Kibana Fleet Error message Old fleet indices cleanup failed: security_exception

Currently we observe an issue in the Kibana event log that seems to be permission related. We run Elastic Stack 8.10.2. Any ideas what could have gone wrong or where we need to correct this? Or might this even be a bug?

{"tags":["monitoring_alert_cpu_usage","1a404b10-fa9e-11eb-ac95-6109d2c7328d","rule-run-failed"],"error":{},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-09-26T02:08:11.129+02:00","message":"Executing Rule default:monitoring_alert_cpu_usage:1a404b10-fa9e-11eb-ac95-6109d2c7328d has resulted in Error: Saved object [action/19a71850-fa9e-11eb-ac95-6109d2c7328d] not found - ","log":{"level":"ERROR","logger":"plugins.alerting.monitoring_alert_cpu_usage"},"process":{"pid":128177},"span":{"id":"46f642361c33c719"},"trace":{"id":"a27640271bd9168ad021cc0b091f19d7"}}

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-09-26T02:08:25.587+02:00","message":"Beginning fleet setup","log":{"level":"INFO","logger":"plugins.fleet"},"process":{"pid":128177},"trace":{"id":"12e569d8604dcae927a44e9f849d7035"},"transaction":{"id":"1fd746eb05da0325"}}

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-09-26T02:08:25.590+02:00","message":"Old fleet indices cleanup failed: security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [indices:admin/delete] is unauthorized for user [kibana_system] with effective roles [kibana_system] on indices [.fleet-file-data-agent-000001,.fleet-file-data-endpoint-000001], this action is granted by the index privileges [delete_index,manage,all]","log":{"level":"WARN","logger":"plugins.fleet"},"process":{"pid":128177},"trace":{"id":"12e569d8604dcae927a44e9f849d7035"},"transaction":{"id":"1fd746eb05da0325"}}

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-09-26T02:08:25.811+02:00","message":"Fleet setup completed","log":{"level":"INFO","logger":"plugins.fleet"},"process":{"pid":128177},"trace":{"id":"12e569d8604dcae927a44e9f849d7035"},"transaction":{"id":"1fd746eb05da0325"}}

{"tags":["monitoring_alert_disk_usage","1a407221-fa9e-11eb-ac95-6109d2c7328d","rule-run-failed"],"error":{},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-09-26T02:08:26.166+02:00","message":"Executing Rule default:monitoring_alert_disk_usage:1a407221-fa9e-11eb-ac95-6109d2c7328d has resulted in Error: Saved object [action/19a71850-fa9e-11eb-ac95-6109d2c7328d] not found - ","log":{"level":"ERROR","logger":"plugins.alerting.monitoring_alert_disk_usage"},"process":{"pid":128177},"span":{"id":"415059ee4179c27e"},"trace":{"id":"a27640271bd9168ad021cc0b091f19d7"}}

To format it better:

{"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.6.1"},"@timestamp":"2023-09-26T02:08:25.590+02:00","message":"Old fleet indices cleanup failed: security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [indices:admin/delete] is unauthorized for user [kibana_system] with effective roles [kibana_system] on indices [.fleet-file-data-agent-000001,.fleet-file-data-endpoint-000001], this action is granted by the index privileges [delete_index,manage,all]","log":{"level":"WARN","logger":"plugins.fleet"},"process":{"pid":128177},"trace":{"id":"12e569d8604dcae927a44e9f849d7035"},"transaction":{"id":"1fd746eb05da0325"}}

Hi matled,

According to my information from an Elastic employee, this is a bug that is about to be fixed in 8.10.3. This should be the corresponding pull request: added .fleet-file-data* to kibana_system privileges by juliaElastic · Pull Request #100019 · elastic/elasticsearch · GitHub
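One way to triage entries like the one discussed in this thread, as an added example that is not part of the original posts or of Elastic's code: the script below extracts the denied action, user, effective roles, indices and granting privileges from Kibana JSON log lines. The function names are hypothetical, the sample lines are constructed by shortening the log lines posted above, and treating each clause after the user name as optional is an assumption.

```python
import json
import re
from collections import defaultdict

# Authorization-failure text as it appears inside the Kibana "message" field.
# Assumption: every clause after the user name may be absent, so each is optional.
DENIED = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r"(?: with effective roles \[(?P<roles>[^\]]*)\])?"
    r"(?: on indices \[(?P<indices>[^\]]*)\])?"
    r"(?:, this action is granted by the \w+ privileges \[(?P<granted_by>[^\]]*)\])?"
)
LIST_FIELDS = ("roles", "indices", "granted_by")

def parse_denials(lines):
    """Yield one dict per authorization failure found in Kibana JSON log lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON log line
        if not isinstance(event, dict):
            continue
        match = DENIED.search(str(event.get("message", "")))
        if not match:
            continue
        hit = match.groupdict()
        for field in LIST_FIELDS:  # "a,b" -> ["a", "b"]; absent clause -> []
            hit[field] = [v.strip() for v in (hit[field] or "").split(",") if v.strip()]
        hit["timestamp"] = event.get("@timestamp")
        hit["logger"] = (event.get("log") or {}).get("logger")
        yield hit

def summarize(denials):
    """Map (user, action) to the sorted set of indices the user was denied on."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["user"], d["action"])].update(d["indices"])
    return {key: sorted(val) for key, val in grouped.items()}

# Constructed sample: shortened copies of the log lines in the thread, plus a non-JSON line.
SAMPLE_LINES = [
    r'{"@timestamp":"2023-09-26T02:08:25.587+02:00","message":"Beginning fleet setup","log":{"level":"INFO","logger":"plugins.fleet"}}',
    r'{"@timestamp":"2023-09-26T02:08:25.590+02:00","message":"Old fleet indices cleanup failed: security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [indices:admin/delete] is unauthorized for user [kibana_system] with effective roles [kibana_system] on indices [.fleet-file-data-agent-000001,.fleet-file-data-endpoint-000001], this action is granted by the index privileges [delete_index,manage,all]","log":{"level":"WARN","logger":"plugins.fleet"}}',
    "not a json line",
]

if __name__ == "__main__":
    for (user, action), indices in summarize(parse_denials(SAMPLE_LINES)).items():
        print(f"{user} denied {action} on {', '.join(indices)}")
```

Grouping by user and action makes it easy to compare the denied indices against the index patterns a role is actually granted.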
