We had a need to let some users of a web application see specific logs for that app. I have created a role, updated /etc/elasticsearch/role_mapping.yml, and I've installed filebeat to fetch this data from the source hosts and send it to logstash, which then sends it to ES. All is fine. This role allows users to see these specific indices' documents (it's a custom index name). It works. The users have read permissions on these custom index names, and they can also read metadata on them. The issue is that whenever I log in with a user under this role I get a warning like the one in the attached image.
I do not know why it's trying to read the auditbeat* indices when in reality they do not have access to these indices as per the role's permissions. But, whenever I select the right index pattern from Kibana I can see the data and search on the intended indices' documents without issues.
To make this a pleasant experience for my users I would like to know how to avoid this issue. I've also prepared a cheat sheet for them on how to use curl(1) to search for data, but I do think some of them may choose the Web GUI to do it, and while it works I would like a good experience for them while doing so.
Thanks.