As the title mentions, auditbeat on the default logging level (INFO based on official documentation) logs an excessive amount of data on syslog when failing to create an index template (ex. Due to insufficient access privileges).
After logging the initial exception error, it proceeds to also log the full index template as part of the exception error log, which usually amounts to several thousand lines of JSON. The log output is repeated continuously while the error is present, resulting in quickly filling up massive amounts of disk space.
Connection marked as failed because the onConnect callback failed: error loading template: could not load template. Elasticsearch returned: couldn't load template: 403 Forbidden: {"error":{"roo
t_cause":[{"type":"security_exception","reason":"action [indices:admin/template/put] is unauthorized for user [beats_writer], this action is granted by the cluster privileges [manage_index_templates,manag
e,all]"}],"type":"security_exception","reason":"action [indices:admin/template/put] is unauthorized for user [beats_writer], this action is granted by the cluster privileges [manage_index_templates,manage
,all]"},"status":403}. Response body: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/template/put] is unauthorized for user [beats_writer], this action is granted by
the cluster privileges [manage_index_templates,manage,all]"}],"type":"security_exception","reason":"action [indices:admin/template/put] is unauthorized for user [beats_writer], this action is granted by t
he cluster privileges [manage_index_templates,manage,all]"},"status":403}. Template is: {
Apr 30 00:00:04 siem packetbeat[18558]: "index_patterns": [
Apr 30 00:00:04 siem packetbeat[18558]: "packetbeat-7.12.1-*"
Apr 30 00:00:04 siem packetbeat[18558]: ],
Apr 30 00:00:04 siem packetbeat[18558]: "mappings": {
Apr 30 00:00:04 siem packetbeat[18558]: "_meta": {
Apr 30 00:00:04 siem packetbeat[18558]: "beat": "packetbeat",
Apr 30 00:00:04 siem packetbeat[18558]: "version": "7.12.1"
Apr 30 00:00:04 siem packetbeat[18558]: },
Apr 30 00:00:04 siem packetbeat[18558]: "date_detection": false,
Apr 30 00:00:04 siem packetbeat[18558]: "dynamic_templates": [
Apr 30 00:00:04 siem packetbeat[18558]: {
Apr 30 00:00:04 siem packetbeat[18558]: "labels": {
Apr 30 00:00:04 siem packetbeat[18558]: "mapping": {
Apr 30 00:00:04 siem packetbeat[18558]: "type": "keyword"
Apr 30 00:00:04 siem packetbeat[18558]: },
Apr 30 00:00:04 siem packetbeat[18558]: "match_mapping_type": "string",
Apr 30 00:00:04 siem packetbeat[18558]: "path_match": "labels.*"
Apr 30 00:00:04 siem packetbeat[18558]: }
Apr 30 00:00:04 siem packetbeat[18558]: },
Apr 30 00:00:04 siem packetbeat[18558]: {
Apr 30 00:00:04 siem packetbeat[18558]: "container.labels": {
Apr 30 00:00:04 siem packetbeat[18558]: "mapping": {
Apr 30 00:00:04 siem packetbeat[18558]: "type": "keyword"
Apr 30 00:00:04 siem packetbeat[18558]: },
Apr 30 00:00:04 siem packetbeat[18558]: "match_mapping_type": "string",
Apr 30 00:00:04 siem packetbeat[18558]: "path_match": "container.labels.*"
Apr 30 00:00:04 siem packetbeat[18558]: }
Apr 30 00:00:04 siem packetbeat[18558]: },
Apr 30 00:00:04 siem packetbeat[18558]: {
Apr 30 00:00:04 siem packetbeat[18558]: "fields": {
Apr 30 00:00:04 siem packetbeat[18558]: "mapping": {
As the title mentions, auditbeat on the default logging level (INFO based on official documentation) logs an excessive amount of data on syslog when failing to create an index template (ex. Due to insufficient access privileges).
After logging the initial exception error, it proceeds to also log the full index template as part of the exception error log, which usually amounts to several thousand lines of JSON. The log output is repeated continuously while the error is present, resulting in quickly filling up massive amounts of disk space.
An example (truncated) error log that fits the above description is as follows :