Icinga / icingaweb2-module-elasticsearch

This module will not be updated by Icinga anymore. Please don't attempt to use it.

Home Page: https://icinga.com/docs/elasticsearch/latest


Graylog indexes?

mzac opened this issue and commented:

Expected Behavior

Trying to get this module to work with Graylog indexes without any success... Could it be because Graylog creates indexes differently with @timestamp or timestamp? When I try the same query manually with Insomnia it works.

Current Behavior

I am getting an error 400

Possible Solution

None

Steps to Reproduce (for bugs)

My config files:

instances.ini

[esearch1.lab.local]
uri = "http://esearch1.lab.local:9200"
user = ""
password = ""
ca = ""
client_certificate = ""
client_private_key = ""

eventtypes.ini

[graylog]
instance = "esearch1.lab.local"
index = "graylog_*"
filter = "source={host.name}"
fields = "message"

Context

Example of what I see in a packet capture:

GET /graylog_*/_search HTTP/1.1
User-Agent: ipl/1.0.0 curl/7.29.0 PHP/7.1.8
Transfer-Encoding: chunked
Content-Type: application/json
Host: esearch1.lab.local:9200

{
	"_source": [
		"@timestamp",
		"message"
	],
	"query": {
		"match": {
			"source": "vpn.lab.local"
		}
	},
	"from": 0,
	"size": 25,
	"sort": {
		"@timestamp": "desc"
	}
}

HTTP/1.1 400 Bad Request
content-type: application/json; charset=UTF-8
content-length: 941

{
	"error": {
		"root_cause": [
			{
				"type": "query_shard_exception",
				"reason": "No mapping found for [@timestamp] in order to sort on",
				"index_uuid": "qLEVdPI1Sru5_ijeWsZRHQ",
				"index": "graylog_273"
			},
			{
				"type": "query_shard_exception",
				"reason": "No mapping found for [@timestamp] in order to sort on",
				"index_uuid": "gvJp7c2qR9ma9ZT3ymr2MA",
				"index": "graylog_274"
			}
		],
		"type": "search_phase_execution_exception",
		"reason": "all shards failed",
		"phase": "query",
		"grouped": true,
		"failed_shards": [
			{
				"shard": 0,
				"index": "graylog_273",
				"node": "0h89v-qXTauJznrwfT3N9g",
				"reason": {
					"type": "query_shard_exception",
					"reason": "No mapping found for [@timestamp] in order to sort on",
					"index_uuid": "qLEVdPI1Sru5_ijeWsZRHQ",
					"index": "graylog_273"
				}
			},
			{
				"shard": 0,
				"index": "graylog_274",
				"node": "0h89v-qXTauJznrwfT3N9g",
				"reason": {
					"type": "query_shard_exception",
					"reason": "No mapping found for [@timestamp] in order to sort on",
					"index_uuid": "gvJp7c2qR9ma9ZT3ymr2MA",
					"index": "graylog_274"
				}
			}
		]
	},
	"status": 400
}

Your Environment

  • Module version (System - About): 1.0.0
  • Icinga Web 2 version and modules (System - About): 2.6.1
  • Icinga 2 version (icinga2 --version): 2.9.1
  • Elasticsearch version (curl http://localhost:9200): 5.6.11
  • Operating System and version: Redhat 7
  • Webserver, PHP versions: Apache 2.4.6, PHP 7.1.8 (fpm)
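The error above is the whole story: the module always sorts on `@timestamp`, and every Graylog shard rejects the sort because that field is not mapped. The following is an added example, not code from the module or from the reporter. It parses the `query_shard_exception` root causes out of an Elasticsearch 400 body to name the offending sort field and indices, and builds the same search body with a configurable sort key plus Elasticsearch's `unmapped_type` sort option, so an index that lacks the field yields no hits instead of failing the whole query. The Graylog field name `timestamp` is the reporter's assumption, not something confirmed on this page.

```python
import json
import re

# Constructed, abbreviated copy of the 400 body shown in the issue above.
SAMPLE_ERROR = json.dumps({
    "error": {
        "root_cause": [
            {"type": "query_shard_exception",
             "reason": "No mapping found for [@timestamp] in order to sort on",
             "index": "graylog_273"},
            {"type": "query_shard_exception",
             "reason": "No mapping found for [@timestamp] in order to sort on",
             "index": "graylog_274"},
        ],
        "type": "search_phase_execution_exception",
        "reason": "all shards failed",
    },
    "status": 400,
})

_UNMAPPED_SORT = re.compile(r"No mapping found for \[([^\]]+)\] in order to sort on")


def unmapped_sort_fields(error_body: str) -> dict:
    """Map each sort field Elasticsearch could not find to the indices reporting it."""
    missing = {}
    payload = json.loads(error_body)
    for cause in payload.get("error", {}).get("root_cause", []):
        match = _UNMAPPED_SORT.search(cause.get("reason", ""))
        if match:
            missing.setdefault(match.group(1), []).append(cause.get("index", "?"))
    return missing


def build_search(filter_field, filter_value, timestamp_field="@timestamp",
                 fields=("message",), size=25):
    """Hypothetical helper: same body the module sends, but the sort key is
    configurable and carries unmapped_type so indices without that field do
    not fail every shard."""
    return {
        "_source": [timestamp_field, *fields],
        "query": {"match": {filter_field: filter_value}},
        "from": 0,
        "size": size,
        "sort": [{timestamp_field: {"order": "desc", "unmapped_type": "date"}}],
    }


if __name__ == "__main__":
    print(unmapped_sort_fields(SAMPLE_ERROR))
    # Assumption taken from the issue: Graylog stores event time in "timestamp".
    print(json.dumps(build_search("source", "vpn.lab.local", timestamp_field="timestamp"), indent=1))
```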