Hi,
Looking for advice. I have created a new logstash writer user and created the appropriate role with permissions as per: https://www.elastic.co/guide/en/logstash/7.3/ls-security.html
for a managed ILM index. The only way I can get the index to be created and input data is by making the user account a superuser. The minute I remove that permission and put it back to the advised setting I get an error:
[2021-01-27T16:38:51,337][INFO ][logstash.outputs.elasticsearch][main][538023b5e2c66b80a5fc98b4d531b647467d641f8a546da87b0ffbdf8cc8286a] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"action [indices:data/write/bulk[s]] is unauthorized for user [syslog_writer]"})
I have even tried putting 'all' cluster privileges and 'all' indices privileges, but again this made no difference. I have checked the security has been applied to the role correctly using:
GET /_security/role/slg_ls_writer
{
  "slg_ls_writer" : {
    "cluster" : [
      "manage_index_templates",
      "monitor",
      "manage_ilm",
      "read_ilm",
      "manage",
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "slg_ls-*"
        ],
        "privileges" : [
          "write",
          "delete",
          "create_index",
          "create",
          "manage",
          "manage_ilm",
          "read",
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
Any suggestions would be great.