Hi,
This is related to my previous posts about LON and LAT. Anyway, i tried adding basic authentication in my stack. Filebeat works with authentication. I followed the docs (7.3) to setup Logstash, one config is not working:
output {
elasticsearch {
hosts => ["elk21:9200"]
index => "logstash-testdmgw-%{host}-%{+YYYY.MM.dd}"
document_id => "%{host}-%{uuid}"
user => logstash_internal
password => ***********
}
stdout { codec => rubydebug }
}
The above gives out:
[2019-09-26T13:16:32,538][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>"server06.bogo.mysite.com-c11c5ce5-f73a-4fd4-a5b1-aca8efd83906",
:_index=>"logstash-testxmgw-server06.bogo.mysite.com-2019.09.26", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x34a4a3d1],
:response=>{"index"=>{"_index"=>"logstash-testxmgw-server06.bogo.mysite.com-2019.09.26", "_type"=>"_doc", "_id"=>"server06.bogo.mysite.com-c11c5ce5-f73a-4fd4-a5b1-aca8efd83906",
"status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"The [default] mapping cannot be updated on index [logstash-testxmgw-server06.bogo.mysite.com-2019.09.26]
: defaults mappings are not useful anymore now that indices can have at most one type."}}}}
/apps/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
If i change the index name to : bogo-testdmgw-%{host}-%{+YYYY.MM.dd}, it works. I had the role privileges with bogo-* and logstash-*
I had searched the forum and a solution mentioned is to delete the logstash template, restart logstash and it will re-create the template?
Is there a fix without deleting the default logstash template? or is there a way to copy the logstash default template to another template name, let say "bogo".
I'd appreciate any help and advise.
thanks,
sirjune