Logstash works but puts a lot of 403 errors in the log

Hello

I have set up els and it seems to work, besides many errors:
"Got response code '403' contacting Elasticsearch at URL 'https://localhost:9200/logstash'", : exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError

logstash_writter role has cluster privileges:
monitor
manage_index_template
manage_ilm

on index logstash:
write, create, create_index, manage_ilm, delete.

Beats output is set up as follows:
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    ssl => true
    user => "logstash_internal"
    password => "*************"
    cacert => '/etc/logstash/ca.pem'
  }
}

Verified index setting:
"index.blocks.read_only_allow_delete": "false"
so it should be writable

I'm running out of ideas what kind of permission could be missing.

You should define the name of the index in your output. I suspect that it is trying to create a new index (not named logstash) that the user logstash_internal does not have the rights to create.
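
The mismatch suspected in the reply can be checked offline before touching the cluster. The sketch below is an added example, not code from the thread or from Elastic: it compares a role's index-name patterns against the index names Logstash might write to and lists the privileges that would be missing. The role dictionaries and the date-suffixed index names are constructed; only the `*` wildcard is handled and privilege names are compared literally (implied privileges such as `all` are not expanded).

```python
import re

# Constructed from the role described in the question: privileges are
# granted on the exact index name "logstash", with no wildcard.
ROLE_AS_POSTED = {
    "indices": [{
        "names": ["logstash"],
        "privileges": ["write", "create", "create_index", "manage_ilm", "delete"],
    }]
}

# Hypothetical corrected role: same privileges, pattern widened so that
# suffixed index names are covered as well.
ROLE_WIDENED = {
    "indices": [{
        "names": ["logstash", "logstash-*"],
        "privileges": ["write", "create", "create_index", "manage_ilm", "delete"],
    }]
}

def pattern_matches(pattern, index):
    """Match an index name against a role pattern ('*' wildcard only)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def granted(role, index):
    """Collect every privilege the role grants on this index name."""
    privileges = set()
    for entry in role["indices"]:
        if any(pattern_matches(p, index) for p in entry["names"]):
            privileges.update(entry["privileges"])
    return privileges

def missing(role, index, needed=("create_index", "write")):
    """Privileges required to create and write the index that the role lacks."""
    have = granted(role, index)
    return [p for p in needed if p not in have]

if __name__ == "__main__":
    # Constructed index names: the one in the 403 URL plus two assumed
    # date-suffixed / rollover-style names.
    candidates = ["logstash", "logstash-2024.05.01", "logstash-2024.05.01-000001"]
    for name, role in (("as posted", ROLE_AS_POSTED), ("widened", ROLE_WIDENED)):
        for index in candidates:
            gap = missing(role, index)
            print(f"{name:10} {index:28} {'OK' if not gap else 'missing ' + ', '.join(gap)}")
```

Against a live cluster, the same question can be asked authoritatively with the `_security/user/_has_privileges` API while authenticated as `logstash_internal`.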
