Logstash AWS Elastic Search issue

I have set up Logstash to send user inputs to AWS ElasticSearch, but I am getting the following issue:

[WARN ] 2020-07-22 09:27:50.704 [Ruby-0-Thread-4: :1] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"ENDPOINT_URL:443/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '403' contacting Elasticsearch at URL 'ENDPOINT_URL:443/'"}

Elasticsearch instance uses the following access policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MYACCOUNT:user/logstash_publisher"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-2:MYACCOUNT:domain/DOMAINNAME/*"
    }
  ]
}

and logstash_publisher also has an AmazonESFullAccess policy attached.

This is the logstash conf file:

input {
  stdin {}
}
output {
  stdout {}
  amazon_es {
    hosts => ["ENDPOINT"]
    region => "ENDPOINT-REGION"
    index => "stdin-input-logs"
    aws_access_key_id => 'LOGPUBLISHER-ACCESS-KEY'
    aws_secret_access_key => 'LOGPUBLISHER-SECRET-KEY'
  }
}

You will need to ask AWS about this, sorry. It's a plugin they provide, along with an Elasticsearch service they provide.
