Logstash writer permissions

Hi,

Looking for advice. I have created a new logstash writer user and created the appropriate role with permissions as per: https://www.elastic.co/guide/en/logstash/7.3/ls-security.html

for a managed ILM index. The only way I can get the index to be created and input data is by making the user account a superuser. The minute I remove that permission and put it back to the advised setting I get an error:
[2021-01-27T16:38:51,337][INFO ][logstash.outputs.elasticsearch][main][538023b5e2c66b80a5fc98b4d531b647467d641f8a546da87b0ffbdf8cc8286a] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"action [indices:data/write/bulk[s]] is unauthorized for user [syslog_writer]"})

I have even tried putting 'all' cluster privileges and 'all' indices privileges, but again this made no difference. I have checked the security has been applied to the role correctly using:

GET /_security/role/slg_ls_writer

{
  "slg_ls_writer" : {
    "cluster" : [
      "manage_index_templates",
      "monitor",
      "manage_ilm",
      "read_ilm",
      "manage",
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "slg_ls-*"
        ],
        "privileges" : [
          "write",
          "delete",
          "create_index",
          "create",
          "manage",
          "manage_ilm",
          "read",
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Any suggestions would be great.
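
Added example (not part of the original post, and not Elastic's code): an offline check of whether a role body like the one above authorizes a bulk write for a given user and target name. The role assignments and target names in `CASES` are constructed, the wildcard matching is simplified to `*` and `?`, and the set of privileges treated as covering `indices:data/write/bulk[s]` is an assumption.

```python
import json
from fnmatch import fnmatchcase

# Role as returned by GET /_security/role/slg_ls_writer in the post (fields this check reads).
ROLES = json.loads("""
{"slg_ls_writer": {
  "cluster": ["manage_index_templates", "monitor", "manage_ilm", "read_ilm", "manage", "all"],
  "indices": [{"names": ["slg_ls-*"],
               "privileges": ["write", "delete", "create_index", "create",
                              "manage", "manage_ilm", "read", "all"]}]}}
""")

# Assumption: index privileges taken to authorize indices:data/write/bulk[s].
BULK_WRITE_PRIVS = {"all", "write", "index", "create", "create_doc", "delete"}

def covering_entries(role_body, target):
    """Index entries of a role whose name patterns match the target (simplified matching)."""
    return [e for e in role_body.get("indices", [])
            if any(fnmatchcase(target, p) for p in e["names"])]

def check_bulk_write(roles, user_roles, target):
    """Return (allowed, reason) for a user holding user_roles writing to target."""
    held = [r for r in user_roles if r in roles]
    if not held:
        return (False, f"user holds none of the defined roles {sorted(roles)}")
    for name in held:
        for entry in covering_entries(roles[name], target):
            granted = BULK_WRITE_PRIVS & set(entry["privileges"])
            if granted:
                return (True, f"role {name} grants {sorted(granted)} on {entry['names']}")
    return (False, f"no index pattern in {held} matches '{target}' with a write privilege")

# Constructed cases: (roles assigned to the writer user, name the output writes to).
CASES = [
    (["slg_ls_writer"], "slg_ls-000001"),    # backing index that matches the pattern
    (["slg_ls_writer"], "slg_ls"),           # hypothetical alias without the "-" suffix
    (["logstash_writer"], "slg_ls-000001"),  # user assigned a different, hypothetical role
]

if __name__ == "__main__":
    for user_roles, target in CASES:
        allowed, reason = check_bulk_write(ROLES, user_roles, target)
        print(f"{user_roles} -> {target}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Against a live cluster, the same question can be put to Elasticsearch with the `_security/user/_has_privileges` API while authenticated as the writer user.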
