Error after upgrading Wazuh-Indexer from version 4.12.0 to 4.14.0

[João Victor]

Hello,

After upgraded wazuh indexer to the last version it broked. It was in version 4.12.0 previously.I followed the steps on https://documentation.wazuh.com/4.14/upgrade-guide/upgrading-central-components.html as I used to do. I can't start my wazuh-indexer service anymore. Looking inside the logs of the indexer on /var/log/wazuh-indexer/wazuh-cluster.log I can see a problem with mapping an index called [.opensearch-sap-correlation-history-2025.11.12-1/4hpJkKo8RUCNdB-fIRxDEg].This is all-in-one environement.Below is the error with this indice:

[2025-11-25T23:57:41,854][INFO ][o.o.n.Node ] [node-1] initialized [2025-11-25T23:57:41,854][INFO ][o.o.n.Node ] [node-1] starting ... [2025-11-25T23:57:41,932][INFO ][o.o.t.TransportService ] [node-1] publish_address {10.20.10.50:9300}, bound_addresses {[::]:9300} [2025-11-25T23:57:41,933][INFO ][o.o.t.TransportService ] [node-1] Remote clusters initialized successfully. [2025-11-25T23:57:43,332][WARN ][o.o.c.m.MetadataIndexUpgradeService] [node-1] [.opensearch-sap-correlation-history-2025.11.12-1/4hpJkKo8RUCNdB-fIRxDEg] ignoring unknown index setting: [index.correlation] with value [true]; archiving [2025-11-25T23:57:43,334][ERROR][o.o.b.Bootstrap ] [node-1] Exception java.lang.IllegalStateException: unable to upgrade the mappings for the index [[.opensearch-sap-correlation-history-2025.11.12-1/4hpJkKo8RUCNdB-fIRxDEg]] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.checkMappingsCompatibility(MetadataIndexUpgradeService.java:252) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.upgradeIndexMetadata(MetadataIndexUpgradeService.java:121) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.upgradeMetadata(GatewayMetaState.java:340) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.upgradeMetadataForNode(GatewayMetaState.java:322) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.start(GatewayMetaState.java:196) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.node.Node.start(Node.java:1683) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.Bootstrap.start(Bootstrap.java:339) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:413) [opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) [opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172) [opensearch-2.19.3.jar:2.19.3] at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) [opensearch-2.19.3.jar:2.19.3] at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) [opensearch-cli-2.19.3.jar:2.19.3] at org.opensearch.cli.Command.main(Command.java:101) [opensearch-cli-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138) [opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104) [opensearch-2.19.3.jar:2.19.3] Caused by: org.opensearch.index.mapper.MapperParsingException: Failed to parse mapping [_doc]: No handler for type [sa_vector] declared on field [corr_vector] at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:480) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:466) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.merge(MapperService.java:452) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.checkMappingsCompatibility(MetadataIndexUpgradeService.java:248) ~[opensearch-2.19.3.jar:2.19.3] ... 14 more Caused by: org.opensearch.index.mapper.MapperParsingException: No handler for type [sa_vector] declared on field [corr_vector] at org.opensearch.index.mapper.ObjectMapper$TypeParser.parseProperties(ObjectMapper.java:581) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.ObjectMapper$TypeParser.parseObjectOrDocumentTypeProperties(ObjectMapper.java:339) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.RootObjectMapper$TypeParser.parse(RootObjectMapper.java:190) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:146) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:135) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:478) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:466) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.merge(MapperService.java:452) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.checkMappingsCompatibility(MetadataIndexUpgradeService.java:248) ~[opensearch-2.19.3.jar:2.19.3] ... 14 more [2025-11-25T23:57:43,339][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [node-1] uncaught exception in thread [main] org.opensearch.bootstrap.StartupException: java.lang.IllegalStateException: unable to upgrade the mappings for the index [[.opensearch-sap-correlation-history-2025.11.12-1/4hpJkKo8RUCNdB-fIRxDEg]] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:185) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:172) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-2.19.3.jar:2.19.3] at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:138) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:104) ~[opensearch-2.19.3.jar:2.19.3] Caused by: java.lang.IllegalStateException: unable to upgrade the mappings for the index [[.opensearch-sap-correlation-history-2025.11.12-1/4hpJkKo8RUCNdB-fIRxDEg]] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.checkMappingsCompatibility(MetadataIndexUpgradeService.java:252) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.upgradeIndexMetadata(MetadataIndexUpgradeService.java:121) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.upgradeMetadata(GatewayMetaState.java:340) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.upgradeMetadataForNode(GatewayMetaState.java:322) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.start(GatewayMetaState.java:196) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.node.Node.start(Node.java:1683) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.Bootstrap.start(Bootstrap.java:339) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:413) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.19.3.jar:2.19.3] ... 6 more Caused by: org.opensearch.index.mapper.MapperParsingException: Failed to parse mapping [_doc]: No handler for type [sa_vector] declared on field [corr_vector] at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:480) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:466) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.merge(MapperService.java:452) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.checkMappingsCompatibility(MetadataIndexUpgradeService.java:248) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.upgradeIndexMetadata(MetadataIndexUpgradeService.java:121) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.upgradeMetadata(GatewayMetaState.java:340) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.upgradeMetadataForNode(GatewayMetaState.java:322) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.start(GatewayMetaState.java:196) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.node.Node.start(Node.java:1683) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.Bootstrap.start(Bootstrap.java:339) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:413) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.19.3.jar:2.19.3] ... 6 more Caused by: org.opensearch.index.mapper.MapperParsingException: No handler for type [sa_vector] declared on field [corr_vector] at org.opensearch.index.mapper.ObjectMapper$TypeParser.parseProperties(ObjectMapper.java:581) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.ObjectMapper$TypeParser.parseObjectOrDocumentTypeProperties(ObjectMapper.java:339) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.RootObjectMapper$TypeParser.parse(RootObjectMapper.java:190) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:146) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.DocumentMapperParser.parse(DocumentMapperParser.java:135) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:478) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.internalMerge(MapperService.java:466) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.index.mapper.MapperService.merge(MapperService.java:452) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.checkMappingsCompatibility(MetadataIndexUpgradeService.java:248) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.cluster.metadata.MetadataIndexUpgradeService.upgradeIndexMetadata(MetadataIndexUpgradeService.java:121) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.upgradeMetadata(GatewayMetaState.java:340) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.upgradeMetadataForNode(GatewayMetaState.java:322) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.gateway.GatewayMetaState.start(GatewayMetaState.java:196) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.node.Node.start(Node.java:1683) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.Bootstrap.start(Bootstrap.java:339) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:413) ~[opensearch-2.19.3.jar:2.19.3] at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.19.3.jar:2.19.3] ... 6 more

