Firewall logs to different Datastream by type

Yup, policy with ONLY fortigate fails

[indices:admin/auto_create] is unauthorized for API key id [qh3IQJYBq5b1-O15jq2H] of user [elastic/fleet-server] on indices [logs-fortinet_fortigate.log_custom-newnamespace],

When I add the Azure Logs... works

Interesting workaround....

Seems like the permissions could be

logs-fortigate.*-* or go ahead and expand to logs-fortigate.<event_type>-*

Thanks for the chat

Yeah, the Agent permissions are pretty limited at the moment, but this will change on version 9.1 it seems.

This PR adds some UI to configure extra permissions: [Fleet] Add UI to add additional datastreams permissions by nchaulet · Pull Request #210935 · elastic/kibana · GitHub

But in this specific case, and also in the case of other network devices like Palo Alto, the definitive solution is to change the integration and add different data streams for different datasets.
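A small check I find useful before rolling out a custom dataset, added here as an example and not code from Fleet or the FortiGate integration: it decomposes the data stream name from the error above and tests it against the index patterns the agent's API key is assumed to hold (the default `logs-fortinet_fortigate.log-*` versus a broadened dataset wildcard are my assumptions, not values from the thread), so you can see which write would be rejected before Fleet does.

```python
import re
from typing import Iterable

# Constructed sample: the data stream from the auto_create error in this thread.
FAILED_INDEX = "logs-fortinet_fortigate.log_custom-newnamespace"

# Assumed grants (not from the thread): what an integration policy typically grants,
# and a broadened pattern covering every dataset of the integration.
DEFAULT_GRANT = ["logs-fortinet_fortigate.log-*"]
BROAD_GRANT = ["logs-fortinet_fortigate.*-*"]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an index privilege pattern ('*' is the only wildcard) into an anchored regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def split_data_stream(name: str) -> tuple[str, str, str]:
    """Split <type>-<dataset>-<namespace>; dataset and namespace may not contain '-'."""
    parts = name.split("-", 2)
    if len(parts) != 3 or not all(parts) or "-" in parts[2]:
        raise ValueError(f"not a valid data stream name: {name!r}")
    return parts[0], parts[1], parts[2]


def covering_patterns(granted: Iterable[str], index: str) -> list[str]:
    """Return every granted pattern that matches `index`; empty means the write is unauthorized."""
    return [p for p in granted if pattern_to_regex(p).match(index)]


def audit(granted: Iterable[str], expected_streams: Iterable[str]) -> dict[str, list[str]]:
    """Map each data stream the agent will write to onto the grants covering it."""
    granted = list(granted)
    return {s: covering_patterns(granted, s) for s in expected_streams}


if __name__ == "__main__":
    print(split_data_stream(FAILED_INDEX))
    for label, grant in (("default", DEFAULT_GRANT), ("broad", BROAD_GRANT)):
        for stream, hits in audit(grant, [FAILED_INDEX]).items():
            status = "ok" if hits else "UNAUTHORIZED (auto_create would fail)"
            print(f"{label:8} {stream}: {status} {hits}")
```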


Thanks to both of you for your comments, the truth is that I got lost, I only understood as far as I was told that it was not possible.
