API Key Help

I apologize in advance; I'm new to Auditbeat and could use some help.

Basically, I'm trying to get just system logs from machines I'm monitoring. I previously had this working by just putting cloud.id and cloud.auth into the default auditbeat.yml. But now, I'm trying to replace cloud.auth with an api-key. So, I removed the cloud.auth line, and went to this link:

and generated an API key for monitoring. So, I put the API key into auditbeat.yml in the output.elasticsearch section, and in monitoring.elasticsearch. First it gave me an error that said

"Overwriting ILM policy is disabled. Set setup.ilm.overwrite: true for enabling.", "stdout_lines": ["Overwriting ILM policy is disabled. Set setup.ilm.overwrite: true for enabling."

So, I set setup.ilm.overwrite to true, but now it's giving me 403 errors, saying that the user:

is unauthorized for API key id [] of user [123456789]"},"status":403

Any help and advice on what I'm doing wrong would be great.
