I am unable to index metric data using Metricbeat 7.5.0 with ESS 7.5.0 using the role and user described at https://www.elastic.co/guide/en/beats/metricbeat/7.5/feature-roles.html#privileges-to-publish-events
I see this warning in the output of ./metricbeat -e:
2019-12-10T20:17:01.825-0500 WARN elasticsearch/client.go:511 Cannot index event
publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbf742ec32eb73a80,
ext:30061604355, loc:(*time.Location)(0x9c51a60)}, Meta:common.MapStr(nil),
Fields:common.MapStr{"agent":common.MapStr{"ephemeral_id":"fd8174fa-6126-40ec-b703-
7c8a8d07d023", "hostname":"Dans-MacBook-Pro.local", "id":"7bfb73c3-781b-4e56-a73c-
aab361fa3490", "type":"metricbeat", "version":"7.5.0"}, "ecs":common.MapStr{"version":"1.1.0"},
"event":common.MapStr{"dataset":"system.load", "duration":15637, "module":"system"},
"host":common.MapStr{"architecture":"x86_64", "hostname":"Dans-MacBook-Pro.local",
"id":"C04BF4A3-78E4-527B-B5C2-98DB3437A426", "name":"Dans-MacBook-Pro.local",
"os":common.MapStr{"build":"18G1012", "family":"darwin", "kernel":"18.7.0", "name":"Mac OS X",
"platform":"darwin", "version":"10.14.6"}}, "metricset":common.MapStr{"name":"load",
"period":10000}, "service":common.MapStr{"type":"system"},
"system":common.MapStr{"load":common.MapStr{"1":1.7905, "15":1.793, "5":1.8657, "cores":8,
"norm":common.MapStr{"1":0.2238, "15":0.2241, "5":0.2332}}}}, Private:interface {}(nil),
TimeSeries:true}, Flags:0x0} (status=403): {"type":"security_exception","reason":"action
[indices:admin/create] is unauthorized for user [beat_writer]"}
Because the warning specifies that [indices:admin/create] is unauthorized for user [beat_writer]", I added the index priv create_index and then I was able to successfully index the data. The docs specifically say that this priv is not needed when setup.ilm.check_exists: false is used in metricbeat.yml, and I have that set.
I am running ES and Kibana in ESS, and running metricbeat on Mac OSX.
Here is my role:
{
"beat_writer" : {
"cluster" : [
"monitor",
"cluster:admin/ingest/pipeline/get"
],
"indices" : [
{
"names" : [
"filebeat-*",
"metricbeat-*"
],
"privileges" : [
"create_doc"
],
"field_security" : {
"grant" : [
"*"
],
"except" : [ ]
},
"allow_restricted_indices" : false
}
],
"applications" : [ ],
"run_as" : [ ],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
}
and here is my user:
{
"beat_writer" : {
"username" : "beat_writer",
"roles" : [
"beat_writer"
],
"full_name" : "",
"email" : "",
"metadata" : { },
"enabled" : true
}
}
One more thing: I did not need create_index for Filebeat 7.5.0
cc: @dedemorton
I am unable to index metric data using Metricbeat 7.5.0 with ESS 7.5.0 using the role and user described at https://www.elastic.co/guide/en/beats/metricbeat/7.5/feature-roles.html#privileges-to-publish-events
I see this warning in the output of ./metricbeat -e:
Because the warning specifies that
[indices:admin/create] is unauthorized for user [beat_writer]", I added the index privcreate_indexand then I was able to successfully index the data. The docs specifically say that this priv is not needed whensetup.ilm.check_exists: falseis used in metricbeat.yml, and I have that set.I am running ES and Kibana in ESS, and running metricbeat on Mac OSX.
Here is my role:
and here is my user:
One more thing: I did not need
create_indexfor Filebeat 7.5.0cc: @dedemorton