I found the issue:
Login, etc. for the user is successful, that's why we get 403 instead of 401. But the default user has no permission to access cluster:admin/xpack/monitoring/bulk.
Since I cannot change anything in the reserved role remote_monitoring_agent or the reserved monitoring user, I cloned it and added the needed cluster privilege to the role via Dev Tools:
PUT /_security/role/remote_monitoring_agent1
{
  "cluster" : [
    "manage_index_templates",
    "manage_ingest_pipelines",
    "monitor",
    "cluster:monitor/xpack/watcher/watch/get",
    "cluster:admin/xpack/watcher/watch/put",
    "cluster:admin/xpack/watcher/watch/delete",
    "cluster:admin/xpack/monitoring/bulk"
  ],
  "indices" : [
    {
      "names" : [
        ".monitoring-*"
      ],
      "privileges" : [
        "all"
      ],
      "allow_restricted_indices" : false
    },
    {
      "names" : [
        "metricbeat-*"
      ],
      "privileges" : [
        "index",
        "create_index"
      ],
      "allow_restricted_indices" : false
    }
  ]
}
PUT /_security/user/remote_monitoring_user1
{
  "username" : "remote_monitoring_user1",
  "roles" : [
    "remote_monitoring_collector",
    "remote_monitoring_agent1"
  ],
  "full_name" : null,
  "email" : null,
  "password" : "monitoring1",
  "enabled" : true
}
=> voilà: Logstash can use this user to add its metrics via the bulk API.
But I don't understand why I cannot use the default user for this. When Elasticsearch and Logstash are using the same version, everything should fit with the default users. Otherwise I don't know why they are shipped.
Thanks a lot for your help.
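The following is an added example, not code from the post above or from Elasticsearch itself. It models, in Python, the one part of Elasticsearch's authorization that explains the 403: a role's named cluster privileges (such as `monitor`) expand to action-name patterns, and a request is authorized only if its action name matches one of them. The privilege table in the block is a hand-written subset (an assumption) covering only the names used by the role in the post; the essential fact it relies on is that `monitor` grants `cluster:monitor/*`, which cannot match an action under `cluster:admin/`. The role contents are copied from the post, with the cloned role taken to be the reserved one plus the single added action, as the post describes.

```python
"""Added illustration (not Elasticsearch's or Logstash's own code): a simplified
model of how Elasticsearch decides whether a role's cluster privileges cover a
given cluster action, showing why the reserved remote_monitoring_agent role
yields a 403 for cluster:admin/xpack/monitoring/bulk and the cloned role does not."""
import fnmatch

# Named cluster privileges expanded to the action-name patterns they grant.
# Assumption: a hand-written subset of Elasticsearch's privilege table, covering
# only the names that appear in the role from the post. "monitor" expands to
# cluster:monitor/* only, which is the crux of the 403.
NAMED_CLUSTER_PRIVILEGES = {
    "monitor": ["cluster:monitor/*"],
    "manage_ingest_pipelines": ["cluster:admin/ingest/pipeline/*"],
    "manage_index_templates": [
        "indices:admin/template/*",
        "indices:admin/index_template/*",
        "cluster:admin/component_template/*",
    ],
}

# Cluster privileges of the reserved remote_monitoring_agent role as listed in
# the post; the clone from the post is these six plus the monitoring bulk action.
RESERVED_AGENT_CLUSTER = [
    "manage_index_templates",
    "manage_ingest_pipelines",
    "monitor",
    "cluster:monitor/xpack/watcher/watch/get",
    "cluster:admin/xpack/watcher/watch/put",
    "cluster:admin/xpack/watcher/watch/delete",
]
MONITORING_BULK = "cluster:admin/xpack/monitoring/bulk"
CLONED_AGENT_CLUSTER = RESERVED_AGENT_CLUSTER + [MONITORING_BULK]


def expand_cluster_privileges(privileges):
    """Turn a role's cluster privilege list into plain action-name patterns.
    A named privilege is replaced by its patterns; anything else is treated as
    a raw action name (which may itself contain '*' wildcards)."""
    patterns = []
    for priv in privileges:
        patterns.extend(NAMED_CLUSTER_PRIVILEGES.get(priv, [priv]))
    return patterns


def is_action_granted(action, privileges):
    """True if any pattern granted by the role matches the action name."""
    return any(
        fnmatch.fnmatchcase(action, pattern)
        for pattern in expand_cluster_privileges(privileges)
    )


def missing_actions(actions, privileges):
    """Actions the role would reject with 403 (authenticated, not authorized)."""
    return [a for a in actions if not is_action_granted(a, privileges)]


def minimal_clone(base_privileges, needed_actions):
    """Copy of the role's cluster privileges with only the raw action names
    that are still missing appended, so the clone gains nothing beyond what
    the caller actually needs (least privilege)."""
    return list(base_privileges) + missing_actions(needed_actions, base_privileges)


if __name__ == "__main__":
    # Actions a monitoring agent exercises: a health check, watcher management,
    # and the monitoring bulk endpoint that caused the 403 in the post.
    agent_actions = [
        "cluster:monitor/health",
        "cluster:admin/xpack/watcher/watch/put",
        MONITORING_BULK,
    ]
    print("reserved role rejects:", missing_actions(agent_actions, RESERVED_AGENT_CLUSTER))
    print("cloned role rejects:  ", missing_actions(agent_actions, CLONED_AGENT_CLUSTER))
```

Run stand-alone, the script reports that the reserved privilege list rejects only the monitoring bulk action while the cloned list rejects nothing. `minimal_clone` is the check a practitioner wants before copying a reserved role: it appends exactly the actions still missing rather than a broad privilege such as `manage`. On a live cluster the equivalent question is answered by Elasticsearch's `_security/user/_has_privileges` API, called as the user in question.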