Hello,
I'm facing some issues related to the changes made regarding access for users (and Logstash) to the system index .kibana, and am seeking the best way to get around it.
Basically, I have built a dashboard that focuses on security cases, updates, comments, status changes etc. The goal of the dashboard is to provide an overview of the case progression and backlog, but also to provide statistics per case type and per user (who updates, closes, comments etc.) for a supervisor and his team.
As far as I know, this data is stored in the .kibana index:
type: ("cases" or "cases-comments" or "cases-user-actions")
I have the kibana_admin and superuser profiles, but the users don't, so (as far as I understand) they can't access the underlying data and hence can't use the dashboard.
The first thing I tried was to reindex the relevant data into a new index and change the dashboard's components to point to the new index; all works fine.
The issue I'm now facing is how I can get the data automatically pushed to the new 'user-oriented' index so they can track their activity.
I thought maybe Logstash could read the .kibana index and do the shifting to the new index, but apparently that's not possible. I was thinking of creating a watcher that would index any new data into the destination index, but that seems quite a long path for such a simple action.
I want to keep clear of any curl/cron as far as possible, so if anyone could help me by pointing out what I'm missing, or any simple way to get around this issue, it would be highly appreciated.
Regards
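As an added example that is not part of the original post: a Watcher watch that does the copy the poster describes, polling the three case saved-object types in .kibana and indexing them into a separate index that the dashboard users can be granted read access to, so the system index itself stays restricted. It assumes the destination index name `security-cases-activity`, the top-level saved-object field `updated_at`, and that the watch is stored by a user who is still allowed to read .kibana; the 6m lookback on a 5m schedule overlaps deliberately, and reusing the source document `_id` is assumed to make repeated copies overwrite rather than duplicate.

```json
PUT _watcher/watch/copy_cases_to_user_index
{
  "trigger": { "schedule": { "interval": "5m" } },
  "input": {
    "search": {
      "request": {
        "indices": [".kibana"],
        "body": {
          "size": 1000,
          "query": {
            "bool": {
              "filter": [
                { "terms": { "type": ["cases", "cases-comments", "cases-user-actions"] } },
                { "range": { "updated_at": { "gte": "now-6m" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": { "compare": { "ctx.payload.hits.total": { "gt": 0 } } },
  "transform": {
    "script": {
      "source": "return ['_doc': ctx.payload.hits.hits.stream().map(hit -> { def d = hit._source; d._id = hit._id; return d }).collect(Collectors.toList())]"
    }
  },
  "actions": {
    "copy_to_user_index": {
      "index": { "index": "security-cases-activity" }
    }
  }
}
```

The dashboard users then only need a role with `read` on `security-cases-activity`; nothing in this watch grants them anything on .kibana.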