Error after OS upgrade

Hello all,
I'm a newbie to ELK and after many searches I have not found a solution.
After an OS upgrade Devuan 3 => Devuan 4 my filebeat doesn't work.
The error in /var/log/filebeat.log is this:

```
2021-10-18T10:00:03.386+0200 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(Elasticsearch(http://192.168.2.252:9200)): Connection marked as failed because the onConnect callback failed: failed to create alias: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer], this action is granted by the index privileges [manage,all]"}],"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer], this action is granted by the index privileges [manage,all]"},"status":403}: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer], this action is granted by the index privileges [manage,all]"}],"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer], this action is granted by the index privileges [manage,all]"},"status":403}
```

In Devuan 3 it works properly.
I have created a role filebeat_writer with cluster privileges:

```
monitor
read_ilm
cluster:admin/ingest/pipeline/get
cluster:admin/ingest/pipeline/put
cluster:admin/ilm/put

indices filebeat-*

privileges
create_doc
view_index_metadata
create index
```

After that I created a user filebeat_writer with roles:
filebeat_writer

My /etc/filebeat/filebeat.yml says:

```yaml
filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log
- type: filestream
  enabled: true
  paths:
    - /var/log/syslog
    - /var/log/nftables.log
    - /var/log/suricata/eve.json
    - /var/log/auth.log
    - /var/log/fail2ban.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "192.168.2.252:5601"

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.2.252:9200"]
  username: "filebeat_writer"
  password: "mypass"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
```

Version of filebeat is everywhere 7.15.1.
kernel version on Devuan 3 is 5.10.0-0.bpo.8-amd64 #1 SMP Debian 5.10.46-4~bpo10+1
kernel version on Devuan 4 is 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1

Can someone please give me an idea of how to fix this malfunction?
Thank you in advance

I'll answer my own question:
adding manage, all to the filebeat role in the index privileges section works.
Thanks anyway.

Hi,

You need to review the roles of the user "filebeat_writer".

Log info

Error: Connect callback failed: failed to create alias: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer]

Suggestion: this action is granted by the index privileges [manage,all]
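
Added example (not part of the thread or of Filebeat itself): a small Python parser that pulls the denied action, user, roles and granting privileges out of a Filebeat error line like the one above. The names `explain_denial`, `REASON_RE` and `SAMPLE_LINE` are hypothetical, the sample line is constructed from the error quoted in the thread, and preferring a listed privilege other than `all` is an assumption made here to keep the role narrow.

```python
import json
import re

# Constructed sample, rebuilt from the error in the thread (the JSON body appears twice).
REASON = ("action [indices:admin/aliases] is unauthorized for user [filebeat_writer] "
          "with roles [filebeat_writer], this action is granted by the index privileges [manage,all]")
BODY = json.dumps({"error": {"root_cause": [{"type": "security_exception", "reason": REASON}],
                             "type": "security_exception", "reason": REASON},
                   "status": 403}, separators=(",", ":"))
SAMPLE_LINE = ("2021-10-18T10:00:03.386+0200 ERROR [publisher_pipeline_output] "
               "pipeline/output.go:154 Failed to connect to backoff(Elasticsearch("
               "http://192.168.2.252:9200)): Connection marked as failed because the onConnect "
               "callback failed: failed to create alias: " + BODY + ": 403 Forbidden: " + BODY)

REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" with roles \[(?P<roles>[^\]]*)\], this action is granted by the"
    r" (?P<scope>\w+) privileges \[(?P<granted_by>[^\]]+)\]"
)

def explain_denial(line):
    """Return details of a security_exception found in a Filebeat log line, or None."""
    start = line.find('{"error"')
    if start == -1:
        return None
    try:
        # raw_decode stops at the end of the first JSON object and ignores the repeat.
        body, _ = json.JSONDecoder().raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    error = body.get("error")
    if not isinstance(error, dict) or error.get("type") != "security_exception":
        return None
    m = REASON_RE.search(error.get("reason", ""))
    if m is None:
        return None
    granted_by = [p.strip() for p in m["granted_by"].split(",")]
    # Assumption: one listed privilege is enough, so suggest one that is not "all".
    narrow = [p for p in granted_by if p != "all"] or granted_by
    return {"status": body.get("status"), "action": m["action"], "user": m["user"],
            "roles": [r.strip() for r in m["roles"].split(",") if r.strip()],
            "scope": m["scope"], "granted_by": granted_by, "suggested": narrow[0]}

if __name__ == "__main__":
    print(explain_denial(SAMPLE_LINE))
```
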

Welcome to our community! :smiley:

In future it's super helpful if you format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

@joao
Thanks, I got there with difficulty yesterday afternoon :slight_smile:

@warkolm
Thanks, I'll try to figure out how to do it. Unfortunately I'm a command line man, and if I don't use vim I'm lost :smiley:

Yep I understand that!
If your filebeat.yml was code formatted though, we could more easily read it and pick out indentation issues. That's more what I was getting at.
