I have set up Logstash to send user inputs to AWS Elasticsearch, but I am getting the following issue:
[WARN ] 2020-07-22 09:27:50.704 [Ruby-0-Thread-4: :1] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"ENDPOINT_URL:443/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '403' contacting Elasticsearch at URL 'ENDPOINT_URL:443/'"}
The Elasticsearch instance uses the following access policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MYACCOUNT:user/logstash_publisher"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:eu-west-2:MYACCOUNT:domain/DOMAINNAME/*"
    }
  ]
}
and logstash_publisher also has an AmazonESFullAccess policy attached.
This is the Logstash conf file:
input {
  stdin {}
}
output {
  stdout {}
  amazon_es {
    hosts => ["ENDPOINT"]
    region => "ENDPOINT-REGION"
    index => "stdin-input-logs"
    aws_access_key_id => 'LOGPUBLISHER-ACCESS-KEY'
    aws_secret_access_key => 'LOGPUBLISHER-SECRET-KEY'
  }
}