Logstash -> Elastic 403 permission issue

Hi,
I am new to ELK. Right now I am trying to configure and use my first ELK server.
I'm trying to configure security through the basic realm and have an issue with the Logstash connection to Elasticsearch. Following the guide https://www.elastic.co/guide/en/elasticsearch/reference/current/security-getting-started.html, I configured a logstash_writer role and added a logstash_internal user.
logstash_writer role:

{
  "logstash_writer" : {
    "cluster" : [
      "monitor",
      "manage_index_templates"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "create",
          "delete",
          "create_index",
          "write"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

logstash_internal user:

{
  "logstash_internal" : {
    "username" : "logstash_internal",
    "roles" : [
      "logstash_writer"
    ],
    "full_name" : "",
    "email" : "",
    "metadata" : { },
    "enabled" : true
  }
}

On startup, Logstash failed with an HTTP 403 error from Elasticsearch:
LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError: Got response code '403' contacting Elasticsearch at URL 'http://localhost:9200/logstash'
Output config:

output {
  elasticsearch {
    hosts => "localhost:9200"
#    manage_template => false
#    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    password => "Password"
  }
#    stdout { codec => rubydebug }
}

curl -u logstash_internal:Password http://localhost:9200/ works fine
curl -u logstash_internal:Password http://localhost:9200/logstash finishes with a 403 error code
< {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/get] is unauthorized for user [logstash_internal]"}],"type":"security_exception","reason":"action [indices:admin/get] is unauthorized for user [logstash_internal]"},"status":403} />
Please help me understand where I made a mistake in the configuration and what needs to be changed.

1 Like
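
An added example (not part of the original post, and not Elastic's code): an offline check that reads the denied action out of the 403 body and tests it against the role's index privileges. The privilege-to-action table is an abbreviated subset written for this illustration, and index-name matching is simplified to shell-style wildcards.

```python
import json
import re
from fnmatch import fnmatchcase

# Assumption: abbreviated subset of Elasticsearch index privileges and the
# transport action patterns they grant; not the full built-in list.
PRIVILEGE_ACTIONS = {
    "create": ["indices:data/write/index*", "indices:data/write/bulk*"],
    "delete": ["indices:data/write/delete*", "indices:data/write/bulk*"],
    "write": ["indices:data/write/*"],
    "create_index": ["indices:admin/create"],
    "view_index_metadata": ["indices:admin/get", "indices:admin/aliases/get",
                            "indices:admin/mappings/get", "indices:monitor/settings/get"],
    "manage": ["indices:admin/*", "indices:monitor/*"],
    "all": ["indices:*"],
}

def denied_action(error_body):
    """Return (action, user) from a security_exception body, or None."""
    reason = json.loads(error_body)["error"]["reason"]
    m = re.search(r"action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]", reason)
    return (m.group(1), m.group(2)) if m else None

def covering_privileges(action):
    """Index privileges (from the table above) that would grant the action."""
    return sorted(p for p, pats in PRIVILEGE_ACTIONS.items()
                  if any(fnmatchcase(action, pat) for pat in pats))

def role_allows(role, index, action):
    """True if any indices entry matching the index name grants the action."""
    for entry in role["indices"]:
        if not any(fnmatchcase(index, name) for name in entry["names"]):
            continue
        for priv in entry["privileges"]:
            if any(fnmatchcase(action, pat) for pat in PRIVILEGE_ACTIONS.get(priv, [])):
                return True
    return False

# Constructed sample input: the "indices" section of the role from the post
# and an abridged copy of the 403 response body.
ROLE = {"indices": [{"names": ["*"],
                     "privileges": ["create", "delete", "create_index", "write"]}]}
ERROR = ('{"error":{"type":"security_exception","reason":"action [indices:admin/get] '
         'is unauthorized for user [logstash_internal]"},"status":403}')

if __name__ == "__main__":
    action, user = denied_action(ERROR)
    print(user, action, "allowed:", role_allows(ROLE, "logstash", action))
    print("privileges that cover it:", covering_privileges(action))
```

For this role the write-oriented privileges grant document writes and index creation, but none of them grant `indices:admin/get`; of the privileges in the table that do, `view_index_metadata` is the narrowest.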
