Upgraded ES 5.6 > 6.1 Now _bulk not accepting header text/json

ericohtake · December 19, 2017, 2:13pm

Hello,
Today we updated ES to version 6.1 coming from 5.6 and all went good except for indexing Linux logs via a RSYSLOG plugin called omelasticsearch. I've setup an error output file that tells that the Content-Type header text/json is not supported. Is there any change thay might be causing this problem? I mean, propably the maintainer of this plugin will have to change its configuration somehow.

Below the response the application is getting from Elasticsearch after posting that data using the _bulk api. I had the syslog not being delivered after the upgrade, and only. All the rest are working fine.

{
        "request":      {
                "url":  "http://elasticsearch:9200/_bulk",
                "postdata":     "{\"index\":{\"_index\": \"rsyslog-2017-12-19\",\"_type\":\"syslog\"}}\n{\"timestamp\":\"2017-12-19T22:31:29+09:00\",\"message\":\" Starting Session 57613 of user root.\",\"host\":\"somehost\",\"severity\":\"info\",\"facility\":\"daemon\",\"syslogtag\":\"systemd:\"}\n"
        },
        "reply":        {
                "error":        "Content-Type header [text/json; charset=utf-8] is not supported",
                "status":       406
        }
}

Any help would be greatly appreciated.

jasontedor · December 19, 2017, 2:41pm

It should be Content-Type: application/json (the UTF-8 option is fine too).

ericohtake · December 19, 2017, 11:54pm

Thank you Jason. There was a specific change in place that made ES not accept what this plugin was sending to version 5.6?

jasontedor · December 20, 2017, 12:41am

Yes. See our blog post on strict content-type header parsing.

ericohtake · December 20, 2017, 11:57am

Thank you Jason. My bad, ,it seems that this change is up for some time already, and I've just noticed it upon upgrading to 6.1.
This post clarifies all. It seems there is a fix on 8.30 version of RSYSLOG, but it is still not in the RHEL repositories, we will update it manually.

jasontedor · December 20, 2017, 12:10pm

You're welcome!

ericohtake · December 20, 2017, 1:03pm

Well, for those interested, don't update RSYSLOG just yet. It seems there is a nasty bug in the omelasticsearch module that need to have the fix pushed.

system · January 17, 2018, 1:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.