So contrary to the docs even this lot doesn't work:
POST /_security/api_key
{
"name": "{beat_default_index_prefix}_localhost",
"role_descriptors": {
"{beat_default_index_prefix}_writer": {
"cluster": ["monitor", "read_ilm", "manage_ingest_pipelines"],
"index": [
{
"names": ["{beat_default_index_prefix}-*"],
"privileges": ["view_index_metadata", "create_doc", "manage"]
}
]
}
}
}
And surely "manage" is way too much privilege just to send logs to elasticsearch?
Errors seem to be 403 Forbidden:
error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/aliases/get] is unauthorized for API key id [blah] of user [elastic]"}]
I thought "manage" covered the admin/aliases privilege?
If I use a username: elastic/password: blah, then audit/journal/file/metric -beats all work fine, but I'd rather use API keys and not the superuser password on clients!
Also, where can I store the TLS certificates, as unless I save a copy of them in each beat/kibana/elasticsearch directory, they can't be read (despite the full path having 755 perms). I noticed something about dropped permissions in the docs, but that's not dropped permissions as any user can read them, seems more like a chroot?
Also, also.... As the beats seem to log to journald on systemd linux boxes, you end up with most of your logs just being about beats and not the interesting stuff like syslog, pam, auditd etc. Can you make the beats all log to a file/directory which can be ignored?
Finally, given that most of my beat configs are identical, is there a notion of a #include file or something, the new "meta beat" seems like overkill for my use case, but a single config file (and cert location!) would be useful.