code:403 when sending documents logstash to elasticsearch

Francis Matera

Feb 2, 2018, 12:14:55 PM
to Search Guard Community Forum
I am receiving the following error when trying to ingest documents from Logstash into Elasticsearch:

[2018-02-02T11:54:35,329][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:data/write/index, indices:data/write/bulk[s]] and User [name=logstash, roles=[logstash], requestedTenant=null]"})

Logstash output:

output {
  elasticsearch {
    user => logstash
    password => logstash
    ssl => true
    ssl_certificate_verification => true
    cacert => "/etc/elasticsearch/root-ca.pem"
    hosts => ["https://localhost:9200"]
    index => "cdrs4"
  }
}


I used the demo installer. Would I need to change sg_roles.yml? I have not changed anything in this file. I am assuming I would have to add permission for indices:data/write/index and indices:data/write/bulk; I am just not sure of the syntax and how to add it.

Thank you, Frank


Francis Matera

Feb 2, 2018, 12:16:08 PM
to Search Guard Community Forum
I am on version 6.0.1 of Logstash and Elasticsearch.

Jochen Kressin

Feb 3, 2018, 12:26:04 PM
to search...@googlegroups.com
There are several ways to achieve that. The easiest is to add the required permissions for your index "cdrs4" to the logstash user. If you use the config GUI, create a new index "cdrs4" for the logstash role, and add the action groups CRUD and, if the index does not exist yet, CREATE_INDEX.

If you use sgadmin, add the permissions to the logstash role in sg_roles.yml:

# For logstash and beats
sg_logstash:
  readonly: true
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX
    'cdrs4':
      '*':
        - CRUD
        - CREATE_INDEX

 

After that, upload the changed config with sgadmin.
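Added example (not part of the thread, and not Search Guard code): a small Python check that parses the 403 line from the question and tests the denied actions against a role's index patterns, showing why "cdrs4" is rejected by the demo role and accepted once the role names that index explicitly. The action group expansions, the use of fnmatch for wildcard matching, and the function and variable names are assumptions for illustration.

```python
import re
from fnmatch import fnmatchcase

# Log line copied from the question above.
LOG = ('[2018-02-02T11:54:35,329][INFO ][logstash.outputs.elasticsearch] retrying '
       'failed action with response code: 403 ({"type"=>"security_exception", '
       '"reason"=>"no permissions for [indices:data/write/index, '
       'indices:data/write/bulk[s]] and User [name=logstash, roles=[logstash], '
       'requestedTenant=null]"})')

# Assumption: simplified expansion of the action groups; the authoritative
# definitions live in sg_action_groups.yml of your installation.
ACTION_GROUPS = {
    "CRUD": ["indices:data/read*", "indices:data/write*"],
    "CREATE_INDEX": ["indices:admin/create", "indices:admin/mapping/put"],
}

# Index patterns of sg_logstash, flattened (the '*' document-type level is dropped).
DEMO_ROLE = {"logstash-*": ["CRUD", "CREATE_INDEX"], "*beat*": ["CRUD", "CREATE_INDEX"]}
FIXED_ROLE = dict(DEMO_ROLE, cdrs4=["CRUD", "CREATE_INDEX"])  # as in the reply

def parse_denial(line):
    """Extract denied actions, user and roles from a security_exception line."""
    m = re.search(r"no permissions for \[(.*)\] and User "
                  r"\[name=([^,]+), roles=\[([^\]]*)\]", line)
    if not m:
        raise ValueError("not a Search Guard permission denial")
    return {
        "actions": [a.strip() for a in m.group(1).split(",")],
        "user": m.group(2),
        "roles": [r.strip() for r in m.group(3).split(",") if r.strip()],
    }

def allowed(role, index, action):
    """True if an index pattern of the role matches and grants the action."""
    for pattern, groups in role.items():
        if not fnmatchcase(index, pattern):
            continue
        for group in groups:
            if any(fnmatchcase(action, p) for p in ACTION_GROUPS.get(group, [group])):
                return True
    return False

def missing(role, index, line):
    """Denied actions from the log line that the role still does not grant."""
    return [a for a in parse_denial(line)["actions"] if not allowed(role, index, a)]

if __name__ == "__main__":
    print("demo role :", missing(DEMO_ROLE, "cdrs4", LOG))
    print("fixed role:", missing(FIXED_ROLE, "cdrs4", LOG))
```

Granting the permissions on the exact index name 'cdrs4', as the reply does, keeps the logstash role narrower than widening an existing pattern to '*'.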