I have followed the instructions here: Grant privileges and roles needed for publishing | Filebeat Reference [7.17] | Elastic
I have setup.ilm.check_exists: false set in /etc/filebeat/filebeat.yml.
See screenshot of my role below. I have a user filebeat_writer with only the same role filebeat_writer.
But I am getting this error.
Feb 2 12:06:50 proxy02 filebeat[1311272]: 2022-02-02T12:06:50.478-0800#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:154#011Failed to connect to backoff(elasticsearch(http://elasticsearch.asdf.co:9200)): Connection marked as failed because the onConnect callback failed: error loading template: failure while checking if template exists: 403 Forbidden:
I want to use least privilege but also must receive the data! What privileges must I set so that this can function? Is the documentation not correct?
Edit: I followed these instructions, which recommend cluster: monitor, manage and index: monitor, create_index, create_doc, view_index_metadata, manage_ilm, and I get data. However, I am unsure about using these settings because 1) Elastic's recommendation is different (as shown in the instructions above) and 2) I want to be certain of using a least privilege model.