Action [indices:data/write/bulk] is unauthorized for user [logstash_system]\

(dencowboy) #1

I've created the ELK stack in docker.
I started ES. I've changed the password of the existing logstash_system user:

curl -u elastic -XPUT 'localhost:9200/_xpack/security/user/logstash_system/_password?pretty' -H 'Content-Type: application/json' -d'
  "password": "secretlog"

I've created my own logstash image with as .yml

xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: secretlog

pipeline/logstash.conf looks like:

input {
  gelf { }

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    user => "logstash_system"
    password => "secretlog"
  stdout { }

Now i've started a container with the gelf driver. I see the logs in my logstash but it's also throwing this error in between:

2017-08-02T12:49:51.239Z - - [02/Aug/2017:12:49:51 +0000] "GET / HTTP/1.1" 200 45
[2017-08-02T12:49:51,394][ERROR][logstash.outputs.elasticsearch] Got a bad response code from server, but this code is not considered retryable. Request will be dropped {:code=>403, :response_body=>"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [indices:data/write/bulk] is unauthorized for user [logstash_system]\"}],\"type\":\"security_exception\",\"reason\":\"action [indices:data/write/bulk] is unauthorized for user [logstash_system]\"},\"status\":403}"}
2017-08-02T12:49:51.362Z - - [02/Aug/2017:12:49:51 +0000] "GET / HTTP/1.1" 200 45

This does not work: I go inside my logstash container and try to curl indices:

$:~/logging-project$ docker exec -it c187363f5729 bash
bash-4.2$ curl -u logstash_system 'elasticsearch:9200/_cat/indices?v'
Enter host password for user 'logstash_system':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:monitor/stats] is unauthorized for user [logstash_system]"}],"type":"security_exception","reason":"action [indices:monitor/stats] is unauthorized for user [logstash_system]"},"status":403}bash-4.2$

(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.