Elastic Cloud output on shared / non-trusted environments

Imagine the following scenario:

You want to deploy Filebeat using Elastic Cloud on some servers that are managed by a 3rd party company.

Is there any way to do that without using the Elastic Cloud global credentials?
As those credentials are the same for accessing Kibana / Elasticsearch, that 3rd party company could use them to access all the other servers' logs.

Hi @gerard1,

You can define a different user with permissions in some specific indexes for the 3rd party company. You could use these credentials to configure Filebeat in their instances and keep the global credentials only for yourself.

But then, if I'm using one global index (filebeat), they could read the whole index with those credentials, correct? Or is it possible only to write, but not read?

The solution I'm thinking of would be to set up a Logstash in between, but then I guess it will require some adjustments in the Filebeat setup.

It is possible to give write privileges only. You can find here the full list of possible privileges: https://www.elastic.co/guide/en/elasticsearch/reference/7.5/security-privileges.html

In any case it can make sense to use different indexes for different parties.

Yes, this could be another option. You can find more information about that in this guide, and in the documentation about the Beats input in Logstash, and the Logstash output in Filebeat.

But the write permissions also include update and delete, so it is not an option from a security perspective.

Then I will lose some of the features, such as the ISMS.
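
Added example, not written by any poster in this thread: a Python check that audits a role body before its credentials are placed on third-party servers, flagging index privileges that allow reading, overwriting or deleting stored documents and index patterns wider than one party's prefix. The `filebeat-thirdparty-` prefix and both role bodies are constructed; `create_doc` is taken from the privileges reference linked above, and whether the shipper's indexing requests work under it is an assumption to verify on your version.

```python
# Added example: audit an Elasticsearch role body before handing its
# credentials to a third party. All role and index names are constructed.

# What each named index privilege allows against documents already stored,
# following the privileges reference linked in the thread. Names missing
# from this table are reported as "unknown" so the audit fails closed.
EXTRA_ACCESS = {
    "create_doc": set(),            # add new documents, no update or overwrite
    "create_index": set(),          # create an index, no document access
    "create": {"overwrite"},        # index API may replace an existing document
    "index": {"overwrite"},         # index and update documents
    "delete": {"delete"},
    "write": {"overwrite", "delete"},
    "read": {"read"},
    "all": {"read", "overwrite", "delete", "manage"},
}


def audit_role(role, prefix):
    """Return (index pattern, privilege, problem) tuples; empty means append-only."""
    findings = []
    for grant in role.get("indices", []):
        names = grant.get("names", [])
        for name in names:
            # A pattern that does not begin with the party's literal prefix
            # (including "*" and /regex/ patterns) can match other parties' indices.
            if not name.startswith(prefix):
                findings.append((name, "scope", "outside " + prefix))
        for priv in grant.get("privileges", []):
            for problem in sorted(EXTRA_ACCESS.get(priv, {"unknown"})):
                findings.append((",".join(names), priv, problem))
    return findings


# Constructed role bodies in the shape the role API accepts.
SHIPPER_ROLE = {"indices": [{"names": ["filebeat-thirdparty-*"],
                             "privileges": ["create_doc", "create_index"]}]}
SHARED_ROLE = {"indices": [{"names": ["filebeat-*"], "privileges": ["write"]}]}

if __name__ == "__main__":
    for label, role in (("shipper", SHIPPER_ROLE), ("shared", SHARED_ROLE)):
        print(label, audit_role(role, "filebeat-thirdparty-") or "append-only")
```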
