Update to 5.12 is not working and 5.11 is not working anymore
I run opencti with opensearch 1.3. When I try to update to 5.12.x, it asks to update opensearch to version 2. I updated, and opencti does not work.
{"category":"APP","errors":[{"attributes":{"genre":"TECHNICAL","http_status":500},"message":"Engine attachment processor configuration fail","name":"CONFIGURATION_ERROR","stack":"CONFIGURATION_ERROR: Engine attachment processor configuration fail\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at ConfigurationError (/opt/opencti/build/src/config/errors.js:64:53)\n at /opt/opencti/build/src/database/engine.js:832:20\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at elConfigureAttachmentProcessor (/opt/opencti/build/src/database/engine.js:820:5)\n at searchEngineInit (/opt/opencti/build/src/database/engine.js:229:32)\n at checkSystemDependencies (/opt/opencti/build/src/initialization.js:127:3)\n at platformStart (/opt/opencti/build/src/boot.js:228:5)"},{"message":"{"error":"Content-Type header [application/vnd.elasticsearch+json; compatible-with=8] is not supported","status":406}","name":"ResponseError","stack":"ResponseError: {"error":"Content-Type header [application/vnd.elasticsearch+json; compatible-with=8] is not supported","status":406}\n at DLt.request (/opt/opencti/build/node_modules/@elastic/transport/src/Transport.ts:553:17)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at zBt.putPipeline (/opt/opencti/build/node_modules/@elastic/elasticsearch/src/api/api/ingest.ts:195:12)\n at elConfigureAttachmentProcessor (/opt/opencti/build/src/database/engine.js:820:5)\n at searchEngineInit (/opt/opencti/build/src/database/engine.js:229:32)\n at checkSystemDependencies (/opt/opencti/build/src/initialization.js:127:3)\n at platformStart (/opt/opencti/build/src/boot.js:228:5)"}],"level":"error","message":"Engine attachment processor configuration fail","timestamp":"2024-01-08T17:15:33.650Z","version":"5.12.15"}
Hello @MatheusSandre, this particular error "Engine attachment processor configuration fail" doesn't prevent opencti from starting. Could you share more logs?
@SouadHadjiat I added the logs in a csv file above, and the version of my opensearch is 2.11
I also have an error when I try to upgrade from 5.8 to 5.12:
{"category":"APP","level":"info","message":"[OPENCTI] Starting platform","timestamp":"2024-01-23T15:02:05.232Z","version":"5.12.21"}
{"category":"APP","level":"info","message":"[OPENCTI] Checking dependencies statuses","timestamp":"2024-01-23T15:02:05.235Z","version":"5.12.21"}
{"category":"APP","level":"info","message":"[SEARCH] Engine client not specified, trying to discover it with opensearch client","timestamp":"2024-01-23T15:02:05.236Z","version":"5.12.21"}
{"category":"APP","level":"info","message":"[SEARCH] Engine detected to elk","timestamp":"2024-01-23T15:02:05.496Z","version":"5.12.21"}
{"category":"APP","errors":[{"attributes":{"genre":"TECHNICAL","http_status":500},"message":"Engine attachment processor configuration fail","name":"CONFIGURATION_ERROR","stack":"CONFIGURATION_ERROR: Engine attachment processor configuration fail\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at ConfigurationError (/opt/opencti/build/src/config/errors.js:64:53)\n at /opt/opencti/build/src/database/engine.js:787:20\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at elConfigureAttachmentProcessor (/opt/opencti/build/src/database/engine.js:775:5)\n at searchEngineInit (/opt/opencti/build/src/database/engine.js:264:32)\n at checkSystemDependencies (/opt/opencti/build/src/initialization.js:127:3)\n at platformStart (/opt/opencti/build/src/boot.js:234:5)"},{"message":"security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [cluster:admin/ingest/pipeline/put] is unauthorized for user [XXXXXXXXX]] with roles [XXXXXXXXX], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]","name":"ResponseError","stack":"ResponseError: security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [cluster:admin/ingest/pipeline/put] is unauthorized for user [XXXXXXXXX]] with roles [XXXXXXXXX]], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]\n at kJt.request (/opt/opencti/build/node_modules/@elastic/transport/src/Transport.ts:553:17)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at PZt.putPipeline (/opt/opencti/build/node_modules/@elastic/elasticsearch/src/api/api/ingest.ts:195:12)\n at elConfigureAttachmentProcessor (/opt/opencti/build/src/database/engine.js:775:5)\n at searchEngineInit (/opt/opencti/build/src/database/engine.js:264:32)\n at checkSystemDependencies (/opt/opencti/build/src/initialization.js:127:3)\n at platformStart (/opt/opencti/build/src/boot.js:234:5)"}],"level":"error","message":"Engine attachment processor configuration fail","timestamp":"2024-01-23T15:02:05.549Z","version":"5.12.21"}
{"category":"APP","level":"info","message":"[SEARCH] elk (7.17.13) client selected / runtime sorting enabled / attachment processor disabled","timestamp":"2024-01-23T15:02:05.550Z","version":"5.12.21"}
{"category":"APP","level":"info","message":"[CHECK] Search engine is alive","timestamp":"2024-01-23T15:02:05.551Z","version":"5.12.21"}
Have you solved the problem yet?
@MatheusSandre & @elenezet Do you still encounter this issue?
Hello, I have received your message, thank you.
@Jipegien yes, do you know if it works with elk 7?
@MatheusSandre from the logs you shared, there is an issue with elasticsearch / opensearch detection, I can see here that opencti detected an ELK engine (which is not right, you should have opensearch) :
"{""category"":""APP"",""level"":""info"",""message"":""[SEARCH] Engine client not specified, trying to discover it with opensearch client"",""timestamp"":""2024-01-16T18:10:17.484Z"",""version"":""5.12.15""}"
,"{""category"":""APP"",""level"":""info"",""message"":""[SEARCH] Engine detected to elk"",""timestamp"":""2024-01-16T18:10:17.548Z"",""version"":""5.12.15""}"
This error prevents opencti from starting because of the bad detection of the engine :
"{""category"":""APP"",""errors"":[{""attributes"":{""genre"":""TECHNICAL"",""http_status"":500},""message"":""The client noticed that the server is not Elasticsearch and we do not support this unknown product."",""name"":""UNKNOWN_ERROR"",""stack"":""UNKNOWN_ERROR: The client noticed that the server is not Elasticsearch and we do not support this unknown product.
I recommend that you specify your engine version in your configuration here and set it to opensearch: elasticsearch:engine_selector (ELASTICSEARCH__ENGINE_SELECTOR env variable).
You can find it in the documentation: https://docs.opencti.io/latest/deployment/configuration/?h=engine_selector#elasticsearch
@MatheusSandre did it solve your issue?
@nino-filigran nope
So just to clarify, which version of OpenCTI are you using now? And you still get the same exact logs even after applying the engine version in your config, as specified above by @SouadHadjiat?
I'm using opencti version 5.12.19 and opensearch 2.11. I got the same error with applying the engine version in config. The problem happened after I updated opensearch from 1.3 to 2.11. @nino-filigran
This log is when I run without the engine selector:
opencti-1 | {"category":"APP","errors":[{"attributes":{"genre":"TECHNICAL","http_status":500},"message":"Engine attachment processor configuration fail","name":"CONFIGURATION_ERROR","stack":"CONFIGURATION_ERROR: Engine attachment processor configuration fail\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at ConfigurationError (/opt/opencti/build/src/config/errors.js:70:53)\n at /opt/opencti/build/src/database/engine.js:803:20\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at elConfigureAttachmentProcessor (/opt/opencti/build/src/database/engine.js:791:5)\n at searchEngineInit (/opt/opencti/build/src/database/engine.js:279:32)\n at checkSystemDependencies (/opt/opencti/build/src/initialization.js:30:3)\n at platformStart (/opt/opencti/build/src/boot.js:13:5)"},{"message":"{"error":"Content-Type header [application/vnd.elasticsearch+json; compatible-with=8] is not supported","status":406}","name":"ResponseError","stack":"ResponseError: {"error":"Content-Type header [application/vnd.elasticsearch+json; compatible-with=8] is not supported","status":406}\n at aYt.request (/opt/opencti/build/node_modules/@elastic/transport/src/Transport.ts:553:17)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at TXt.putPipeline (/opt/opencti/build/node_modules/@elastic/elasticsearch/src/api/api/ingest.ts:195:12)\n at elConfigureAttachmentProcessor (/opt/opencti/build/src/database/engine.js:791:5)\n at searchEngineInit (/opt/opencti/build/src/database/engine.js:279:32)\n at checkSystemDependencies (/opt/opencti/build/src/initialization.js:30:3)\n at platformStart (/opt/opencti/build/src/boot.js:13:5)"}],"level":"error","message":"Engine attachment processor configuration fail","timestamp":"2024-02-23T17:28:02.491Z","version":"5.12.32"}
opencti-1 | {"category":"APP","errors":[{"attributes":{"genre":"TECHNICAL","http_status":500},"message":"The client noticed that the server is not Elasticsearch and we do not support this unknown product.","name":"UNKNOWN_ERROR","stack":"UNKNOWN_ERROR: The client noticed that the server is not Elasticsearch and we do not support this unknown product.\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at UnknownError (/opt/opencti/build/src/config/errors.js:76:47)\n at Object._logWithError (/opt/opencti/build/src/config/conf.js:311:23)\n at Object.error (/opt/opencti/build/src/config/conf.js:321:48)\n at platformStart (/opt/opencti/build/src/boot.js:21:12)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)"},{"message":"The client noticed that the server is not Elasticsearch and we do not support this unknown product.","name":"ProductNotSupportedError","stack":"ProductNotSupportedError: The client noticed that the server is not Elasticsearch and we do not support this unknown product.\n at aYt.request (/opt/opencti/build/node_modules/@elastic/transport/src/Transport.ts:496:17)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at vXt.exists (/opt/opencti/build/node_modules/@elastic/elasticsearch/src/api/api/indices.ts:557:12)\n at elIndexExists (/opt/opencti/build/src/database/engine.js:475:22)\n at initializeSchema (/opt/opencti/build/src/database/engine.js:858:33)\n at platformInit (/opt/opencti/build/src/initialization.js:95:7)\n at platformStart (/opt/opencti/build/src/boot.js:17:5)"}],"level":"error","message":"Platform unmanaged direct error","timestamp":"2024-02-23T17:28:03.001Z","version":"5.12.32"}
When I run with the engine selector set to opensearch, I get this error:
{"category":"APP","errors":[{"attributes":{"configured":"opensearch","detected":"elk","genre":"TECHNICAL","http_status":500},"message":"Invalid Search engine selector","name":"CONFIGURATION_ERROR","stack":"CONFIGURATION_ERROR: Invalid Search engine selector\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at ConfigurationError (/opt/opencti/build/src/config/errors.js:70:53)\n at searchEngineInit (/opt/opencti/build/src/database/engine.js:262:13)\n at processTicksAndRejections (node:internal/process/task_queues:95:5)\n at checkSystemDependencies (/opt/opencti/build/src/initialization.js:30:3)\n at platformStart (/opt/opencti/build/src/boot.js:13:5)"}],"level":"error","message":"Invalid Search engine selector","timestamp":"2024-02-23T17:30:36.622Z","version":"5.12.32"}
@SouadHadjiat @SamuelHassine can someone help me with this?
Hello,
Did you try to force the selector in the configuration?
ELASTICSEARCH__ENGINE_SELECTOR=opensearch
Kind regards, Samuel
@MatheusSandre Could you send the json response of your cluster endpoint ? https://opster.com/guides/opensearch/opensearch-operations/checking-opensearch-version/
Especially the version part.
Here is the json response of the cluster endpoint on AWS :
{
"name": "5296f46cd78a8001977275ff250a50e6",
"cluster_name": "860943360285:intel-prod-opencti",
"cluster_uuid": "8yXNstQyTsGaVe_PrvHLSA",
"version": {
"number": "7.10.2",
"build_type": "tar",
"build_hash": "unknown",
"build_date": "2023-11-14T10:03:14.097557524Z",
"build_snapshot": false,
"lucene_version": "9.7.0",
"minimum_wire_compatibility_version": "7.10.0",
"minimum_index_compatibility_version": "7.0.0"
},
"tagline": "The OpenSearch Project: https://opensearch.org/"
}
Currently we don't handle this response well (distribution is missing and the version number is wrong, it should be 2.X), and we fall back to elasticsearch. Changing the status of this issue to bug to investigate.
Hello,
Opensearch 2.12 seems to reply better, you should try it.
{
"name" : "opensearch-cluster-master-0",
"cluster_name" : "opensearch-cluster",
"cluster_uuid" : "h-PVNIa1TsCYTg6CMHCViQ",
"version" : {
"distribution" : "opensearch",
"number" : "2.12.0",
"build_type" : "tar",
"build_hash" : "2c355ce1a427e4a528778d4054436b5c4b756221",
"build_date" : "2024-02-20T02:18:49.874618333Z",
"build_snapshot" : false,
"lucene_version" : "9.9.2",
"minimum_wire_compatibility_version" : "7.10.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
As mentioned by @SouadHadjiat, the version sent by AWS depends on the opensearch configuration. If this configuration is not correct, the version is not sent and opencti falls back to the elasticsearch client. As explained by Samuel, the solution is to force the engine selector to opensearch instead of auto.
Closing this issue
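The detection problem discussed in this thread can be checked before an upgrade by inspecting the cluster root response. The following is an added example, not OpenCTI's code and not from any participant: classifyRootResponse and preUpgradeCheck are hypothetical helpers, and the two inputs are trimmed copies of the responses quoted above.

```javascript
// Added example (not OpenCTI code). Inputs are trimmed copies of the two
// root-endpoint responses quoted in this thread; host-identifying fields omitted.
const awsResponse = {
  version: { number: '7.10.2', lucene_version: '9.7.0' },
  tagline: 'The OpenSearch Project: https://opensearch.org/',
};
const openSearch212Response = {
  version: { distribution: 'opensearch', number: '2.12.0', lucene_version: '9.9.2' },
  tagline: 'The OpenSearch Project: https://opensearch.org/',
};

// Hypothetical helper: reports what a detection keyed on version.distribution
// would conclude, plus any fields in the response that contradict it.
function classifyRootResponse(info) {
  const version = (info && info.version) || {};
  if (version.distribution === 'opensearch') {
    return { detected: 'opensearch', contradictions: [] };
  }
  // No distribution field: per the thread, detection falls back to Elasticsearch ("elk").
  const contradictions = [];
  if (/opensearch/i.test((info && info.tagline) || '')) {
    contradictions.push('tagline names the OpenSearch Project');
  }
  // Elasticsearch 7.x ships Lucene 8.x, so a 7.x number with Lucene 9+ is inconsistent.
  const major = (v) => parseInt(String(v || '').split('.')[0], 10);
  if (major(version.number) === 7 && major(version.lucene_version) >= 9) {
    contradictions.push(`version ${version.number} reported with Lucene ${version.lucene_version}`);
  }
  return { detected: 'elk', contradictions };
}

// Hypothetical pre-upgrade check: takes the raw JSON text returned by GET / on the cluster.
function preUpgradeCheck(rawJson) {
  const result = classifyRootResponse(JSON.parse(rawJson));
  if (result.detected === 'elk' && result.contradictions.length > 0) {
    return `MISDETECTION RISK: would be treated as elk, but ${result.contradictions.join('; ')}`;
  }
  return `OK: detected as ${result.detected}`;
}

console.log(preUpgradeCheck(JSON.stringify(awsResponse)));
console.log(preUpgradeCheck(JSON.stringify(openSearch212Response)));
```

A response flagged this way is the case where the thread's advice applies: set the engine selector explicitly rather than relying on auto-detection.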