Could not index event to Elasticsearch - Logstash with auth


This is related to my previous posts about LON and LAT. Anyway, i tried adding basic authentication in my stack. Filebeat works with authentication. I followed the docs (7.3) to setup Logstash, one config is not working:

output {
elasticsearch {
hosts => ["elk21:9200"]
index => "logstash-testdmgw-%{host}-%{+YYYY.MM.dd}"
document_id => "%{host}-%{uuid}"
user => logstash_internal
password => ***********
stdout { codec => rubydebug }

The above gives out:

[2019-09-26T13:16:32,538][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>"",
:_index=>"", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x34a4a3d1],
:response=>{"index"=>{"_index"=>"", "_type"=>"_doc", "_id"=>"",
"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"The [default] mapping cannot be updated on index []
: defaults mappings are not useful anymore now that indices can have at most one type."}}}}
/apps/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated

If i change the index name to : bogo-testdmgw-%{host}-%{+YYYY.MM.dd}, it works. I had the role privileges with bogo-* and logstash-*

I had searched the forum and a solution mentioned is to delete the logstash template, restart logstash and it will re-create the template?

Is there a fix without deleting the default logstash template? or is there a way to copy the logstash default template to another template name, let say "bogo".

I'd appreciate any help and advise.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.