Hey,
I'm encountering an error which indicates that the builtin beats_system user account doesn't have enough permissions in the ES cluster to perform a particular task, though it works when I test with a superuser account. I was expecting the builtin account to have permissions to do what it needs for supported modules in default states.
I've installed FIlebeat 6.4 on CentOS7 and enabled the system module from cli 'sudo filebeat modules enable system'.
I've got x-pack configured and I've configured filebeat to use the beats_system account and output to elasticsearch cluster operating 6.4.
I tested filebeat ingestion into elasticsearch using superuser creds and it worked fine, I also used these to execute filebeat setup as well successfully.
I've setup a keystore and added the variable I'm using for the password.
The settings I've configured in filebeat.yml are:
filebeat.config.modules:
reload.enabled: true
setup.kibana:
host: "kibana.mydomain"
output.elasticsearch:
host: ["es1.mydomain:9200","es2.mydomain:9200"]
protocol: "http"
username"beats_system"
password: "${filebeat_pwd}"
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch:
This is the log error I'm getting:
2018-08-31T17:28:00.967+1000 ERROR pipeline/output.go:91 Failed to connect: Connection marked as failed because the onConnect callback failed: Error loading pipeline for fileset system/auth: couldn't load pipeline: couldn't load json. Error: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [beats_system]"}],"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [beats_system]"},"status":403}. Response body: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [beats_system]"}],"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [beats_system]"},"status":403}