Filebeat OSS fails upgrade version 7.13, required _license index?

This morning I upgraded the filebeat-oss package from version 7.12.1 to 7.13. It was working perfectly and after uprading the package it stopped working. Now fails with the following message:

May 27 11:03:24 hostname filebeat[6466]: 2021-05-27T11:03:24.932+0200 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://ingest:9200)): Connection marked as failed because the onConnect callback failed: could not connect to a compatible version of Elasticsearch: 400 Bad Request: {"error":{"root_cause":[{"type":"invalid_index_name_exception","reason":"Invalid index name [_license], must not start with '_'.","index_uuid":"_na_","index":"_license"}],"type":"invalid_index_name_exception","reason":"Invalid index name [_license], must not start with '_'.","index_uuid":"_na_","index":"_license"},"status":400}

Of course “_license” index is not present.

The elasticsearch cluster has this version:

Ubuntu 18.04.5 LTS
opendistro 1.13.2-1 (deb packages)
elasticsearch-oss 7.10.2

I have checked the matrix compatibility version and it should be compatible:

Anyone with same issue?
Maybe Elastic is angry with opensearch fork and is closing filebeat?

1 Like

It seems this is the code that breaks compatibility:

1 Like

@fbarbeira Yep. There seems to be a similar issue for Logstash doing similar checks. We’re working on a solution, but I don’t have an ETA yet.


@searchymcsearchface any updates on this topic?

I think @searchymcsearchface wont respond, since he moved to new project.
But +1 for this issue. I know there is Logstash 8.4.0 that works but I dont know about Filebeat.

If you are going to use opensearch I think you should consider using fluentbit to send logs.

Actually I am doing experiment with sending events/logs through logstash and having issues with creating/updating the index template manually. I am getting following error:
composable template after composition is invalid
ref: Load the Elasticsearch index template | Metricbeat Reference [8.6] | Elastic

any ideas why? this error comes from opensearch 2.3.0

@fbarbeira do you know if lisence prohibits disabling this check and rebuilding? or it is possible? or maybe there is already forks, did it?

I think Elasticsearch did that on purpose in order to break compatibility and force you to use their products. Because of that my advise is to use one stack or another, right now mix the tools is not a good idea. If you need an extra funcionality of logstash wich fluentbit does not have, you could try Data Prepper - OpenSearch documentation wich I think is the “logstash replacement” of the opensearch community.

If you need an extra funcionality of logstash wich fluentbit does not have

can fluentbit collect kubernetes events?
can fluentbit act as logstash out for metricbeat?

we are looking for metricbeat solution not logstash. If possible we would like to continue using metricbeat if possible look for another solutuin, I already checked shipping events through logstash it works but logstash is java and consume 1.5GB which is too much