I'm trying to wrap my head around running ECK and using filebeat. I've successfully deployed filebeat and I see it grabbing logs from my GCP pub/sub topic but it keeps dropping them because of the following error:
Private:(*pubsub.Message)(0xc00047e9a0), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:mapstr.M(nil)}} (status=403): {\"type\":\"security_exception\",\"reason\":\"action [indices:admin/auto_create] is unauthorized for user [elastic-filebeat-beat-user] with roles [beats_admin,eck_beat_es_filebeat_role_v77,ingest_admin,kibana_admin,remote_monitoring_agent] on indices [google-auditlog-2022.10.12], this action is granted by the index privileges [auto_configure,create_index,manage,all]\"}, dropping event!","service.name":"filebeat","ecs.version":"1.6.0"}
It's saying filebeat doesn't have the permissions to auto create an index but I don't see anywhere where I can change these permissions or update filebeat to use some other role. Could I get some guidance on how to resolve? Relevant snippet from k8s manifest:
I've followed the 'getting started' guide and have the ECK operator and all the CRDs installed as well. The logs from the operator statefulset don't show any errors or anything either.
I think I'm running into the same issue as you. I want one of my filebeat instances to send data to a different Elasticsearch index. But when I do that, I see the same errors as you.
From what I can read in the ECK documentation, it sounds like ECK is automatically creating a user in Elasticsearch for each beat instance. My guess is that the user generated is probably only given privileges for the default index name, like filebeat-*. I can't find any proof of that though or if it's even possible to change that if that is the case.
I faced the same problem 2 days ago and read your topic while looking for a solution. Now I just solved it and I thought you may still be looking for a way to do this. Here's how it worked for me:
In the YAML file for your filebeat, under output.elasticsearch and setup.kibana, specify the username and the password of an Elasticsearch user that you have to create manually from Kibana; give that user the appropriate privileges over the index you need to create by adding a new role. Please find below my config file and a screenshot for a clear understanding.
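An added example, not part of any post in this thread: it parses the `security_exception` reason from the first post and derives a narrowly scoped role body in the shape Elasticsearch's role API (`PUT _security/role/<name>`) accepts, instead of granting `manage` or `all`. The function names are hypothetical, and pairing `create_doc` with the first narrow privilege the error lists is an assumption about what a Beat writer needs.

```python
import json
import re

# Sample input: the "reason" field of the 403 quoted in the first post.
SAMPLE_REASON = (
    "action [indices:admin/auto_create] is unauthorized for user "
    "[elastic-filebeat-beat-user] with roles [beats_admin,"
    "eck_beat_es_filebeat_role_v77,ingest_admin,kibana_admin,"
    "remote_monitoring_agent] on indices [google-auditlog-2022.10.12], this "
    "action is granted by the index privileges "
    "[auto_configure,create_index,manage,all]"
)

REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" with roles \[(?P<roles>[^\]]*)\] on indices \[(?P<indices>[^\]]+)\],"
    r" this action is granted by the index privileges \[(?P<granted>[^\]]+)\]"
)
TOO_BROAD = {"manage", "all"}  # never selected automatically (least privilege)


def parse_reason(reason):
    """Split a security_exception reason into its bracketed fields."""
    m = REASON_RE.search(reason)
    if m is None:
        raise ValueError("not an index authorization failure")
    d = m.groupdict()
    for key in ("roles", "indices", "granted"):
        d[key] = [v.strip() for v in d[key].split(",") if v.strip()]
    return d


def index_pattern(name):
    """Turn a dated index (foo-2022.10.12) into a pattern (foo-*)."""
    return re.sub(r"\d{4}\.\d{2}\.\d{2}$", "*", name)


def minimal_role(reason):
    """Build a role body covering only the denied index pattern."""
    info = parse_reason(reason)
    narrow = [p for p in info["granted"] if p not in TOO_BROAD]
    # Assumption: create_doc to index events, narrow[0] for index creation.
    privileges = sorted({"create_doc", *narrow[:1]})
    names = sorted({index_pattern(i) for i in info["indices"]})
    return {"indices": [{"names": names, "privileges": privileges}]}


if __name__ == "__main__":
    print(json.dumps(minimal_role(SAMPLE_REASON), indent=2))
```

The resulting body would be assigned to a manually created user whose credentials go under `output.elasticsearch`, as the reply above describes.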