Does Filebeat have to use 'beats_system' or 'elastic' to connect to ElasticSearch?

houmie · November 15, 2020, 11:42am

Sorry, which one is the best practice? Because when we run elasticsearch-setup-passwords auto it generates passwords for beats_system and elastic for us.

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"
  password: "${ES_PASSWORD}"

Or

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "beats_system"
  password: "${BEATS_SYSTEM_PASSWD}"

If the former is correct, then in which circumstances do we use beats_system?

Many Thanks,
Houman

aaron-nimocks · November 15, 2020, 3:14pm

beats_system doesn't have the correct privileges. It's for monitoring and not ingesting data.

elastic has too many privileges you wouldn't want someone getting access to so not using it if not needed is the best practice.

I'd recommend creating a custom user/role that has the exact but minimum privileges enabled. Also you could generate an API key vs having to use keystore for the password.

system · December 13, 2020, 5:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.