Fortigate Integration - Separation of logs datastream based on a field value

It is probably a permission issue.

The way that Elastic Agent handles permissions is pretty limited: you cannot use the reroute processor, because the API Key generated for the integration only has permissions to write into the data streams and namespace in the configuration.

You can check this similar post where there is a lengthy discussion about it.

In short, by default the reroute processor will not work: you cannot change the namespace of a datastream, as the API Key generated for the policy does not include it. You can check the agent logs, and you will probably have a lot of errors about not being able to index data.

The workaround for this case would be to add an integration in the same policy that has permissions to write into logs-*-*. This would make the API Key used by the policy have those same permissions, and it would allow you to use the reroute processor. For example, you could add a Custom Filestream logs integration that does not collect anything, just to have the permissions.

There was a change planned for 9.1 to allow the user to specify extra permissions in the UI, but I'm not sure if it is already active, as I'm on 8.18 still.

Is this change here: [Fleet] Add UI to add additional datastreams permissions by nchaulet · Pull Request #210935 · elastic/kibana · GitHub

1 Like
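An added example, not part of the forum reply above, of what the split and the permission check look like in practice. It builds a `@custom` ingest pipeline body with one `reroute` processor per value of a field, mirrors the routing decision in Python so the resulting target data stream name can be checked offline, and shows why a policy API Key restricted to the integration's own data stream cannot index the rerouted documents. The dataset name `fortinet_fortigate.log`, the field `fortinet.firewall.type`, the pipeline name `logs-fortinet_fortigate.log@custom` and the type-to-dataset mapping are assumptions for illustration; the sample documents are constructed.

```python
"""Reroute Fortigate events into separate data streams by a field value.

Assumptions (not taken from the forum thread): the integration writes to the
dataset fortinet_fortigate.log, the event type lives in fortinet.firewall.type,
and the customisation hook is the logs-fortinet_fortigate.log@custom pipeline.
"""
import fnmatch
import json

DEFAULT_DATASET = "fortinet_fortigate.log"          # assumed integration dataset
TYPE_FIELD = ("fortinet", "firewall", "type")        # assumed field holding the type
CUSTOM_PIPELINE = f"logs-{DEFAULT_DATASET}@custom"   # assumed @custom pipeline name

# Constructed mapping: field value -> target dataset.
ROUTING = {
    "traffic": "fortinet_fortigate.traffic",
    "utm": "fortinet_fortigate.utm",
    "event": "fortinet_fortigate.event",
}


def build_custom_pipeline(namespace="default"):
    """Return the @custom pipeline body: one reroute processor per type value.

    The first matching reroute processor wins; Elasticsearch stops running the
    pipeline for that document and sends it to the new target data stream.
    """
    processors = []
    for type_value, dataset in ROUTING.items():
        processors.append({
            "reroute": {
                "tag": f"route-{type_value}",
                # Painless with null-safe access so documents without the field
                # simply do not match and stay in the default dataset.
                "if": f"ctx.fortinet?.firewall?.type == '{type_value}'",
                "dataset": dataset,
                "namespace": namespace,
            }
        })
    return {
        "description": "Split Fortigate logs by fortinet.firewall.type (example)",
        "processors": processors,
    }


def _get_path(doc, path):
    """Walk a dotted field path through nested dicts; None if any step is missing."""
    cur = doc
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def target_data_stream(doc, namespace="default"):
    """Mirror the routing decision of build_custom_pipeline() for one document.

    Unmatched documents keep the integration's default dataset, so the
    expected write target is always logs-<dataset>-<namespace>.
    """
    type_value = _get_path(doc, TYPE_FIELD)
    dataset = ROUTING.get(type_value, DEFAULT_DATASET)
    return f"logs-{dataset}-{namespace}"


def api_key_allows(index_patterns, data_stream):
    """True if any index pattern granted to the policy API Key covers the target.

    A policy that only contains the Fortigate integration gets a key scoped to
    logs-fortinet_fortigate.log-<namespace>; the rerouted targets fall outside
    it, which is the "not able to index data" failure described in the thread.
    """
    return any(fnmatch.fnmatchcase(data_stream, pat) for pat in index_patterns)


if __name__ == "__main__":
    # Print the body you would PUT to _ingest/pipeline/<CUSTOM_PIPELINE>.
    print(f"PUT _ingest/pipeline/{CUSTOM_PIPELINE}")
    print(json.dumps(build_custom_pipeline(), indent=2))
    sample = {"fortinet": {"firewall": {"type": "utm"}}}  # constructed document
    target = target_data_stream(sample)
    print("target:", target)
    print("key scoped to integration only:",
          api_key_allows(["logs-fortinet_fortigate.log-default"], target))
    print("key with logs-*-* from an extra integration:",
          api_key_allows(["logs-*-*"], target))
```

The two calls to `api_key_allows` at the end reproduce the situation the reply describes: with only the Fortigate integration in the policy the key covers `logs-fortinet_fortigate.log-default` and the rerouted `logs-fortinet_fortigate.utm-default` write is rejected; once another integration in the same policy grants `logs-*-*`, the same reroute succeeds. The `build_custom_pipeline()` output is the kind of body you would store under the integration's `@custom` pipeline so it runs after the integration's own processors.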