Elasticsearch rejecting mapping update after 3.x/6.x upgrade
883 views
Skip to first unread message
David Bryant
Jan 12, 2018, 11:14:11 AM1/12/18
to Wazuh mailing list
Hello,
My logstash is unable to post new alerts indexes to the elastic cluster after upgrading. The error from logstash-plain.log is:
[2018-01-12T16:09:32,260][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"wazuh-alerts-3.x-2018.01.12", :_type=>"wazuh", :_routing=>nil}, #<LogStash::Event:0x181b7b9f>], :response=>{"index"=>{"_index"=>"wazuh-alerts-3.x-2018.01.12", "_type"=>"wazuh", "_id"=>nil, "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"Rejecting mapping update to [wazuh-alerts-3.x-2018.01.12] as the final mapping would have more than 1 type: [agent, wazuh]"}}}}
I am running the logstash config for 3.x.
Kind regards,
David
David Bryant
Jan 12, 2018, 12:11:01 PM1/12/18
to Wazuh mailing list
It looks like elastic 6x does not let you have more than one type in your index template. I do have wazuh and agent in my mappings for GET _template/wazuh. Is it possible that I screwed up the update process? I did delete and recreate the wazuh indicies already.
Javier Castro
Jan 12, 2018, 12:39:33 PM1/12/18
to David Bryant, Wazuh mailing list
Hi David,
you are right, Elastic 6.x doesn't let you have more than one type per index template, that is why we had to change our templates.
Due to that, you also have to reindex de .kibana index for Kibana to work.
We have an upgrading guide you can follow: https://documentation.wazuh.com/current/installation-guide/upgrading/different_major.html#upgrading-different-major
Regards.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/1598e907-267e-4e4d-b78d-c2b51ebf9568%40googlegroups.com.
David Bryant
Jan 12, 2018, 12:43:09 PM1/12/18
to Wazuh mailing list
Thanks Javier, my apologies!
Have a nice day,
David
Javier Castro
Jan 12, 2018, 12:44:09 PM1/12/18
to David Bryant, Wazuh mailing list
You're welcome, same to you!
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/7d80d16a-5af2-4860-88a3-5606c7dbec08%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages