My Logstash containers stopped their ingestion when one index pattern is not permitted in ESS.
Code (simplified):
output {
opensearch {
id => "oss_output_cluster-unknown"
hosts => ["${OPENSEARCH_ENDPOINT}"]
auth_type => {
type => 'basic'
user => '${OPENSEARCH_USER}'
password => '${OPENSEARCH_PASSWORD}'
}
index => "%{[fields][indexName]}-ds"
action => "create"
ssl_certificate_verification => false
}
}
Error: [2024-06-07T12:35:42,574][INFO ][logstash.outputs.opensearch][output_oss][oss_output_cluster] Retrying failed action {:status=>403, :action=>[\"create\", {:_id=>nil, :_index=>\"commercialcorp-cclstaging-17507-ds\", :routing=>nil}...}}}], :error=>{\"type\"=>\"security_exception\", \"reason\"=>\"no permissions for [indices:admin/create] and User [name=logstash_user, backend_roles=[], requestedTenant=null]\"}}
My assumption is that this particular document cannot be sent to ESS, but that's not the case. Nothing can come through because of this error.
I finally fixed it by adding this index pattern into the role that Logstash is assuming, but my question is that why failure in ingestion for 1 index will affect the ingestion for the whole pipeline?
OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance. See What is OpenSearch and the OpenSearch Dashboard? | Elastic for more details.
(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )
Are you using multiple pipelines or one pipeline with multiple outputs? You didn't share neither your pipelines.yml nor your entire logstash pipeline, so it is not possible to know.
If you are using one pipeline with multiple outputs, then this is expected.
The main issue with those AI generated answers as that they can just make up things, we have a couple of examples of this in the forum.
Depending on the case this can mislead the users and even cause problems for them.
I'm not sure what is the Elastic policy for AI generated answers on this forum, but for example for their contributor program, AI generated content is not allowed.
This doesn´t change the fact that at least this specific answer is wrong by telling the end user to use something that does not exist, that is what I'm saying.
There is no logstash-output-dead_letter_queue plugin, so you could never have a configuration like this:
If you start logstash with a configuration like that, you will got an error like this:
[2024-06-19T12:23:23,928][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"Java::JavaLang::IllegalStateException", :message=>"Unable to configure plugins: (PluginLoadingError) Couldn't find any output plugin named 'dead_letter_queue'. Are you sure this is correct? Trying to load the dead_letter_queue output plugin resulted in this error: Unable to load the requested plugin named dead_letter_queue of type output. The plugin is not installed."
If you then try to install a plugin named logstash-output-dead_letter_queue you get this another error:
sudo ./logstash-plugin install logstash-output-dead_letter_queue
Using bundled JDK: /usr/share/logstash/jdk
Validating logstash-output-dead_letter_queue Plugin logstash-output-dead_letter_queue does not exist
ERROR: Installation aborted, verification failed for logstash-output-dead_letter_queue
So, as mentioned the tool you used generated an answer with some step that does not exist and would confuse the users.
If this is wrong about it, what else it is wrong about? That's why there is a need to validate the answers being generated.
You may use this tool to generate answers, but you should also try to validate these answers as they can provide wrong information.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.