Does Filebeat have to use 'beats_system' or 'elastic' to connect to ElasticSearch?

houmie · November 15, 2020, 11:42am

Sorry, which one is the best practice? Because when we run elasticsearch-setup-passwords auto it generates passwords for beats_system and elastic for us.

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"
  password: "${ES_PASSWORD}"

Or

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "beats_system"
  password: "${BEATS_SYSTEM_PASSWD}"

If the former is correct, then in which circumstances do we use beats_system?

Many Thanks,
Houman

aaron-nimocks · November 15, 2020, 3:14pm

beats_system doesn't have the correct privileges. It's for monitoring and not ingesting data.

elastic has too many privileges you wouldn't want someone getting access to so not using it if not needed is the best practice.

I'd recommend creating a custom user/role that has the exact but minimum privileges enabled. Also you could generate an API key vs having to use keystore for the password.

Topic		Replies	Views
Beats_system role Beats elastic-stack-security , metricbeat	7	3277	December 1, 2020
Secure user for Beats (lowest privileges as possible) Elasticsearch elastic-stack-security	1	650	April 30, 2020
X-Pack Security: no pw for beats_system? Elasticsearch elastic-stack-security	5	453	June 25, 2019
Security error with beats_system account and Filebeat with system module Beats filebeat	4	6902	October 1, 2018
Beats to Elasticsearch or Beats to Logstash? Which is best practice Beats filebeat	3	514	April 10, 2018

Does Filebeat have to use 'beats_system' or 'elastic' to connect to ElasticSearch?

Related topics