Filebeat Setup Error During Wazuh 4.14.1 Upgrade: unknown field [order]
Emre Erdem
Hello,
We are encountering an issue with the Filebeat setup process while attempting to upgrade our Wazuh system from version 4.14.0 to 4.14.1.
Below are the commands we ran and the resulting error output:
# filebeat setup --pipelines
# filebeat setup --index-management -E output.logstash.enabled=false
Loaded Ingest pipelines
lifecycle policy loading not enabled.
Exiting: error loading template: failed to load template: couldn't load template: 400 Bad Request: {"error":{"root_cause":[{"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"}],"type":"x_content_parse_exception","reason":"[1:2] [index_template] unknown field [order]"},"status":400}
In prior attempts, we diagnosed this error as an incompatibility with the Filebeat index template (Legacy vs. Composable Templates). We tried removing the order: 0 field from the /etc/filebeat/wazuh-template.json file, but the issue persists (or [if you are now getting the new error: the error changed to unknown field [mappings] after removing order]).
Relevant Wazuh Documentation: https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html#:~:text=Filebeat%20i%C3%A7in%20new,%23
Related External Discussion: https://discuss.elastic.co/t/unkown-key-in-elasticsearch-template-elastic-stack-8-3-3/338100
Given that our Indexer version appears to require the Composable Template structure, what definitive steps should we take to ensure Filebeat correctly loads the template for our environment?
Thank you for your assistance.
Best regards,
Emre
Ifeanyi Onyia Odike
I will relate this internally with the team and get back to you.
Emre Erdem
Thank you for your interest. I look forward to hearing from you.
Regards,
Emre
Ifeanyi Onyia Odike
Can you please share your filebeat version, configuration, and template with me?
- # filebeat version
- # cat /etc/filebeat/wazuh-template.json
- # cat /etc/filebeat/filebeat.yml
I will need this to test and identify the issue.
Emre Erdem
After that problem occurred, I went back to my old version via snapshot. Currently running wazuh version: 4.14.0
apt list --installed wazuh-indexer
apt list --installed wazuh-manager
apt list --installed wazuh-dashboard
Listing... Done
wazuh-indexer/stable,now 4.14.0-1 amd64 [installed,upgradable to: 4.14.1-1]
N: There are 46 additional versions. Please use the '-a' switch to see them.
Listing... Done
wazuh-manager/stable,now 4.14.0-1 amd64 [installed,upgradable to: 4.14.1-1]
N: There are 65 additional versions. Please use the '-a' switch to see them.
Listing... Done
wazuh-dashboard/stable,now 4.14.0-1 amd64 [installed,upgradable to: 4.14.1-1]
N: There are 46 additional versions. Please use the '-a' switch to see them.
filebeat version 7.10.2 (amd64), libbeat 7.10.2
File permissons;
ls -al /etc/filebeat/wazuh-template.json && ls -al /etc/filebeat/filebeat.yml
-rw-r--r-- 1 root root 84241 Oct 24 15:52 /etc/filebeat/wazuh-template.json
-rw------- 1 root root 985 May 17 2024 /etc/filebeat/filebeat.yml
filebeat test output
elasticsearch: https://127.0.0.1:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 127.0.0.1
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake...OK
TLS version: TLSv1.2
dial up... OK
talk to server... OK
version: 7.10.2
I am sending the files you requested as attachments.
Best regards,
Emre
