Opensearch 2.3 and logstash 8.4: elastic common schema?

sandro · October 26, 2022, 12:13pm

Hello everyone.

I am trying to setup a docker stack with one opensearch dashboard, two opensearch nodes and one logstash.
I installed the first three docker with docker-compose from the docs.
Then I installed this docker for logstash. I managed to connect them on the same network, but i get this error on logstash:

[2022-10-20T23:07:17,769][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2022-10-20T23:07:17,844][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["https://opensearch-node1:9200", "https://opensearch-node2:9200"]}
[2022-10-20T23:07:17,880][WARN ][logstash.outputs.elasticsearch][main] You have enabled encryption but DISABLED certificate verification, to make sure your data is secure remove `ssl_certificate_verification => false`
[2022-10-20T23:07:18,127][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://admin:xxxxxx@opensearch-node1:9200/, https://admin:xxxxxx@opensearch-node2:9200/]}}
[2022-10-20T23:07:18,705][ERROR][logstash.javapipeline    ][main] Pipeline error {:pipeline_id=>"main", :exception=>#<LogStash::ConfigurationError: Could not connect to a compatible version of Elasticsearch>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:245:in `block in healthcheck!'", "org/jruby/RubyHash.java:1519:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:238:in `healthcheck!'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:370:in `update_urls'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:87:in `update_initial_urls'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:81:in `start'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client.rb:358:in `build_pool'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client.rb:63:in `initialize'", "org/jruby/RubyClass.java:909:in `new'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:106:in `create_http_client'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:102:in `build'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/plugin_mixins/elasticsearch/common.rb:39:in `build_client'", "/usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-elasticsearch-11.6.0-java/lib/logstash/outputs/elasticsearch.rb:279:in `register'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:68:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:233:in `block in register_plugins'", "org/jruby/RubyArray.java:1865:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:232:in `register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:598:in `maybe_setup_out_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:245:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:190:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:142:in `block in start'"], "pipeline.sources"=>["/usr/share/logstash/pipeline/logstash.conf", "/usr/share/logstash/pipeline/logstash.conf.old"], :thread=>"#<Thread:0x8c290ba run>"}

Dockers were installed with “latest” tag so version are 2.3.0 and 8.4.0 as in the subject.
Here is stated that these two versions should work together setting the Elastic Common Schema.
I see that default for logstash is v8.
Should I set this also in opensearch? How?

Thank you in advance.
S.

shdubsh · October 26, 2022, 2:46pm

HI!

It looks like logstash is configured to use the elasticsearch output plugin which is incompatible with OpenSearch. Have a look at logstash-output-opensearch for a compatible logstash output.

sandro · October 26, 2022, 3:45pm

Thank you @shdubsh for the answer.

I actually used this docker that references the link you just posted.

Am I missing something here?

S.

jasonrojas · October 26, 2022, 4:41pm

Similar to another thread that was posted somewhere on here, check the logstash config, if your output is “elasticsearch” that might be the culprit, the output should be “opensearch”.

sandro · October 26, 2022, 10:30pm

You are right, the culprit was in my pipeline configuration, the output plugin was erroneously set to elasticsearch and not opensearch.
Thank you!

Topic		Replies	Views
Logstash with opensearch docker container Security troubleshoot , configure , install	6	1693	June 22, 2022
Which Logstash version for OpenSearch 2.0.0? OpenSearch troubleshoot	2	672	June 14, 2022
Issues Opensearch and Logstash Docker OpenSearch discuss , troubleshoot , install	0	65	August 1, 2024
Could not connect to a compatible version of Elasticsearch - Opensearch 2.9.0-1 - Logstash OutputPlugin 8.9.0 OpenSearch troubleshoot , configure , install	1	2412	October 11, 2023
Switch to Opensearch from ELK stack OpenSearch configure	13	3142	February 18, 2022

Opensearch 2.3 and logstash 8.4: elastic common schema?

Related topics