ELK 6.3.2 no permissions for [indices:admin/create]

Hello everyone,
So I’m trying to add multiple outputs with different names into logstash

output {
    if [type] == "JSON" {
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "JSON-%{+YYYY.MM.dd}"
            document_type => "JSON"
            #+++ sa Added by scr-sop-af-config-elksandbox. Do not remove this line.
            user => "logstash"
            #--- sa Added by scr-sop-af-config-elksandbox. Do not remove this line.
            #+++ sa Added by scr-sop-af-config-elksandbox. Do not remove this line.
            password => "logstash"
            #--- sa Added by scr-sop-af-config-elksandbox. Do not remove this line.
        }
    }
    if [type] == "SYS" {
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "SYS-%{+YYYY.MM.dd}"
            document_type => "SYS"
            #+++ sa Added by scr-sop-af-config-elksandbox. Do not remove this line.
            user => "logstash"
            #--- sa Added by scr-sop-af-config-elksandbox. Do not remove this line.
            #+++ sa Added by scr-sop-af-config-elksandbox. Do not remove this line.
            password => "logstash"
            #--- sa Added by scr-sop-af-config-elksandbox. Do not remove this line.
        }
    }
}

But I get this error when I restart all services:

Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,737][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,737][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,744][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,744][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,744][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,744][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,745][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,745][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,745][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 qvisbcld0047 logstash[7167]: [2019-06-03T07:09:39,745][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>30}

I’ve added this to “sg_roles.yml”, but it didn’t work:
indices:

’:
'
’:
- ALL

How can I fix this, please?

sg_config.yml (9.6 KB)
sg_roles.yml (6.2 KB) elasticsearch.yml.example (9.3 KB)
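
One way to triage the 403 retries quoted above, as an added example that is not part of the original post: it groups the denials by user, reported roles and denied action, so the permission the role is missing stands out. The sample lines are constructed in the format shown in the post (host name and the second action are illustrative), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the Logstash lines quoted in the post.
# The second line keeps forum-style curly quotes to show they do not matter.
SAMPLE = """\
Jun 03 07:09:39 host01 logstash[7167]: [2019-06-03T07:09:39,737][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:39 host01 logstash[7167]: [2019-06-03T07:09:39,744][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({“type”=>“security_exception”, “reason”=>“no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]”})
Jun 03 07:09:39 host01 logstash[7167]: [2019-06-03T07:09:39,745][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:admin/create] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:40 host01 logstash[7167]: [2019-06-03T07:09:40,002][INFO ][logstash.outputs.elasticsearch] retrying failed action with response code: 403 ({"type"=>"security_exception", "reason"=>"no permissions for [indices:data/write/bulk] and User [name=logstash, roles=[logstash], requestedTenant=null]"})
Jun 03 07:09:40 host01 logstash[7167]: [2019-06-03T07:09:40,003][INFO ][logstash.outputs.elasticsearch] Retrying individual bulk actions that failed or were rejected by the previous bulk request. {:count=>30}
"""

# Matches the security_exception reason text and pulls out the fields that
# identify which permission is missing and for whom.
DENIED = re.compile(
    r"response code: (?P<code>\d{3}) .*?"
    r"no permissions for \[(?P<action>[^\]]+)\] and User "
    r"\[name=(?P<user>[^,\]]+), roles=\[(?P<roles>[^\]]*)\]"
)


def denied_actions(lines):
    """Count 403 denials per (user, roles, action)."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if m and m["code"] == "403":
            roles = tuple(sorted(r.strip() for r in m["roles"].split(",") if r.strip()))
            counts[(m["user"], roles, m["action"])] += 1
    return counts


def report(counts):
    """One summary line per distinct denial, most frequent first."""
    return [
        f"{n}x user={user} roles={','.join(roles) or '-'} denied {action}"
        for (user, roles, action), n in counts.most_common()
    ]


if __name__ == "__main__":
    print("\n".join(report(denied_actions(SAMPLE.splitlines()))))
```

The `roles=[...]` value is whatever the log line reports for the user; compare it and the denied action against the role definition that is actually loaded in the cluster.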

The actual sg_logstash role should give the logstash user the permission to create any index, so it looks good.

Have you uploaded the changed config via sgadmin to your cluster?

If so, can you please activate debug logging:

Then start logstash again, and after the error occurs, post the content of the elasticsearch log here?

Thanks!

How can I upload the changed config via sgadmin to my cluster?

You use the sgadmin command line tool for this. If you have used the demo installation script to install Search Guard, you will find a preconfigured sgadmin call in the search-guard-6/tools directory called sgadmin_demo.sh.

Otherwise, you can find the documentation here:

And some examples here: