Hello all,
I'm a newbie to ELK and after many searches I have not found a solution.
After an OS upgrade Devuan 3 => Devuan 4 my filebeat doesn't work.
The error in /var/log/filebeat.log is this:
```
2021-10-18T10:00:03.386+0200 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(Elasticsearch(http://192.168.2.252:9200)): Connection marked as failed because the onConnect callback failed: failed to create alias: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer], this action is granted by the index privileges [manage,all]"}],"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer], this action is granted by the index privileges [manage,all]"},"status":403}: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer], this action is granted by the index privileges [manage,all]"}],"type":"security_exception","reason":"action [indices:admin/aliases] is unauthorized for user [filebeat_writer] with roles [filebeat_writer], this action is granted by the index privileges [manage,all]"},"status":403}
```
In Devuan 3 it works properly.
I have created a role filebeat_writer with cluster privileges
```
monitor
read_ilm
cluster:admin/ingest/pipeline/get
cluster:admin/ingest/pipeline/put
cluster:admin/ilm/put
indices filebeat-*
privileges
create_doc
view_index_metadata
create index
```
Afterwards I created a user filebeat_writer with the role filebeat_writer.
My /etc/filebeat/filebeat.yml says:
```yaml
filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log
- type: filestream
  enabled: true
  paths:
    - /var/log/syslog
    - /var/log/nftables.log
    - /var/log/suricata/eve.json
    - /var/log/auth.log
    - /var/log/fail2ban.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "192.168.2.252:5601"
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.2.252:9200"]
  username: "filebeat_writer"
  password: "mypass"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
```
Version of filebeat is everywhere 7.15.1.
kernel version on Devuan 3 is 5.10.0-0.bpo.8-amd64 #1 SMP Debian 5.10.46-4~bpo10+1
kernel version on Devuan 4 is 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1
Can someone please give me an idea of how to fix this malfunction?
Thank you in advance
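
Added example (not part of the original post, and not Filebeat or Elasticsearch code): a small Python parser that pulls the denied action, user, roles and granting privileges out of the `security_exception` reason in the log line above and checks them against the role's privileges as listed in the post. The function names, `SAMPLE_LOG` (a shortened, constructed copy of the posted line) and the `ROLE` dictionary are assumptions made for illustration.

```python
import re

# Shape of the "reason" string in the security_exception from the post's log line.
# The "cluster" alternative is assumed to follow the same wording.
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" with roles \[(?P<roles>[^\]]*)\], this action is granted by the"
    r" (?P<scope>index|cluster) privileges \[(?P<granted_by>[^\]]+)\]"
)

def parse_denials(log_text):
    """Return one dict per distinct authorization denial found in log_text."""
    seen, denials = set(), []
    for m in REASON_RE.finditer(log_text):
        if m.groups() in seen:  # the same reason repeats several times per log line
            continue
        seen.add(m.groups())
        denials.append({
            "action": m["action"],
            "user": m["user"],
            "roles": [r.strip() for r in m["roles"].split(",") if r.strip()],
            "scope": m["scope"],
            "granted_by": [p.strip() for p in m["granted_by"].split(",")],
        })
    return denials

def missing_grant(denial, role):
    """True if the role holds none of the privileges the error names as granting the action."""
    return not set(denial["granted_by"]) & set(role[denial["scope"]])

# Constructed sample: shortened copy of the posted log line, reason text unchanged.
REASON = ("action [indices:admin/aliases] is unauthorized for user [filebeat_writer] "
          "with roles [filebeat_writer], this action is granted by the index "
          "privileges [manage,all]")
SAMPLE_LOG = ('ERROR [publisher_pipeline_output] failed to create alias: '
              '{"error":{"root_cause":[{"type":"security_exception","reason":"' + REASON +
              '"}],"type":"security_exception","reason":"' + REASON + '"},"status":403}')

# Privileges of the filebeat_writer role, copied as listed in the post.
ROLE = {
    "cluster": ["monitor", "read_ilm", "cluster:admin/ingest/pipeline/get",
                "cluster:admin/ingest/pipeline/put", "cluster:admin/ilm/put"],
    "index": ["create_doc", "view_index_metadata", "create index"],
}

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        state = "not held by role" if missing_grant(d, ROLE) else "held by role"
        print(f'{d["user"]}: {d["action"]} needs {d["scope"]} {d["granted_by"]} ({state})')
```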