Hi,
I am new to ELK. I am currently trying to configure and use my first ELK server.
I'm trying to configure security through the basic realm and have an issue with the Logstash connection to Elasticsearch. Following the guide https://www.elastic.co/guide/en/elasticsearch/reference/current/security-getting-started.html I configured a logstash_writer role and added a logstash_internal user.
logstash_writer role:
{
  "logstash_writer" : {
    "cluster" : [
      "monitor",
      "manage_index_templates"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "create",
          "delete",
          "create_index",
          "write"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
logstash_internal user:
{
  "logstash_internal" : {
    "username" : "logstash_internal",
    "roles" : [
      "logstash_writer"
    ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  }
}
On startup, Logstash fails with an HTTP 403 error from Elasticsearch:
LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError: Got response code '403' contacting Elasticsearch at URL 'http://localhost:9200/logstash'
Output config:
output {
  elasticsearch {
    hosts => "localhost:9200"
    # manage_template => false
    # index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    password => "Password"
  }
  # stdout { codec => rubydebug }
}
curl -u logstash_internal:Password http://localhost:9200/ works fine
curl -u logstash_internal:Password http://localhost:9200/logstash finishes with a 403 error code
< {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/get] is unauthorized for user [logstash_internal]"}],"type":"security_exception","reason":"action [indices:admin/get] is unauthorized for user [logstash_internal]"},"status":403} />
Please help me understand where I made a mistake in the configuration and what needs to be changed.