I deleted the indice 4hpJkKo8RUCNdB-fIRxDEg manually on /var/lib/wazuh-indexer/nodes/0/indices and I tried to restart the service again, but it didn't work...

I found this forum https://groups.google.com/g/wazuh/c/9jouSrkiiM8 related to my issue, but the person whose opened the thread could solve the problem by removing the index via Dev Tools, in my case I can't use Dev Tools because the wazuh-indexer service isn't starting...

[jorge...@wazuh.com]

The error suggests that you have indices with fields that have become outdated. Send me the sanitized output of the ossec.log as well so I can see what is happening there. 

The solution involves deleting or modifying them. To do that, we need to know what indices you have, but we cannot know that since the API is unavailable.

I'll run some tests and I'll get back soon.

Regards.

[João Victor]

Running dpkg -l | grep wazuh We can see the versions of the components:

[João Victor]

Hello Jorge,

I started the upgrade process yesterday night, I could only update wazuh-indexer until now (I stopped updating other components because of this error), wazuh-manager and wazuh-dashboard still in the previous version 4.12.0 yet. I can start wazuh-manager, but I don't think that ossec.log would be relevant in this scenario as the problem is on the indices  ".opensearch-sap-correlation-history-2025.11.12-1/4hpJkKo8RUCNdB-fIRxDEg"  it self.

Exactly, API isn't available as the service couldn't be started. I only can see the indices on /var/lib/wazuh-indexer/nodes/0. I always update our Wazuh following the updated documentation, this time it start to show these errors...

Em quarta-feira, 26 de novembro de 2025 às 13:10:10 UTC-3, jorge...@wazuh.com escreveu:

[jorge...@wazuh.com]

I think something went wrong during the upgrade process, specifically in this step . The error suggests that shard replication was not disabled or the manager was not properly stopped before proceeding with the indexer update. I propose that you continue with the update because I believe Filebeat is trying to send data that is not recognized by the new version of the indexer. Once all your components have been updated, we will check the status of the environment and see if we need to delete indices or index metadata.

I will pay close attention to your feedback until we land on a solution.
Regards.

[João Victor]

Jorge,

There's some way to downgrade wazuh components? In this case wazuh-indexer.

[jorge...@wazuh.com]

Once a component has been updated to version 4.12 or higher, it is not possible to perform a downgrade, as noted in the warning message at the start of the update guide .

Have you tried updating the rest of the components?

Let me know what is the current status of you environment.

[João Victor]

As we couldn't resolve the issue, we performed a backup of the server (hopefully we have this service...) to the previous state before the upgrade, then I did the snapshots of the indices and I removed wazuh-indexer completely, installing it from scratch again. The upgrade of wazuh-indexer  from version 4.12.0 to 4.14.1 didn't work even removing the indice .opensearch-sap-correlation*, it was duplicating the binaries on /usr/share/wazuh-indexer for some reason, like we had /usr/share/wazuh-indexer/lib/opensearch-2.19.1 and opensearch-2.19.3 at the same time causing the error Exception in thread "main" java.lang.AssertionError: Lucene version mismatch this version of OpenSearch requires lucene version [9.12.1] but the current lucene version is [9.12.2], it was weired and made us reinstall wazuh-indexer.