Fleet-server is unauthorized on indice


I am pretty green when it comes to Elastic but I recently set up a brand new stack to test ingesting a log file. I installed the Elastic Agent on a Windows machine that outputs logs to a file. I have the integration for Custom Logs set up in the policy for the agent. I created an Ingest Pipeline for these logs and when I go into Discover to see if the logs are being ingested I get the error:

Action [indices:admin/auto_create] is unauthorized for API key id [######] of user [elastic/fleet-server] on indices [logs-log-1-default], this action is granted by the index privileges [auto_configure,create_index,manage,all]"}, dropping event!

for all the lines in the log. Not sure where to go from here.


Hello @stenbot1,

Which Elastic version are you using? Could you pls check if this solution works for you?

I am currently using 8.7.1. I tried the fix suggested in the solution you linked and it solved my issue. Thank You!

1 Like

You're welcome!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.