Hi,
While upgrading our environment (self-hosted) from 7.8 to 7.12, I'm trying to set up Metricbeat to monitor my Elasticsearch cluster as described in the deprecation log shown on startup and in the Stack Monitoring in Kibana.
After firing up Metricbeat it complains as follows:
{"level":"error","timestamp":"2021-04-28T11:58:53.806Z","logger":"publisher_pipeline_output","caller":"pipeline/output.go:180","message":"failed to publish events: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [remote_monitoring_user], this action is granted by the cluster privileges [manage,all]"}],"type":"security_exception","reason":"action [cluster:admin/xpack/monitoring/bulk] is unauthorized for user [remote_monitoring_user], this action is granted by the cluster privileges [manage,all]"},"status":403}"}
I'm using the built-in user "remote_monitoring_user" with the built-in (unmodified) roles.
Therefore, I'm kind of puzzled why this message is coming up.
Shouldn't these permissions already be set properly by Elastic?
Before I start messing around with roles I wanted to make sure that this is in fact needed (or a bug?) and needs to be adjusted manually.
Cheers
The roles/user as they came out of the box: