Kibana roles / Errors - warning showing after login

We had a need to leave some users of a web application to see specific logs for that app. I have created a role, updated /etc/elasticsearch/role_mapping.yml, I've installed filebeat to fetch this data from the source hosts and send it to logstash which then sends it to ES. All is fine. This role allows users to see these specific indices' documents (it's a custom index name). It works. The users have read permissions on these custom index names, they can also read metadata on them. The issue is that whenever I login with a user under this role I get a warning like the one in the attached image.

I do not know why it's trying to read the auditbeat* indices when in reality they do not have access to these indices as per the role's permissions. But, whenever I select the right index pattern from Kibana I can see the data and search on the intended indices' documents without issues.

To make this a pleasant experience for my users I would like to know how to avoid this issue. I've also prepared a cheat sheet for them on how to use curl(1) to search for data but I do think some of them may chose the Web GUI to do it and while it works I would like a good experience for them while doing so.


Welcome to our community! :smiley:

What's the default index for that space?
It might make sense to move this into it's own space which defaults to your custom index pattern.

Hello @warkolm thank you!

I know how to create a space but I do not know how to set the default index pattern per space, any pointers to the docs?

The first index pattern you create is automatically designated as the default pattern, but you can set any index pattern as the default.
By clicking on the star in the top right you can make any index pattern as the default index pattern.

hope this helps

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.