Opensearch output plugin logs full message with "immense term"

reshippie · December 14, 2021, 7:52pm

I just changed from the Elasticsearch output plugin in Logstash 7.12.1 to the Opensearch output plugin in Logstash 7.16.1 to keep things safe from log4shell and I encountered a new behavior. I’m not sure if it’s in the output plugin or Logstash itself, though.

Before I would see a log message like
Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"audit", :routing=>nil}, #<LogStash::Event:0x4adef63b>]
Now instead of getting the event pointer, I get the entire event dumped into my log. This immense log line is then picked up by Filebeat and sent to Logstash.

This then turns into a Yo Dawg Joke of Death. Failing to index the increasingly large log line, logging the new, longer line, then getting it sent back into Logstash.

Does this seem like a problem with the Opensearch plugin or Logstash?
I’m working on my own solutions to this situation, but figured I’m not the only one who’s run into this.

searchymcsearchface · December 15, 2021, 3:10pm

So… something is not right here.

Are you sure you’re using the OpenSearch Output plugin? Because I think the message is coming from the output plugin itself:

github.com

opensearch-project/logstash-output-opensearch/blob/32a8a4343f276c32f7650a2d89c679a33f7bcee5/lib/logstash/plugin_mixins/opensearch/common.rb#L201


      
            # - For a mapping error, we send to dead letter queue for a human to intervene at a later point.
            # - For everything else there's mastercard. Yep, and we retry indefinitely. This should fix #572 and other transient network issues
            if DOC_SUCCESS_CODES.include?(status)
              @document_level_metrics.increment(:successes)
              next
            elsif DOC_CONFLICT_CODE == status
              @document_level_metrics.increment(:non_retryable_failures)
              @logger.warn "Failed action", status: status, action: action, response: response if log_failure_type?(error)
              next
            elsif DOC_DLQ_CODES.include?(status)
              handle_dlq_status("Could not index event to OpenSearch.", action, status, response)
              @document_level_metrics.increment(:non_retryable_failures)
              next
            else
              # only log what the user whitelisted
              @document_level_metrics.increment(:retryable_failures)
              @logger.info "Retrying failed action", status: status, action: action, error: error if log_failure_type?(error)
              actions_to_retry << action
            end
          end

And it should say “Could not index event to OpenSearch.” (similar line in the ES output plugin, except it says “Elasticsearch”)

reshippie · December 15, 2021, 5:57pm

Yeah, I’m using the Opensearch plugin now. The example I posted was the old behavior.
New behavior is
Could not index event to OpenSearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"ecs", :routing=>nil}, {"event"=>{"original"=>
Followed by more than 32KB of data from a single awful log line.

searchymcsearchface · December 16, 2021, 2:41pm

Ok. Well, we’ve a eliminated variable but looks like there still is the problem. Considering that, it seems like a configuration issue outside of the output plugin (or more specifically, ES and OpenSearch output yield the same).

This seems like it’s related to the Logstash dead letter queue which makes me think something is going on with the template in OpenSearch. So, you have something that doesn’t match the template, gets sent to the DLQ (which you’re logging) and the cycle goes on. Maybe try disabling the DLQ in logstash or taking a look at how your templates are matching the incoming data from logstash.

Topic		Replies	Views
Is logstash-output-opensearch project dead without any bug fixes? Where's AWS development/support to help fixing them? General Feedback discuss	3	557	June 14, 2022
Logstash data into Opensearch Open Source Elasticsearch and Kibana troubleshoot , configure , install	7	913	September 20, 2022
Logstash.outputs.opensearch 400 _bulk error OpenSearch	8	2097	June 14, 2023
Logstash Elasticsearch Input Plugin, Request signing Open Source Elasticsearch and Kibana	2	831	December 27, 2021
What is the compatible version of latest Logstash version with Opensearch 2.10.0? OpenSearch	3	593	November 11, 2023

Opensearch output plugin logs full message with "immense term"

Related topics