Logstash OpenSearch plugin making lots of get and put requests

OpenSearch
1

Logstash version 8.7.2
Logstash output Opensearch plugin version 2.0.1
OpenSearch version 2.9.0

We see a lot of transport request types PutMappingRequest and GetIndexTemplatesRequest from Logstash nodes in the audit log. These all seem to be data streams.

Why does logstash need to PutMappingRequest and GetIndexTemplatesRequest? Seems to be a lot of unneeded processing overhead.

We use index templates for each index and these are not upsert. .

{
“_index”: “cluster_zone_c:–omitted–”,
“_id”: “mQMVP4sB3O87XQp6r2Ei”,
“_version”: 1,
“_score”: null,
“_source”: {
“audit_trace_task_parent_id”: “—omitted—:9058743336”,
“audit_cluster_name”: “–omitted–”,
“audit_transport_headers”: {
“_opendistro_security_remote_address_header”: “–omitted–”,
“_opendistro_security_initial_action_class_header”: “BulkShardRequest”,
“_opendistro_security_origin_header”: “REST”,
“_opendistro_security_user_header”: “–omitted–”,
“_opendistro_security_remotecn”: “–omitted–”
},
“audit_node_name”: “master-2”,
“audit_trace_task_id”: “—omitted—:306110207”,
“audit_transport_request_type”: “PutMappingRequest”,
“audit_category”: “INDEX_EVENT”,
“audit_request_origin”: “REST”,
“audit_request_body”: “{"_doc":{"data_stream_timestamp":{"enabled":true},"properties":{"source":{"properties":{"geo":{"properties":{"dma_code":{"type":"long"}}}}}}}}",
“audit_node_id”: “—omitted—”,
“audit_request_layer”: “TRANSPORT”,
@timestamp”: “2023-10-17T19:21:07.618+00:00”,
“audit_format_version”: 4,
“audit_request_remote_address”: “10.10.10.12”,
“audit_request_privilege”: “indices:admin/mapping/auto_put”,
“audit_node_host_address”: “10.10.10.13”,
“audit_request_effective_user”: “admin”,
“audit_trace_resolved_indices”: [
".ds-log–omitted–000001”
],
“audit_node_host_name”: “10.10.10.13”
},
“fields”: {
@timestamp”: [
“2023-10-17T19:21:07.618Z”
]
},
“highlight”: {
“audit_request_effective_user”: [
@opensearch-dashboards-highlighted-field@admin@/opensearch-dashboards-highlighted-field@”
],
“audit_transport_request_type”: [
@opensearch-dashboards-highlighted-field@PutMappingRequest@/opensearch-dashboards-highlighted-field@”
]
},
“sort”: [
1697570467618
]
}

2

Its part of the default behavior iirc - you can set manage_template => false
in your output config and those requests will stop after restart.