Hi guys,
I installed OpenSearch + Dashboards v2.0.0 and tried to ship logs from a Windows server machine to OpenSearch.
I use Winlogbeat 7.12.1 (I also tried v7.10 and the current 8.x release), which is recommended for OpenSearch 1.x.
But I can't establish a connection.
Winlogbeat log output:
2022-06-10T10:09:45.675+0200 ERROR [elasticsearch] elasticsearch/client.go:224 failed to perform any bulk index operations: 400 Bad Request: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}
2022-06-10T10:09:47.426+0200 ERROR [publisher_pipeline_output] pipeline/output.go:180 failed to publish events: 400 Bad Request: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}
2022-06-10T10:09:47.426+0200 INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(https://opensearch-02.ipmlan.ipm.fraunhofer.de:9200))
2022-06-10T10:09:47.426+0200 INFO [publisher] pipeline/retry.go:213 retryer: send wait signal to consumer
2022-06-10T10:09:47.426+0200 INFO [publisher] pipeline/retry.go:217 done
2022-06-10T10:09:47.427+0200 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 2.0.0
2022-06-10T10:09:47.428+0200 INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(https://opensearch-02.ipmlan.ipm.fraunhofer.de:9200)) established
2022-06-10T10:09:47.428+0200 INFO [publisher] pipeline/retry.go:213 retryer: send wait signal to consumer
2022-06-10T10:09:47.428+0200 INFO [publisher] pipeline/retry.go:217 done
2022-06-10T10:09:47.433+0200 ERROR [elasticsearch] elasticsearch/client.go:224 failed to perform any bulk index operations: 400 Bad Request: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception","reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}
My Winlogbeat configuration file:
###################### Winlogbeat Configuration Example ########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

# ======================== Winlogbeat specific options =========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System
    ignore_older: 72h

  - name: Security
    ignore_older: 72h

# ====================== Elasticsearch template settings =======================

setup.template.settings:
  #index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

setup.template.enabled: false

# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["opensearch-02.ipmlan.ipm.fraunhofer.de:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  # Disables TLS certificate validation of the OpenSearch endpoint.
  ssl.verification_mode: none

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "winlogbeat"
  password: "..."

output.elasticsearch.allow_older_versions: true
setup.ilm.enabled: false
setup.ilm.check_exists: false

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
I can't find anything related to this error, so I hope that one of you can help me.
Thank you!
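The two log lines in the post that matter most are the one reporting "Attempting to connect to Elasticsearch version 2.0.0" and the 400 complaining about an unknown `_type` parameter on action/metadata line [1]. The following added example (not part of the original post and not Winlogbeat or OpenSearch code) pulls those two facts out of constructed copies of the log lines, builds the NDJSON bulk body a Beat sends, and models the server-side rejection so the `_type` error can be reproduced offline. It assumes, as a simplification, that a 7.x Beat adds `_type: _doc` whenever the server's reported major version is below 7, and it models only the `_type` check, not the full set of bulk-metadata validations a real server performs.

```python
"""Reproduce the bulk-request shape behind the 400 in the post (constructed example)."""
import json
import re

# Constructed copies of two log lines from the post, used as sample input.
SAMPLE_LOG = [
    "2022-06-10T10:09:47.427+0200 INFO [esclientleg] eslegclient/connection.go:314 "
    "Attempting to connect to Elasticsearch version 2.0.0",
    "2022-06-10T10:09:47.433+0200 ERROR [elasticsearch] elasticsearch/client.go:224 "
    "failed to perform any bulk index operations: 400 Bad Request: "
    '{"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Action/metadata '
    'line [1] contains an unknown parameter [_type]"}],"type":"illegal_argument_exception",'
    '"reason":"Action/metadata line [1] contains an unknown parameter [_type]"},"status":400}',
]

VERSION_RE = re.compile(r"Attempting to connect to Elasticsearch version (\d+)\.(\d+)\.(\d+)")
UNKNOWN_PARAM_RE = re.compile(r"Action/metadata line \[(\d+)\] contains an unknown parameter \[(\w+)\]")


def reported_version(lines):
    """Version the Beat believes it is talking to, as a (major, minor, patch) tuple."""
    for line in lines:
        m = VERSION_RE.search(line)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def unknown_params(lines):
    """Distinct (metadata line number, parameter) pairs from bulk rejections in the log."""
    found = []
    for line in lines:
        for m in UNKNOWN_PARAM_RE.finditer(line):
            pair = (int(m.group(1)), m.group(2))
            if pair not in found:          # the same reason appears twice per error JSON
                found.append(pair)
    return found


def legacy_type_needed(server_major):
    """Assumption in this example: a 7.x Beat adds '_type' for servers reporting major < 7."""
    return server_major < 7


def build_bulk_body(index, docs, server_major):
    """NDJSON bulk body: one action/metadata line followed by one source line per document."""
    lines = []
    for doc in docs:
        meta = {"index": {"_index": index}}
        if legacy_type_needed(server_major):
            meta["index"]["_type"] = "_doc"
        lines.append(json.dumps(meta, separators=(",", ":")))
        lines.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(lines) + "\n"


def validate_bulk_body(body):
    """Model of the server-side check: reject a metadata line that still carries '_type'.

    Returns None when the body is accepted, otherwise an error dict shaped like the
    one in the post. Metadata lines sit at even offsets; the server numbers them from 1.
    """
    lines = body.split("\n")
    for i in range(0, len(lines) - 1, 2):
        action = next(iter(json.loads(lines[i]).values()))
        if "_type" in action:
            reason = f"Action/metadata line [{i + 1}] contains an unknown parameter [_type]"
            return {
                "error": {
                    "root_cause": [{"type": "illegal_argument_exception", "reason": reason}],
                    "type": "illegal_argument_exception",
                    "reason": reason,
                },
                "status": 400,
            }
    return None


def diagnose(lines):
    """Tie the two log facts together: legacy '_type' sent to a server reporting major < 7."""
    ver = reported_version(lines)
    params = unknown_params(lines)
    if ver and ver[0] < 7 and any(p == "_type" for _, p in params):
        return f"legacy _type sent to a server that reports major version {ver[0]}"
    return None


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    body = build_bulk_body("winlogbeat-7.12.1", [{"message": "constructed event"}], server_major=2)
    print(body, validate_bulk_body(body))
```

Running the script shows the bulk body carrying `"_type":"_doc"` because the server announced version 2.0.0, and the validator returning the same 400 payload that appears in the Winlogbeat log; rebuilding the body with a reported major version of 7 produces a body the validator accepts.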