Hello everybody.
I had this issue before using Metricbeat. I created an user called metricbeat_internal to write and read all the stuff related to that Beat and to make it visible on Kibana. So, I assigned two roles to it (a reader and a writer). They have the following privileges:
writer_role:
- monitor and manage_index_templates (cluster)
- write, delete, create_index, create (index)
reader_role: - read and view_index_metadata (index)
But, after creating the user and restarting the stack, I received the following error on Metricbeat logs:
2017-02-21T14:22:38-06:00 WARN Can not index event (status=403): {"type":"security_exception","reason":"action [indices:admin/create] is unauthorized for user [metricbeat_internal]"}
I fixed it by assigning superuser roles for a while and it solved the problem, even though it isn't a proper solution at all.
Now, I'm trying the Netflow codec on Logstash, where I have a similar user with the same roles as described before, and got the same issue:
[2017-03-10T09:15:33,085][WARN ][logstash.outputs.elasticsearch] Failed action. {:status=>403, :action=>["index", {:_id=>nil, :_index=>"netflow-2017.03.10", :_type=>"netflow", :_routing=>nil}, 2017-03-10T15:15:06.000Z 130.164.225.20 %{message}], :response=>{"index"=>{"_index"=>"netflow-2017.03.10", "_type"=>"netflow", "_id"=>nil, "status"=>403, "error"=>{"type"=>"security_exception", "reason"=>"action [indices:admin/create] is unauthorized for user [logstash_internal]"}}}}
How can this be solved?
Thanks