Filebeat -> elastic: onConnect callback failed: error loading template

I have followed the instructions here: Grant privileges and roles needed for publishing | Filebeat Reference [7.17] | Elastic

I have setup.ilm.check_exists: false set in /etc/filebeat/filebeat.yml

See screenshot of my role below. I have a user filebeat_writer with only the same role filebeat_writer But I am getting this error.

Feb  2 12:06:50 proxy02 filebeat[1311272]: 2022-02-02T12:06:50.478-0800#011ERROR#011[publisher_pipeline_output]#011pipeline/output.go:154#011Failed to connect to backoff(elasticsearch(http://elasticsearch.asdf.co:9200)): Connection marked as failed because the onConnect callback failed: error loading template: failure while checking if template exists: 403 Forbidden:

I want to use least privilege but also must receieve the data! What privileges must I set so that this can function? Is the documentation not correct?

edit: I followed these instructions which recommend cluster: monitor, manage and Index: monitor, create_index, create_doc, view_index_metadata, manage_ilm and I get data. However I am unsure about using these settings because 1) elastic recommendation is different (as shown in instructions above) and 2) I want to be certain of using least privilege model.

image930×631 77.1 KB

Can anyone comment (esp Elastic Team) as to whether the privileges noted in Elastic documentation is known to work. And if there is certainty the documentation is correct, then why would this be failing?

In 7.16/7.17 Filebeat uses GET _index_template API to check if the template exists. Your user needs the manage_index_templates or manage cluster privilege.

Ref: Get index template API | Elasticsearch Guide [7.17] | Elastic

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.