Filebeat Setup Error During Wazuh 4.14.1 Upgrade: unknown field [order]

345 views
Skip to first unread message

Emre Erdem

unread,
Nov 24, 2025, 3:34:55 AM11/24/25
to Wazuh | Mailing List

Hello,

We are encountering an issue with the Filebeat setup process while attempting to upgrade our Wazuh system from version 4.14.0 to 4.14.1.

Below are the commands we ran and the resulting error output:

# filebeat setup --pipelines
# filebeat setup --index-management -E output.logstash.enabled=false

Loaded Ingest pipelines
lifecycle policy loading not enabled.
Exiting: error loading template: failed to load template: couldn't load template: 400 Bad Request: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"}],"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"},"status":400}

In prior attempts, we diagnosed this error as an incompatibility with the Filebeat index template (Legacy vs. Composable Templates). We tried removing the order: 0 field from the /etc/filebeat/wazuh-template.json file, but the issue persists (or [if you are now getting the new error: the error changed to unknown field [mappings] after removing order]).

Relevant Wazuh Documentation: https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html#:~:text=Filebeat%20i%C3%A7in%20new,%23

Related External Discussion: https://discuss.elastic.co/t/unkown-key-in-elasticsearch-template-elastic-stack-8-3-3/338100

Given that our Indexer version appears to require the Composable Template structure, what definitive steps should we take to ensure Filebeat correctly loads the template for our environment?

Thank you for your assistance.

Best regards,

Emre

Ifeanyi Onyia Odike

unread,
Nov 24, 2025, 1:49:27 PM11/24/25
to Wazuh | Mailing List
Hello Emre,

I did some research on this issue, but wasn't able to come up with concrete guidance that would help you solve it.
I will relate this internally with the team and get back to you.

Regards,

Emre Erdem

unread,
Nov 25, 2025, 1:38:16 AM11/25/25
to Wazuh | Mailing List
Hello Ifeanyi,

Thank you for your interest. I look forward to hearing from you.

Regards,
Emre

24 Kasım 2025 Pazartesi tarihinde saat 21:49:27 UTC+3 itibarıyla Ifeanyi Onyia Odike şunları yazdı:

Ifeanyi Onyia Odike

unread,
Nov 26, 2025, 6:08:25 AM11/26/25
to Wazuh | Mailing List
Hello 

Can you please share your filebeat version, configuration, and template with me?

  • # filebeat version
  • # cat /etc/filebeat/wazuh-template.json
  • # cat /etc/filebeat/filebeat.yml

I will need this to test and identify the issue.

Regards,

Emre Erdem

unread,
Nov 26, 2025, 6:21:43 AM11/26/25
to Wazuh | Mailing List
Hello Ifeanyi,

After that problem occurred, I went back to my old version via snapshot. Currently running wazuh version: 4.14.0

apt list --installed wazuh-indexer
apt list --installed wazuh-manager
apt list --installed wazuh-dashboard
Listing... Done

wazuh-indexer/stable,now 4.14.0-1 amd64 [installed,upgradable to: 4.14.1-1]
N: There are 46 additional versions. Please use the '-a' switch to see them.
Listing... Done
wazuh-manager/stable,now 4.14.0-1 amd64 [installed,upgradable to: 4.14.1-1]
N: There are 65 additional versions. Please use the '-a' switch to see them.
Listing... Done
wazuh-dashboard/stable,now 4.14.0-1 amd64 [installed,upgradable to: 4.14.1-1]
N: There are 46 additional versions. Please use the '-a' switch to see them.

filebeat version 7.10.2 (amd64), libbeat 7.10.2

File permissons;
ls -al /etc/filebeat/wazuh-template.json && ls -al /etc/filebeat/filebeat.yml
-rw-r--r-- 1 root root 84241 Oct 24 15:52 /etc/filebeat/wazuh-template.json
-rw------- 1 root root 985 May 17  2024 /etc/filebeat/filebeat.yml


filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake...OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2

I am sending the files you requested as attachments.

Best regards,
Emre

26 Kasım 2025 Çarşamba tarihinde saat 14:08:25 UTC+3 itibarıyla Ifeanyi Onyia Odike şunları yazdı:
wazuh-template.json
filebeat.yml

Leo David

unread,
Dec 4, 2025, 4:09:24 AM12/4/25
to Wazuh | Mailing List
Hello,
I am encountering the same issue it seems, after upgarding from 4.12 to 4.14:

filebeat setup --index-management -E output.logstash.enabled=false
lifecycle policy loading not enabled.

Exiting: error loading template: failed to load template: couldn't load template: 400 Bad Request: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"}],"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"},"status":400}. Response body: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"}],"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"},"status":400}

It seems being a breaking change.
Any thoughts on how to sort this ?

Emre Erdem

unread,
Dec 9, 2025, 12:43:08 AM12/9/25
to Wazuh | Mailing List
Hello İfeanyi,

Any updates?

Best regards,
Emre
4 Aralık 2025 Perşembe tarihinde saat 12:09:24 UTC+3 itibarıyla Leo David şunları yazdı:

Leo David

unread,
Dec 9, 2025, 8:20:41 AM12/9/25
to Emre Erdem, Wazuh | Mailing List
Hello Emre,
In our case, the issue was generated by filebeat being wrongly installed from elastic repo instead of wazuh yum repo. That caused a different version of filebeat to be installed. Once filebeat uninstalled, disabled elastic repo and installed from the correct one, the issue got sorted out.
Could you at least verify if that's the case with your setup as well ?


Best regards,
Leo David

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/2800e79d-4f23-49f3-ae4e-3aa70e759011n%40googlegroups.com.

Ifeanyi Onyia Odike

unread,
Dec 10, 2025, 11:16:25 AM12/10/25
to Wazuh | Mailing List
Hi Emre,

Apologies for the delayed response. 
successfully upgraded my Wazuh from 4.13.0 using the Wazuh upgrade guide in my lab environment without encountering any errors.

Since this is filebeat-related, please confirm that the correct version of the wazuh-template.json file in step 2 of the configuring filebeat section was downloaded to your server, as this might be where the issue originates.

Subsequent to upgrading filebeat, you should also confirm the Filebeat version as suggested by Leo using the command:

# filebeat version

Regards,

Emre Erdem

unread,
Dec 12, 2025, 6:26:01 AM12/12/25
to Wazuh | Mailing List
Hello,

I solved the problem, thank you both. Yes, as Leo said, Filebeat was pulling files from the Elastic repositories, that's why I encountered those errors. First, I checked if it existed with the command:

"ls -al /etc/apt/sources.list.d/" and then I found this version: "/etc/apt/sources.list.d/elastic-8.x.list"

I completely removed this repository, then followed the other update steps one by one, and the upgrade was successful. I can now use it in its most up-to-date form.

Best Regards,
Emre

10 Aralık 2025 Çarşamba tarihinde saat 19:16:25 UTC+3 itibarıyla Ifeanyi Onyia Odike şunları yazdı:
Reply all
Reply to author
Forward
0 new messages