Winlogbeat: connection to OpenSearch 2.0.0 doesn't work

Hi guys,

I installed opensearch + dashboards v2.0.0 and tried to ship logs from a Windows server machine to OpenSearch.

I use Winlogbeat 7.12.1 (I also tried v7.10 and the current 8.x release), which is recommended for OpenSearch 1.x.

But I can't establish a connection.
Winlogbeat log output:

2022-06-10T10:09:45.675+0200	ERROR	[elasticsearch]	elasticsearch/client.go:224	failed to perform any bulk index operations: 400 Bad Request: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}
2022-06-10T10:09:47.426+0200	ERROR	[publisher_pipeline_output]	pipeline/output.go:180	failed to publish events: 400 Bad Request: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}
2022-06-10T10:09:47.426+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:143	Connecting to backoff(elasticsearch(https://opensearch-02.ipmlan.ipm.fraunhofer.de:9200))
2022-06-10T10:09:47.426+0200	INFO	[publisher]	pipeline/retry.go:213	retryer: send wait signal to consumer
2022-06-10T10:09:47.426+0200	INFO	[publisher]	pipeline/retry.go:217	  done
2022-06-10T10:09:47.427+0200	INFO	[esclientleg]	eslegclient/connection.go:314	Attempting to connect to Elasticsearch version 2.0.0
2022-06-10T10:09:47.428+0200	INFO	[publisher_pipeline_output]	pipeline/output.go:151	Connection to backoff(elasticsearch(https://opensearch-02.ipmlan.ipm.fraunhofer.de:9200)) established
2022-06-10T10:09:47.428+0200	INFO	[publisher]	pipeline/retry.go:213	retryer: send wait signal to consumer
2022-06-10T10:09:47.428+0200	INFO	[publisher]	pipeline/retry.go:217	  done
2022-06-10T10:09:47.433+0200	ERROR	[elasticsearch]	elasticsearch/client.go:224	failed to perform any bulk index operations: 400 Bad Request: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}

My Winlogbeat configuration file:

###################### Winlogbeat Configuration Example ########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

# ======================== Winlogbeat specific options =========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System
    ignore_older: 72h

  - name: Security
    ignore_older: 72h
# ====================== Elasticsearch template settings =======================

setup.template.settings:
  #index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
setup.template.enabled: false

# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["opensearch-02.ipmlan.ipm.fraunhofer.de:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.verification_mode: none
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "winlogbeat"
  password: "..."

  # Lets the Beat send to a cluster that reports an older version than the
  # Beat itself. This key belongs directly under output.elasticsearch, not
  # repeated with its full dotted path inside the block.
  allow_older_versions: true

# ILM is an Elasticsearch feature that OpenSearch does not provide; keep the
# Beat from probing for it. These are top-level keys, not output settings.
setup.ilm.enabled: false
setup.ilm.check_exists: false
# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~

I can't find anything related to this error, so I hope that one of you can help me.
Thank you!

This is a bug which was released in 2.0. The team has a compatibility model fix in the works which you can track. We are targeting next week for a fix.

If you need an immediate workaround, you can route traffic through Logstash and use the OpenSearch output plugin.

1 Like

I could solve the issue by updating to OpenSearch 2.0.1 and by editing the OpenSearch config file with the following entry:
compatibility.override_main_response_version: true

1 Like

I’m still seeing this error with 2.1.0. Has this fix been released yet?

1 Like

Okay, so apparently setting compatibility.override_main_response_version is a necessary step as well. With that I’m good. I did get:

[2022-07-18T09:01:45,701][WARN ][logstash.outputs.opensearch][main] Detected a node with a higher major version than previously observed, this could be the result of an OpenSearch cluster upgrade {:previous_major=>2, :new_major=>7, :node_url=>"XX/"}

in the log of logstash, hopefully that won’t be problematic.

1 Like
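To make the failure mechanism in this thread concrete, here is an added Python model (not code from Beats, Winlogbeat or OpenSearch) of the round trip. A 7.x Beat reads the version from the cluster's root response; because OpenSearch 2.0.0 reports itself as 2.0.0, the Beat treats it as a pre-7 Elasticsearch and adds the legacy `_type` key to every bulk action line, which OpenSearch 2.x rejects with exactly the illegal_argument_exception in the first post. With compatibility.override_main_response_version: true the root response reports 7.10.2 instead (which is why Logstash logs new_major=>7 above), the Beat omits `_type`, and the same bulk body is accepted. The sample events and the allowlist of known action parameters are constructed for this example; the "add `_type` below major 7" gate reflects how the Beats legacy client behaves, but the code is a model, not the library's own.

```python
"""Added model of the Winlogbeat -> OpenSearch 2.0.0 `_type` failure.

Not code from Beats or OpenSearch; it reproduces the interaction the
thread describes with constructed data so it can run offline.
"""
from __future__ import annotations

import json

# Constructed root ("main") responses. OpenSearch 2.0.0 reports its own
# version; with compatibility.override_main_response_version: true it
# reports 7.10.2 instead.
MAIN_RESPONSE_2_0_0 = {"version": {"number": "2.0.0", "distribution": "opensearch"}}
MAIN_RESPONSE_OVERRIDE = {"version": {"number": "7.10.2", "distribution": "opensearch"}}

# Constructed Windows event-log documents standing in for Winlogbeat output.
SAMPLE_EVENTS = [
    {"@timestamp": "2022-06-10T08:09:45.000Z", "winlog": {"channel": "Security", "event_id": 4624}},
    {"@timestamp": "2022-06-10T08:09:46.000Z", "winlog": {"channel": "System", "event_id": 7036}},
]

# Bulk action parameters accepted by the model of an OpenSearch 2.x node
# (a subset, chosen for this example). `_type` is deliberately absent:
# 2.x removed mapping types.
KNOWN_ACTION_PARAMS = {
    "_index", "_id", "routing", "op_type", "version", "version_type",
    "if_seq_no", "if_primary_term", "pipeline", "retry_on_conflict", "require_alias",
}


def reported_major(main_response: dict) -> int:
    """Major version a Beat derives from the cluster's root response."""
    return int(main_response["version"]["number"].split(".")[0])


def beats_bulk_action(index: str, target_major: int) -> dict:
    """Action/metadata line a 7.x Beat writes before each event.

    Modelled behaviour: the legacy client only adds `_type` when it believes
    the target is Elasticsearch older than 7, for 6.x compatibility.
    """
    meta = {"_index": index}
    if target_major < 7:
        meta["_type"] = "_doc"
    return {"index": meta}


def opensearch2_validate_bulk(body: str) -> dict:
    """Mimic the OpenSearch 2.x _bulk parser: the first unknown key on any
    action line fails the whole request with 400 illegal_argument_exception.
    Action lines sit on odd body lines; each is followed by its document."""
    lines = body.rstrip("\n").split("\n")
    for i in range(0, len(lines), 2):
        action = json.loads(lines[i])
        (_op, meta), = action.items()
        for key in meta:
            if key not in KNOWN_ACTION_PARAMS:
                reason = f"Action/metadata line [{i + 1}] contains an unknown parameter [{key}]"
                return {
                    "status": 400,
                    "error": {"type": "illegal_argument_exception", "reason": reason},
                }
    return {"status": 200, "errors": False, "items": len(lines) // 2}


def ship(events: list[dict], main_response: dict, index: str = "winlogbeat-7.12.1") -> dict:
    """Full round trip: version probe, Beats-style bulk body, server-side check."""
    major = reported_major(main_response)
    body = "".join(
        json.dumps(beats_bulk_action(index, major)) + "\n" + json.dumps(ev) + "\n"
        for ev in events
    )
    return opensearch2_validate_bulk(body)


if __name__ == "__main__":
    for label, resp in (("2.0.0 as shipped", MAIN_RESPONSE_2_0_0),
                        ("2.0.1 with override", MAIN_RESPONSE_OVERRIDE)):
        print(label, "->", json.dumps(ship(SAMPLE_EVENTS, resp)))
```

The same version gate explains the Logstash workaround: the OpenSearch output plugin does not emit `_type` regardless of the reported version, so routing Beats through Logstash sidesteps the check even on 2.0.0, at the cost of the major-version warning once the override changes what the node reports.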