Metricbeat: failed to publish events -> security_exception

Hi,

While upgrading our environment (self-hosted) from 7.8 to 7.12 I'm trying to setup Metricbeat to monitor my Elasticsearch cluster as described in the deprecation log shown on startup and in the Stack Monitoring in Kibana.

After firing up Metricbeat it complains as follows:

{"level":"error","timestamp":"2021-04-28T11:58:53.806Z","logger":"publisher_pipeline_output","caller":"pipeline/output.go:180","message":"failed to publish events: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [remote_monitoring_user], this action is granted by the cluster privileges [manage,all]"}],"type":"security_exception","reason":"action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [remote_monitoring_user], this action is granted by the cluster privileges [manage,all]"},"status":403}"}

I'm using the built-in user "remote_monitoring_user" with the built-in (unmodified) roles.
Therefore, I'm kind of puzzled why this message is coming up.
Shouldn't these permissions be already be set properly by Elastic?
Before I start messing around with roles I wanted to make sure that this is in fact needed (or a bug?) and needs to be adjusted manually.

Cheers

The roles/user as they came out of the box:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.