Api key & error

maxxitutti · August 5, 2020, 1:38pm

Hello .
i am new with elk sollution co forgive me :).
i want to run my first beat on my remote machine ... from the begining i want to deploy api-key for my auditbeat.
according to documentation https://www.elastic.co/guide/en/beats/auditbeat/current/beats-api-keys.html

on my kibana i run (only):

    POST /_security/api_key
{
  "name": "auditbeat_host001", 
  "role_descriptors": {
    "auditbeat_writer": { 
      "cluster": ["monitor", "read_ilm"],
      "index": [
        {
          "names": ["auditbeat-*"],
          "privileges": ["view_index_metadata", "create_doc"]
        }
      ]
    }
  }
}

on my kibana on apikey i see:

auditbeat_host001
elastic
reserved
August 5th 2020 15:15:14
Never

but on beat log i see:
Connection marked as failed because the onConnect callback failed: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ilm/put] is unauthorized for API key id [0__CvnMByUXjOQWk9Wum] of user [elastic]"}],"type":"security_exception","reason":"action [cluster:admin/ilm/put] is unauthorized for API key id [0__CvnMByUXjOQWk9Wum] of user [elastic]"},"status":403}

am i missing something ? second question it is ok that this api key is generated for user elastic ? ;/
thanks for advice ..

TimV · August 10, 2020, 1:17pm

cluster:admin/ilm/put is not a read_ilm action, it is part of manage_ilm.
Your beat is trying to configure ILM and the authorization system is preventing that (correctly) because your API Key is not permitted to update ILM policies.

maxxitutti · August 10, 2020, 3:27pm

Thanks for your reply ... but tell me what exactly that mean ? This error occur when i run setup ( so the Dashboards is deployed into kibana ) - so this is ok ? Secondly on this credentials this beat should working but only for deploying the Dashboards i need to change credentials ?

TimV · August 11, 2020, 2:01am

I moved this to the Beats forum, because it actually about how to configure and run auditbeat.

The problem here is that you copied an example that configures an API key for publishing, but you
are trying to use it for setup.

If you want the API key to be useful for beat setup, then you need to include the required setup privileges in the API key's roles.

maxxitutti · August 11, 2020, 7:38am

ok ... as i understand the setup operation need more privileges (for deploying dashboards ) - it is clear ... but after when i deploy dashboards (used elastic user and password) i change the config file to use api-key ... and i still have

Aug 11 09:36:11 radius auditbeat: 2020-08-11T09:36:11.261+0200#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:155#011Failed to connect to backoff(elasticsearch(https://kibana-host.xxx.xxx:9200)): Connection marked as failed because the onConnect callback failed: failed to check for alias 'auditbeat-7.8.1': (status=403) : 403 Forbidden:

can you tell me how to fix it ? or what post i need to send to fix it ? ..

Robert_Necela · August 19, 2020, 11:11am

Hello Tim,

could you please provide how to create API key for setup? I found how to create API key for publishing here https://www.elastic.co/guide/en/beats/auditbeat/master/beats-api-keys.html .

Thank you

system · September 16, 2020, 11:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Status=403): {"type":"security_exception","reason":"action [indices:data/write/bulk[s] Beats elastic-stack-security , metricbeat	9	6832	August 19, 2020
Configure filebeat to use API keys Beats filebeat	3	2723	January 11, 2022
Incorrect http method for uri Beats	1	275	January 1, 2024
Secure setting is unauthorized Beats elastic-stack-security , metricbeat	4	1313	March 9, 2022
I use auditbeat 8.6.2, can't find no login shell command Beats auditbeat	1	362	March 28, 2023

Api key & error

Related Topics