Custom Logstash user role


I'm trying to deploy multiple Logstash instances to two separate k8s namespaces and they both connect to the same Elasticsearch cluster. The problem is that they both write to different ES indices but use the same user role eck_logstash_user_role.

It seems that the role is now hard-coded and cannot be changed? I know I can modify the eck_logstash_user_role to include both indices (either by exact name or by pattern), but then both Logstash instances would be able to write to both indices.

ES cluster: my-es
Logstash1: writes to sandbox-1
Logstash2: writes to sandbox-2

I configure my ES to add

kind: Elasticsearch
  name: my-es
      - secretName: logstash-user-role-secret
kind: Secret
apiVersion: v1
  name: logstash-user-role-secret
  roles.yml: |-
      cluster: [ "monitor", "manage_ilm", "read_ilm", "manage_logstash_pipelines", "manage_index_templates", "cluster:admin/ingest/pipeline/get" ]
        - names: [ "sandbox-*", "logstash", "logstash-*", "ecs-logstash", "ecs-logstash-*", "logs-*", "metrics-*", "synthetics-*", "traces-*" ]
          privileges: [ "manage", "write", "create_index", "read", "view_index_metadata" ]

This configuraton enables Logstash2 to write to sandbox-2 but it also enables it to write to sandbox-1 and I would like to prevent that from happening.
Bottom line, Logstash1 should only be able to write to sandbox-1 and Logstash2 should only be able to write to sandbox-2.

It seems that Logstash will always use the eck_logstash_user_role no matter what.

Am I missing something or is this feature missing?

Best regards,


you can create separate roles for each Logstash instance and assign them to separate users. This way, each Logstash instance will have its own user and role, and you can control the indices they can write to.



I get that, but is there a way in the Logstash CRD to define which role the logstash instance should use? Or in the Elasticsearch CRD?

Otherwise I guess the only way would be to patch the <logstash-namespace-and-name>-<elastic-namespace-name>-logstash-user secret after it is created by the operator by changing the user role.. or I guess create the secret manually (but then I would have to know the exact name of the secret in advance AND I have to know how to hash the password).


Hmm it seems I cannot patch the secret as it is managed by the operator. Every time I try to change the content of the secret, the operator immediately changes it back. So the user role of the logstash user cannot be changed manually.

I believe this is a missing feature in the operator and Logstash CRD


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.