I have been configuring Metricbeat on my ELK configuration using these two documents:
Securing Communication With Elasticsearch
Beats and Security
The Metricbeat user I configured is based on the Packetbeat user example in Beats and Security, in the following way:
POST /_xpack/security/role/metricbeat_writer
{
  "cluster": ["manage_index_templates", "monitor"],
  "indices": [
    {
      "names": [ "metricbeat-*" ],
      "privileges": ["read","write","create_index"]
    }
  ]
}

POST _xpack/security/role/metricbeat_reader
{
  "indices": [
    {
      "names": [ "metricbeat-*" ],
      "privileges": ["read","view_index_metadata"]
    }
  ]
}

POST /_xpack/security/user/metricbeat_internal
{
  "password" : "<password>",
  "roles" : ["metricbeat_writer", "metricbeat_reader"],
  "full_name" : "Internal Metricbeat User"
}
When I execute Metricbeat on my system, I receive the following message repeatedly:
2017-02-21T14:22:38-06:00 WARN Can not index event (status=403): {"type":"security_exception","reason":"action [indices:admin/create] is unauthorized for user [metricbeat_internal]"}
And even after assigning the create privilege, it keeps throwing the same message.
And I guess it is receiving the information properly, because I also receive this:
2017-02-21T14:44:49-06:00 INFO Non-zero metrics in the last 30s: fetches.system-filesystem.success=1 fetches.system-fsstat.events=1 libbeat.es.publish.read_bytes=40005 fetches.system-filesystem.events=13 fetches.system-load.success=1
What should I do?
Thanks in advance
EDIT: I will also add part of what I have configured in metricbeat.yml
#================================ Outputs =====================================
# Configure what outputs to use when sending the data collected by the beat.
# Multiple outputs may be used.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://<my_hostname>"]
  # Optional protocol and basic auth credentials.
  username: "metricbeat_internal"
  password: "<password>"
  ssl.enabled: true
  ssl.verification_mode: none
  ssl.certificate_authorities:
    - <my_path_to_ca.crt>
  template.name: "metricbeat"
  template.path: "<path_to_metricbeat.template.json>"
  template.overwrite: false