Got response code '403' contacting Elasticsearch at URL 'http://localhost:9200/

Hi,

My pipeline not working with ouput elasticsearch, I created user and role like this:

root@logserver:/home/g0004830# curl -k -u admin:my_password -XGET "http://localhost:9200/_security/user/syslog?pretty" 
{
  "syslog" : {
    "username" : "syslog",
    "roles" : [
      "syslog"
    ],
    "full_name" : null,
    "email" : null,
    "metadata" : { },
    "enabled" : true
  }
}
root@logserver:/home/g0004830# curl -k -u admin:my_password -XGET "http://localhost:9200/_security/role/syslog?pretty" 
{
  "syslog" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "syslog-*"
        ],
        "privileges" : [
          "read",
          "write"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

And my output config:

output {
    stdout {
        codec => rubydebug        
    }

	elasticsearch {
        user => "syslog"
        password => "my_password" 
        hosts => [ "http://localhost:9200/" ]
		index => "syslog-%{+YYYY-MM-dd}"        
	}
	
}

When I run logstash I receive this error:

[WARN ] 2022-06-23 23:48:20.422 [Ruby-0-Thread-9: :1] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://syslog:xxxxxx@localhost:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :message=>"Got response code '403' contacting Elasticsearch at URL 'http://localhost:9200/'"}

How can I solve this?

Can you confirm a curl directly to Elasticsearch with your syslog users works?

Hi,

with curl that's work.

g0004830@logserver:~/logstatsh$ curl -u syslog:mypassword -XPOST "http://localhost:9200/syslog-2022-06-27/_doc" -H "Content-Type: application/json" -d @ingest.json
{"_index":"syslog-2022-06-27","_id":"s9xSo4EBMMASQROr_aWn","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}g0004830@logserver:~/logstatsh$ 
g0004830@logserver:~/logstatsh$ 
g0004830@logserver:~/logstatsh$ cat ingest.json 
      {
          "type" : "HL4",
          "vendor" : "Nokia",
          "tags" : [ ],
          "message" : "TMNX: 861880 Base PPPOE-WARNING-tmnxPppoeSessionFailure-2001 [PPPoE session failure]:  PPPoE session failure on SAP lag-1:102.* in service 410 - [f4:54:20:c3:0f:31,1,cliente@cliente] Authentication failed\n",
          "@version" : "1",
          "hostname" : "i-br-mg-ssp-p14-hl4-01",
          "model" : "SR7750",
          "@timestamp" : "2022-06-27T19:29:11.680371Z",
          "ip" : "10.113.150.4"
        }

g0004830@logserver:~/logstatsh$

I changed logstash pipeline to using admin user and works..