Api key & error

Hello .
i am new with elk sollution co forgive me :).
i want to run my first beat on my remote machine ... from the begining i want to deploy api-key for my auditbeat.
according to documentation https://www.elastic.co/guide/en/beats/auditbeat/current/beats-api-keys.html

on my kibana i run (only):

    POST /_security/api_key
{
  "name": "auditbeat_host001", 
  "role_descriptors": {
    "auditbeat_writer": { 
      "cluster": ["monitor", "read_ilm"],
      "index": [
        {
          "names": ["auditbeat-*"],
          "privileges": ["view_index_metadata", "create_doc"]
        }
      ]
    }
  }
}

on my kibana on apikey i see:

auditbeat_host001
elastic
reserved
August 5th 2020 15:15:14
Never

but on beat log i see:
Connection marked as failed because the onConnect callback failed: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ilm/put] is unauthorized for API key id [0__CvnMByUXjOQWk9Wum] of user [elastic]"}],"type":"security_exception","reason":"action [cluster:admin/ilm/put] is unauthorized for API key id [0__CvnMByUXjOQWk9Wum] of user [elastic]"},"status":403}

am i missing something ? second question it is ok that this api key is generated for user elastic ? ;/
thanks for advice ..

cluster:admin/ilm/put is not a read_ilm action, it is part of manage_ilm.
Your beat is trying to configure ILM and the authorization system is preventing that (correctly) because your API Key is not permitted to update ILM policies.

Thanks for your reply ... but tell me what exactly that mean ? This error occur when i run setup ( so the Dashboards is deployed into kibana ) - so this is ok ? Secondly on this credentials this beat should working but only for deploying the Dashboards i need to change credentials ?

I moved this to the Beats forum, because it actually about how to configure and run auditbeat.

The problem here is that you copied an example that configures an API key for publishing, but you
are trying to use it for setup.

If you want the API key to be useful for beat setup, then you need to include the required setup privileges in the API key's roles.

1 Like

ok ... as i understand the setup operation need more privileges (for deploying dashboards ) - it is clear ... but after when i deploy dashboards (used elastic user and password) i change the config file to use api-key ... and i still have

Aug 11 09:36:11 radius auditbeat: 2020-08-11T09:36:11.261+0200#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:155#011Failed to connect to backoff(elasticsearch(https://kibana-host.xxx.xxx:9200)): Connection marked as failed because the onConnect callback failed: failed to check for alias 'auditbeat-7.8.1': (status=403) : 403 Forbidden:

can you tell me how to fix it ? or what post i need to send to fix it ? .. :frowning:

Hello Tim,

could you please provide how to create API key for setup? I found how to create API key for publishing here https://www.elastic.co/guide/en/beats/auditbeat/master/beats-api-keys.html .

Thank you

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.