Upgraded ES 5.6 > 6.1 Now _bulk not accepting header text/json

Hello,
Today we updated ES to version 6.1 coming from 5.6 and all went good except for indexing Linux logs via a RSYSLOG plugin called omelasticsearch. I've setup an error output file that tells that the Content-Type header text/json is not supported. Is there any change thay might be causing this problem? I mean, propably the maintainer of this plugin will have to change its configuration somehow.

Below the response the application is getting from Elasticsearch after posting that data using the _bulk api. I had the syslog not being delivered after the upgrade, and only. All the rest are working fine.

{
        "request":      {
                "url":  "http://elasticsearch:9200/_bulk",
                "postdata":     "{\"index\":{\"_index\": \"rsyslog-2017-12-19\",\"_type\":\"syslog\"}}\n{\"timestamp\":\"2017-12-19T22:31:29+09:00\",\"message\":\" Starting Session 57613 of user root.\",\"host\":\"somehost\",\"severity\":\"info\",\"facility\":\"daemon\",\"syslogtag\":\"systemd:\"}\n"
        },
        "reply":        {
                "error":        "Content-Type header [text/json; charset=utf-8] is not supported",
                "status":       406
        }
}

Any help would be greatly appreciated.

It should be Content-Type: application/json (the UTF-8 option is fine too).

Thank you Jason. There was a specific change in place that made ES not accept what this plugin was sending to version 5.6?

Yes. See our blog post on strict content-type header parsing.

Thank you Jason. My bad, ,it seems that this change is up for some time already, and I've just noticed it upon upgrading to 6.1.
This post clarifies all. It seems there is a fix on 8.30 version of RSYSLOG, but it is still not in the RHEL repositories, we will update it manually.

You're welcome!

Well, for those interested, don't update RSYSLOG just yet. It seems there is a nasty bug in the omelasticsearch module that need to have the fix pushed.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.