Logstash single server

Trent-alex · March 6, 2025, 4:24am

Hello I have the following configuration file reporting the below error. This is all running on a single machine.

filter {
  csv {
    separator => ","
    columns => ["Day of Date Eastern", "Device Id", "Location", "Time Eastern", "Date Eastern", "Hour Eastern", "count", "Address", "Geohash", "Ip Address", "Timestamp UTC", "count_locations", "count_signals", "Horizontal Accuracy", "Latitude", "Longitude", "Timestamp"]
  }

  date {
    match => ["Timestamp UTC", "MM/dd/yyyy hh:mm:ss a"]
    target => "@timestamp"
    timezone => "UTC"
  }

  mutate {
    convert => {
      "Hour Eastern" => "integer"
      "count_locations" => "integer"
      "count_signals" => "integer"
      "Horizontal Accuracy" => "float"
      "Latitude" => "float"
      "Longitude" => "float"
      "Timestamp" => "float"
    }
  }

  geoip {
    source => "Ip Address"
    target => "geoip"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "substation_sabotage_%{+YYYY.MM.dd}"
    ssl_certificate_authorities=>['/home/trex/Downloads/logstash-8.17.1/config/certs/http_ca.crt']
    user=> "logstash_internal"
    password => "1qaz2wsx"
  }
  stdout { codec => rubydebug }
}type or paste code here

It is receiving the following error

t[WARN ][logstash.outputs.elasticsearch][main] Health check failed {:code=>403, :url=>https://localhost:9200/, :message=>"Got response code '403' contacting Elasticsearch at URL 'https://localhost:9200/'"}
[2025-03-05T22:48:05,343][WARN ][logstash.outputs.elasticsearch][main] Elasticsearch main endpoint returns 403 {:message=>"Got response code '403' contacting Elasticsearch at URL 'https://localhost:9200/'", :body=>"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"action [cluster:monitor/main] is unauthorized for user [logstash_internal] with effective roles [] (assigned roles [logstash_writer] were not found), this action is granted by the cluster privileges [monitor,manage,all]\"}],\"type\":\"security_exception\",\"reason\":\"action [cluster:monitor/main] is unauthorized for user [logstash_internal] with effective roles [] (assigned roles [logstash_writer] were not found), this action is granted by the cluster privileges [monitor,manage,all]\"},\"status\":403}"}
[2025-03-05T22:48:05,344][ERROR][logstash.javapipeline    ][main] Pipeline error {:pipeline_id=>"main", :exception=>#<LogStash::ConfigurationError: Could not read Elasticsearch. Please check the privileges>, :backtrace=>["/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:277:in `block in healthcheck!'", "org/jruby/RubyHash.java:1615:in `each'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:267:in `healthcheck!'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:401:in `update_urls'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:109:in `update_initial_urls'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:103:in `start'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client.rb:373:in `build_pool'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client.rb:64:in `initialize'", "org/jruby/RubyClass.java:922:in `new'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:106:in `create_http_client'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:102:in `build'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/plugin_mixins/elasticsearch/common.rb:42:in `build_client'", "/home/trex/Downloads/logstash-8.17.1/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.10-java/lib/logstash/outputs/elasticsearch.rb:301:in `register'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:69:in `register'", "/home/trex/Downloads/logstash-8.17.1/logstash-core/lib/logstash/java_pipeline.rb:245:in `block in register_plugins'", "org/jruby/RubyArray.java:1981:in `each'", "/home/trex/Downloads/logstash-8.17.1/logstash-core/lib/logstash/java_pipeline.rb:244:in `register_plugins'", "/home/trex/Downloads/logstash-8.17.1/logstash-core/lib/logstash/java_pipeline.rb:622:in `maybe_setup_out_plugins'", "/home/trex/Downloads/logstash-8.17.1/logstash-core/lib/logstash/java_pipeline.rb:257:in `start_workers'", "/home/trex/Downloads/logstash-8.17.1/logstash-core/lib/logstash/java_pipeline.rb:198:in `run'", "/home/trex/Downloads/logstash-8.17.1/logstash-core/lib/logstash/java_pipeline.rb:150:in `block in start'"], "pipeline.sources"=>["/home/trex/Downloads/logstash-8.17.1/config/testPipe.conf"], :thread=>"#<Thread:0x3dd96a0a /home/trex/Downloads/logstash-8.17.1/logstash-core/lib/logstash/java_pipeline.rb:138 run>"}

Again elasticsearch, kibana and logstash are all installed on the same linux machine.
Thank you

Rios · March 6, 2025, 5:01am

"action [cluster:monitor/main] is unauthorized for user [logstash_internal] with effective roles (assigned roles [logstash_writer] were not found), this action is granted by the cluster privileges [monitor,manage,all]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [logstash_internal] with effective roles (assigned roles [logstash_writer] were not found), this action is granted by the cluster privileges [monitor,manage,all]"},"status":403}"}

No matter if are LS and ES on the same machine, you have to grant permissions the logstash_internal user to the substation_sabotage_* index. The documentation is here.

Topic		Replies	Views
Logstash.outputs.elasticsearch : Failed to install template Logstash	3	14327	November 20, 2018
Logstash config error reason=>"Expected one of #, \", ', } Logstash	8	15723	July 6, 2017
Problem with @timestamp Elasticsearch	7	362	July 16, 2020
Logstash - problems with date Logstash	13	1633	May 23, 2018
Date_time_parse_exception Warning message in Logstash while fetching data from CSV file Logstash	6	419	December 8, 2020

Logstash single server

Related topics