Hi
I'm in the process of trying to set up AWS log ingestion into Elastic Cloud via a Fleet-managed Elastic Agent (Fleet managed in Elastic Cloud). I followed the instructions on Install Fleet-managed Elastic Agents | Fleet and Elastic Agent Guide [8.2] | Elastic and I am running the agent successfully.
However, upon ingestion of CloudWatch logs, I get the following error:
Cannot index event publisher.Event......
action [indices:admin/auto_create] is unauthorized for API key id [l1OHzYABJubmJXKg8ytJ] of user [elastic/fleet-server] on indices [logs-generic-aws], this action is granted by the index privileges [auto_configure,create_index,manage,all]"}, dropping event!
I've checked the Fleet service account permissions that the API key is tied to, and all seems OK:
{
  "elastic/fleet-server": {
    "role_descriptor": {
      "cluster": [
        "monitor",
        "manage_own_api_key"
      ],
      "indices": [
        {
          "names": [
            "logs-*",
            "metrics-*",
            "traces-*",
            "synthetics-*",
            ".logs-endpoint.diagnostic.collection-*",
            ".logs-endpoint.action.responses-*"
          ],
          "privileges": [
            "write",
            "create_index",
            "auto_configure"
          ],
          "allow_restricted_indices": false
I have also upgraded to 8.2, both on the Fleet side in Elastic Cloud and on the agent, which is now on 8.2, and still have the same problem.
I have also tried both the default namespace and the aws namespace (as above), to no avail.
Any guidance would be helpful, thank you in advance!
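
Added example (not part of the original post and not Elastic's code): an Elasticsearch API key that was created with its own role descriptors gets the intersection of those descriptors and its owner's privileges, so the service-account role quoted above is only half of the check. The sketch below models that intersection with simplified wildcard matching; `KEY_ROLE` and its `logs-aws.cloudwatch_logs-*` pattern are constructed for illustration and are not taken from the poster's cluster.

```python
from fnmatch import fnmatchcase

# Index privileges that grant indices:admin/auto_create, per the error message above.
GRANTS_AUTO_CREATE = {"auto_configure", "create_index", "manage", "all"}

# Owner side: the elastic/fleet-server indices entry quoted in the post.
OWNER_ROLE = {"indices": [{
    "names": ["logs-*", "metrics-*", "traces-*", "synthetics-*",
              ".logs-endpoint.diagnostic.collection-*",
              ".logs-endpoint.action.responses-*"],
    "privileges": ["write", "create_index", "auto_configure"],
}]}

# Key side (constructed, an assumption): a key scoped to a single dataset pattern.
KEY_ROLE = {"indices": [{
    "names": ["logs-aws.cloudwatch_logs-*"],
    "privileges": ["auto_configure", "create_doc"],
}]}


def role_allows(role, index, granting=GRANTS_AUTO_CREATE):
    """True if some indices entry matches `index` and holds a granting privilege."""
    return any(
        any(fnmatchcase(index, pattern) for pattern in entry["names"])
        and bool(granting & set(entry["privileges"]))
        for entry in role.get("indices", [])
    )


def diagnose(owner_role, key_role, index, granting=GRANTS_AUTO_CREATE):
    """Name the side that blocks auto-creating `index`, or return 'allowed'.

    key_role=None models a key created without role descriptors, which
    carries a snapshot of the owner's privileges.
    """
    if not role_allows(owner_role, index, granting):
        return "denied by owner role"
    if key_role is not None and not role_allows(key_role, index, granting):
        return "denied by key role descriptors"
    return "allowed"


def key_allows(owner_role, key_role, index):
    """Effective check: owner AND key descriptor must both allow the action."""
    return diagnose(owner_role, key_role, index) == "allowed"


if __name__ == "__main__":
    for idx in ("logs-generic-aws", "logs-aws.cloudwatch_logs-default"):
        print(idx, "->", diagnose(OWNER_ROLE, KEY_ROLE, idx))
```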