Logstash error 403 with a remote Elasticsearch instance

Hi,

I have a Logstash config which works fine with my local Elasticsearch instance, but when I try to push to a remote instance the config gives an error at startup as follows:

Using default mapping template
[2021-10-07T13:17:25,981][INFO ][logstash.outputs.Elasticsearch][main] Attempting to install template {:manage_template=>{"index_patterns"=>"logstash-", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s", "number_of_shards"=>1}, "mappings"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}
[2021-10-07T13:17:26,028][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge][main] A gauge metric of an unknown type (org.jruby.specialized.RubyArrayOneObject) has been created for key: cluster_uuids. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team.
[2021-10-07T13:17:26,028][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>12, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1500, "pipeline.sources"=>["C:/logstash-7.6.2/config/logstash-grok.conf"], :thread=>"#<Thread:0x59254081 run>"}
[2021-10-07T13:17:26,075][ERROR][logstash.outputs.Elasticsearch][main] Failed to install template. {:message=>"Got response code '403' contacting Elasticsearch at URL 'https://mysite.com:443/_template/logstash'", :class=>"LogStash::Outputs::Elasticsearch::HttpClient::Pool::BadResponseCodeError", :backtrace=>["C:/logstash-7.6.2/vendor/bundle/jruby/2.5.0/gems/logstash-output-Elasticsearch-10.3.3-java/lib/logstash/outputs/Elasticsearch/http_client/manticore_adapter.rb:80:in perform_request'", "C:/logstash-7.6.2/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.3.3-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:332:in perform_request_to_url'", "C:/logstash-7.6.2/vendor/bundle/jruby/2.5.0/gems/logstash-output-Elasticsearch-10.3.3-java/lib/logstash/outputs/Elasticsearch/http_client/pool.rb:319:in block in perform_request'", "C:/logstash-7.6.2/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.3.3-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:414:in with_connection'", "C:/logstash-7.6.2/vendor/bundle/jruby/2.5.0/gems/logstash-output-Elasticsearch-10.3.3-java/lib/logstash/outputs/Elasticsearch/http_client/pool.rb:318:in perform_request'", "C:/logstash-7.6.2/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.3.3-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:326:in block in Pool'",

I have default template settings.

My input looks like this

input {
  beats {
    port => 5044
  }
}


filter {
  ### I have tried with the simplest filter too
}


output {
  elasticsearch {
    hosts => ["https://mysite.com:443"]
    user => "logstash_user"
    password => "myp@ssword"
    index => "offline-%{[name]}-%{[logtype]}-%{+YYYY.MM.dd}"
    document_id => "%{[@metadata][fingerprint]}"
  }
}

Please share what is wrong here?

Thanks

Usually means access to a resource is being denied... Is the user allowed to create or edit the template if it exists?

Thanks @zx8086 for your response. Can you please tell me how I can find that out?

Does the specified user and password have permission to write to the index specified?
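
Added example (not part of the thread and not any poster's code): one way to find out what `logstash_user` is allowed to do is to call Elasticsearch's `_security/user/_has_privileges` API as that user and list what comes back denied. It assumes the remote cluster has Elasticsearch security enabled and that the 403 comes from Elasticsearch rather than from a proxy in front of it; the privilege lists, the `offline-*` pattern, the `ES_PASSWORD` variable and the sample response are assumptions constructed for illustration.

```python
import base64, json, os, urllib.request

ES_URL = "https://mysite.com:443"   # hosts value from the post's output block
INDEX_PATTERN = "offline-*"         # assumption: covers index => "offline-%{[name]}-..."
# Assumption: privileges Elastic's docs list for a Logstash writer role.
CLUSTER_PRIVS = ["monitor", "manage_index_templates"]
INDEX_PRIVS = ["create_index", "create", "write"]

def build_request_body():
    """Body for POST /_security/user/_has_privileges."""
    return {"cluster": CLUSTER_PRIVS,
            "index": [{"names": [INDEX_PATTERN], "privileges": INDEX_PRIVS}]}

def missing_privileges(response, body=None):
    """List every requested privilege the response does not grant."""
    body = body or build_request_body()
    cluster = response.get("cluster", {})
    missing = [f"cluster:{p}" for p in body["cluster"] if not cluster.get(p, False)]
    for spec in body["index"]:
        for name in spec["names"]:
            granted = response.get("index", {}).get(name, {})
            missing += [f"index:{name}:{p}" for p in spec["privileges"]
                        if not granted.get(p, False)]
    return missing

def check_live(user, password):
    """Ask the cluster, authenticated as the Logstash user itself."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        ES_URL + "/_security/user/_has_privileges",
        data=json.dumps(build_request_body()).encode(),
        headers={"Authorization": "Basic " + token,
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return missing_privileges(json.load(resp))

# Constructed sample response: template management is the one thing denied.
SAMPLE_RESPONSE = {
    "username": "logstash_user", "has_all_requested": False,
    "cluster": {"monitor": True, "manage_index_templates": False},
    "index": {"offline-*": {"create_index": True, "create": True, "write": True}},
}

if __name__ == "__main__":
    print("sample :", missing_privileges(SAMPLE_RESPONSE))
    if os.environ.get("ES_PASSWORD"):  # keep the password out of the script
        print("live   :", check_live("logstash_user", os.environ["ES_PASSWORD"]))
```

A denied `cluster:manage_index_templates` would match the failing `/_template/logstash` request in the log above; an HTTP error from the privilege check itself points at authentication or at something in front of the cluster instead.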
