OpenShift Logging / LOG-6856

Elasticsearch reconciliation fails when audit logs are not captured


    • Bug
    • Resolution: Won't Do
    • Normal
    • Logging 5.8.18
    • Log Storage
    • Bug Fix
    • Log Storage - Sprint 270
    • Important

      Description of problem:

      When setting up the Logging stack with OpenShift Elasticsearch and capturing only application and infra logs, the elasticsearch-operator pod gets stuck in reconciliation with the error below:

       

      {"_ts":"2025-03-11T12:18:28.420519972Z","_level":"0","_component":"elasticsearch-operator_controllers_Elasticsearch","_message":"Failed to initialize first index alias for mapping","_error":{"cluster":"elasticsearch","msg":"failed to update aliases","namespace":"openshift-logging","response_body":{"error":{"index":"audit-000001","index_uuid":"_na_","reason":"no such index","resource.id":"audit-000001","resource.type":"index_or_alias","root_cause":[{"index":"audit-000001","index_uuid":"_na_","reason":"no such index","resource.id":"audit-000001","resource.type":"index_or_alias","type":"index_not_found_exception"}],"type":"index_not_found_exception"},"status":404},"response_error":null,"response_status":404},"cluster":"elasticsearch","handler":"indexmanagement","mapping":"audit","name":"audit","namespace":"openshift-logging"} 

      Because of this, if any resource is deleted, say an elasticsearch-im-* cronjob, it is not recreated until the index audit-000001 is created manually in the Elasticsearch cluster.

       

      Version-Release number of selected component (if applicable):

      Red Hat OpenShift Logging 5.8.18

      OpenShift Elasticsearch 5.8.18

      How reproducible:

      100%

      Steps to Reproduce:

      1. Install RHOL and OpenShift Elasticsearch operators.
      2. Create ClusterLogging CR.
      3. Wait for the collector, elasticsearch-cdm pods to initialize.
      4. Check the logs of elasticsearch-operator pod available in openshift-operators-redhat project.
      5. Try deleting any of the elasticsearch-im-* cronjobs from openshift-logging; it never gets recreated because elasticsearch is looking for the audit-000001 index.

      Actual results:

      Resources managed by Elasticsearch are not getting recreated because elasticsearch-operator is stuck in reconciliation.

      Expected results:

      Resources managed by Elasticsearch should get recreated by the operator.

      Additional info:

      The workaround is to create the index manually using the command below:

      $ oc -n openshift-logging exec -c elasticsearch <elasticsearch-cdm-pod> -- es_util --query=audit-000001 -XPUT

              rojacob@redhat.com Robert Jacob
              rhn-support-dgautam Dhruv Gautam
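
To spot the stuck state described above from saved elasticsearch-operator output, the following added example (not part of the original report or the operator's code) groups "index not found" alias failures by namespace and mapping. The field names come from the log line in this report; the function name and all sample lines except the abridged first one are constructed for illustration.

```python
import json

MESSAGE = "Failed to initialize first index alias for mapping"  # text from the log line in this report

# Constructed sample input. Line 1 is abridged from the entry in this report;
# the remaining lines are made up to exercise the filter.
SAMPLE_LOG = r'''
{"_ts":"2025-03-11T12:18:28.420519972Z","_level":"0","_message":"Failed to initialize first index alias for mapping","_error":{"msg":"failed to update aliases","response_body":{"error":{"index":"audit-000001","reason":"no such index","type":"index_not_found_exception"},"status":404},"response_status":404},"mapping":"audit","namespace":"openshift-logging"}
starting manager
{"_ts":"2025-03-11T12:19:28.431Z","_level":"0","_message":"Failed to initialize first index alias for mapping","_error":{"msg":"failed to update aliases","response_body":{"error":{"index":"audit-000001","reason":"no such index","type":"index_not_found_exception"},"status":404},"response_status":404},"mapping":"audit","namespace":"openshift-logging"}
{"_ts":"2025-03-11T12:19:30Z","_level":"0","_message":"Failed to initialize first index alias for mapping","_error":{"msg":"failed to update aliases","response_body":"upstream unavailable","response_status":503},"mapping":"infra","namespace":"openshift-logging"}
{"_ts":"2025-03-11T12:20:00Z","_level":"0","_message":"reconcile finished"}
'''

def missing_first_indices(lines):
    """Group 'index not found' alias failures by (namespace, mapping)."""
    found = {}
    for raw in lines:
        raw = raw.strip()
        if not raw.startswith("{"):
            continue                      # skip blank and non-JSON lines
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # truncated or corrupted line
        if rec.get("_message") != MESSAGE:
            continue
        body = (rec.get("_error") or {}).get("response_body")
        es_err = body.get("error") if isinstance(body, dict) else None
        if not isinstance(es_err, dict) or es_err.get("type") != "index_not_found_exception":
            continue                      # same message, different cause
        key = (rec.get("namespace"), rec.get("mapping"))
        hit = found.setdefault(key, {"index": es_err.get("index"), "count": 0,
                                     "first_seen": rec.get("_ts")})
        hit["count"] += 1
        hit["last_seen"] = rec.get("_ts")
    return found

if __name__ == "__main__":
    for (ns, mapping), hit in missing_first_indices(SAMPLE_LOG.splitlines()).items():
        print(f"{ns}/{mapping}: {hit['index']} missing, {hit['count']} failures, "
              f"{hit['first_seen']} .. {hit['last_seen']}")
```

A mapping that keeps reappearing with a growing count is the one whose first index needs the manual workaround from the report.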