ECK - quickstart - heartbeat example disrupts filebeat example

Hello all,

I have a question that is more about me trying to understand ECK than it is an issue. In trying to run elastic+kibana+filebeat+heartbeat, I find that I cannot run both beats together.

I'm testing out a self-hosted ECK stack on Azure AKS. In following the tutorial, I created a namespace future-test in which I run the following templates:

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 8.3.2
  nodeSets:
  - name: default
    count: 1
    config:
      node.store.allow_mmap: false
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 8.3.2
  count: 1
  elasticsearchRef:
    name: quickstart
---
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: quickstart
spec:
  type: filebeat
  version: 8.3.2
  elasticsearchRef:
    name: quickstart
  config:
    filebeat.inputs:
    - type: container
      paths:
      - /var/log/containers/*.log
  daemonSet:
    podTemplate:
      spec:
        dnsPolicy: ClusterFirstWithHostNet
        hostNetwork: true
        securityContext:
          runAsUser: 0
        containers:
        - name: filebeat
          volumeMounts:
          - name: varlogcontainers
            mountPath: /var/log/containers
          - name: varlogpods
            mountPath: /var/log/pods
          - name: varlibdockercontainers
            mountPath: /var/lib/docker/containers
        volumes:
        - name: varlogcontainers
          hostPath:
            path: /var/log/containers
        - name: varlogpods
          hostPath:
            path: /var/log/pods
        - name: varlibdockercontainers
          hostPath:
            path: /var/lib/docker/containers

So far so good. I can port forward into Kibana and see the filebeat time series created and being updated. Pods are behaving well. Now, I want to integrate heartbeat as well:

apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: quickstart
spec:
  type: heartbeat
  version: 8.3.2
  elasticsearchRef:
    name: quickstart
  config:
    heartbeat.monitors:
    - type: tcp
      schedule: '@every 5s'
      hosts: ["quickstart-es-http.future-test.svc:9200"]
  deployment:
    podTemplate:
      spec:
        dnsPolicy: ClusterFirstWithHostNet
        securityContext:
          runAsUser: 0

Note I modified the default in the host example to my own namespace. After a couple of seconds, I can see the filebeat data stop coming in in Kibana, and heartbeat data appear. In the filebeat pod I see these errors appear:
{\"type\":\"security_exception\",\"reason\":\"action [indices:data/write/bulk[s]] is unauthorized for user [future-test-quickstart-beat-user] with roles [beats_admin,eck_beat_es_heartbeat_role_v77,ingest_admin,kibana_admin,remote_monitoring_agent] on indices [filebeat-8.3.2,.ds-filebeat-8.3.2-2022.07.19-000001], this action is granted by the index privileges [create_doc,create,delete,index,write,all]\"}, dropping event!","service.name":"filebeat","ecs.version":"1.6.0"}

Is the deployment of heartbeat messing with the elasticsearch users, such that filebeat cannot auth anymore? Am I misusing the templates (use the same name erroneously)? Any help or example would be greatly appreciated, thanks!
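
A check for the log line above, as an added example that is not part of the original post: it parses the security_exception reason and compares the Beat type named in the ECK-generated role with the Beat type of the indices the write was denied on. The `eck_beat_es_<type>_role_v<N>` pattern is inferred from the one role name in the log and is an assumption, as are the function and variable names.

```python
import re

# Reason text copied from the security_exception in the post's filebeat log.
REASON = (
    "action [indices:data/write/bulk[s]] is unauthorized for user "
    "[future-test-quickstart-beat-user] with roles "
    "[beats_admin,eck_beat_es_heartbeat_role_v77,ingest_admin,kibana_admin,"
    "remote_monitoring_agent] on indices "
    "[filebeat-8.3.2,.ds-filebeat-8.3.2-2022.07.19-000001], this action is "
    "granted by the index privileges [create_doc,create,delete,index,write,all]"
)

# Fields of the "is unauthorized for user" denial message shown in the log.
DENIED = re.compile(
    r"is unauthorized for user \[(?P<user>[^\]]+)\] "
    r"with roles \[(?P<roles>[^\]]*)\] on indices \[(?P<indices>[^\]]*)\]"
)
# Assumption: ECK names its per-Beat role eck_beat_es_<type>_role_v<N>,
# inferred from the single role name visible in the log.
ECK_ROLE = re.compile(r"^eck_beat_es_(?P<beat>[a-z]+)_role_v\d+$")
# The indices in the log (and their .ds- backing indices) start with the Beat type.
BEAT_INDEX = re.compile(r"^(?:\.ds-)?(?P<beat>[a-z]+beat)-")


def diagnose(message):
    """Return the denied user plus the Beat types its roles and indices imply."""
    m = DENIED.search(message)
    if m is None:
        return None  # not an authorization denial
    roles = [r.strip() for r in m["roles"].split(",") if r.strip()]
    indices = [i.strip() for i in m["indices"].split(",") if i.strip()]
    role_beats = {x["beat"] for x in map(ECK_ROLE.match, roles) if x}
    index_beats = {x["beat"] for x in map(BEAT_INDEX.match, indices) if x}
    return {
        "user": m["user"],
        "role_beats": role_beats,
        "index_beats": index_beats,
        # Beat types being written to without a matching ECK role
        "uncovered": index_beats - role_beats,
    }


if __name__ == "__main__":
    print(diagnose(REASON))
```

For the post's log line, `role_beats` is `{'heartbeat'}` and `uncovered` is `{'filebeat'}`. The denied user's name contains the namespace and the `quickstart` name that both Beat manifests share.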
