Problems with the Netflow Module - Possible ElasticSearch 6 Regression?


(James) #1

Hello ElasticSearch community,

I'm attempting to use the Logstash Netflow Module, as documented here:
https://www.elastic.co/guide/en/logstash/current/netflow-module.html

I have a vanilla CentOS 7 installation with a default Logstash installation (installed with "yum install logstash").

However, upon entering the "logstash --modules netflow --setup -M netflow.var.input.udp.port=2055" command, I get this error:

[2018-11-12T23:15:20,611][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[2018-11-12T23:15:21,113][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>#<LogStash::ConfigLoadingError: Failed to parse the module configuration: [[400] {"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"[include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field."}],"type":"mapper_parsing_exception","reason":"Failed to parse mapping [_default_]: [include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field.","caused_by":{"type":"mapper_parsing_exception","reason":"[include_in_all] is not allowed for indices created on or after version 6.0.0 as [_all] is deprecated. As a replacement, you can use an [copy_to] on mapping fields to create your own catch all field."}},"status":400}]>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-5.0.4/lib/elasticsearch/transport/transport/base.rb:202:in `__raise_transport_error'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-5.0.4/lib/elasticsearch/transport/transport/base.rb:319:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-5.0.4/lib/elasticsearch/transport/transport/http/manticore.rb:67:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-5.0.4/lib/elasticsearch/transport/client.rb:131:in `perform_request'", "/usr/share/logstash/logstash-core/lib/logstash/elasticsearch_client.rb:77:in `put'", "/usr/share/logstash/logstash-core/lib/logstash/elasticsearch_client.rb:128:in `put'", "/usr/share/logstash/logstash-core/lib/logstash/modules/elasticsearch_importer.rb:29:in `put_overwrite'", 
"/usr/share/logstash/logstash-core/lib/logstash/modules/elasticsearch_importer.rb:19:in `put'", "/usr/share/logstash/logstash-core/lib/logstash/modules/scaffold.rb:30:in `import'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/modules/scaffold.rb:29:in `import'", "/usr/share/logstash/logstash-core/lib/logstash/config/modules_common.rb:78:in `pipeline_configs'", "org/jruby/RubyArray.java:1613:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/config/modules_common.rb:56:in `pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:276:in `execute'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:67:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:204:in `run'", "/usr/share/logstash/vendor/bundle/jruby/1.9/gems/clamp-0.6.5/lib/clamp/command.rb:132:in `run'", "/usr/share/logstash/lib/bootstrap/environment.rb:71:in `(root)'"]}

Is this a regression in the 6+ version of ElasticSearch? I would expect that a vanilla version of the module would work out of the box. Or am I doing something wrong?

