Minimum Privilege Required for Beats

Hi,

Given that I need to set the API key or username/password pair in the beats config (and they might get exposed), I need to set the privilege to the absolute minimum for the relevant account.

I've gone over the roles here https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html but I'm still not clear on the required roles (it obviously needs to add events to the DB, create an index, etc.)

The configuration we have is pretty standard and we are running version 7.9

So what are the minimum roles required for beats agents to work (Windows and Linux)?

Thanks

Hosam.

Hi @hpicass0, I suggest having a look here https://www.elastic.co/guide/en/beats/filebeat/current/feature-roles.html. With the 4 roles you can set up the required dependencies, send monitoring data and write indices in es; the 4th one is to manage the info in Kibana.
You could start with the first 3.

Thanks @MarianaD, your input was definitely helpful. The current documentation doesn't list all required privileges. I've done the following to get it to work:

1) Roles:
monitoring_user
beats_admin
kibana_admin
ingest_admin
remote_monitoring_agent
remote_monitoring_collector
Custom_Role

2) Custom_Role Cluster Privileges:
read_ilm
monitor
manage_ingest_pipelines
manage_pipeline
manage_index_templates

3) Custom_Role Index Privileges:
view_index_metadata
manage
write

Any input to make the privilege more strict is very welcome.

H.
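
An added example, not part of the original thread: instead of reading error logs, the Beats account can be checked directly with Elasticsearch's `POST /_security/user/_has_privileges` API, called with that account's credentials. The sketch below builds the probe from the Custom_Role lists above and reports missing and excess privileges; the index pattern `filebeat-*`, the unwanted-privilege lists, the out-of-pattern index name, the user name and the sample response are assumptions constructed for illustration.

```python
import json

# Privileges copied from the Custom_Role lists in the post above.
REQUIRED_CLUSTER = ["read_ilm", "monitor", "manage_ingest_pipelines",
                    "manage_pipeline", "manage_index_templates"]
REQUIRED_INDEX = ["view_index_metadata", "manage", "write"]

# Assumptions (not from the thread): the index pattern the Beat writes to,
# and the privileges the Beats account should NOT hold.
BEATS_PATTERN = "filebeat-*"
UNWANTED_CLUSTER = ["all", "manage_security"]
OTHER_INDEX = "not-a-beats-index"      # constructed name outside the pattern
UNWANTED_INDEX = ["read", "write", "delete_index"]


def build_probe():
    """Body for POST /_security/user/_has_privileges, sent as the Beats account."""
    return {
        "cluster": REQUIRED_CLUSTER + UNWANTED_CLUSTER,
        "index": [
            {"names": [BEATS_PATTERN], "privileges": REQUIRED_INDEX},
            {"names": [OTHER_INDEX], "privileges": UNWANTED_INDEX},
        ],
    }


def audit(response):
    """Return (missing, excess) privilege labels from a _has_privileges response."""
    cluster = response.get("cluster", {})
    index = response.get("index", {})
    missing = [p for p in REQUIRED_CLUSTER if not cluster.get(p, False)]
    missing += [f"{BEATS_PATTERN}:{p}" for p in REQUIRED_INDEX
                if not index.get(BEATS_PATTERN, {}).get(p, False)]
    excess = [p for p in UNWANTED_CLUSTER if cluster.get(p, False)]
    excess += [f"{OTHER_INDEX}:{p}" for p in UNWANTED_INDEX
               if index.get(OTHER_INDEX, {}).get(p, False)]
    return missing, excess


# Constructed response: one required privilege missing, one unwanted one present.
SAMPLE_RESPONSE = {
    "username": "beats_writer", "has_all_requested": False,
    "cluster": {"read_ilm": True, "monitor": True, "manage_ingest_pipelines": True,
                "manage_pipeline": True, "manage_index_templates": False,
                "all": False, "manage_security": False},
    "index": {"filebeat-*": {"view_index_metadata": True, "manage": True, "write": True},
              "not-a-beats-index": {"read": False, "write": True, "delete_index": False}},
}

if __name__ == "__main__":
    print(json.dumps(build_probe(), indent=2))
    print(audit(SAMPLE_RESPONSE))
```

An empty `excess` list only covers the privileges probed; extend the unwanted lists to match whatever the account must never be able to do in your cluster.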

Hi @hpicass0 , how did you manage to guess all these privileges? I'm having exactly the same problem you have. Thanks for sharing :slight_smile:

Regards,
Carlos

Hey @cruizba

I started with the filebeat link shared by @MarianaD. Then I did trial and error while going over the error logs until I got it right. :wink:

H.

I think I will do the same :slight_smile:

The privileges you've written work?

Regards,
Carlos

Yes they do @cruizba.
