Unable to bulk_create index-pattern

alexus · July 15, 2022, 5:03pm

Hello World!

I'm trying to follow these:

Grant privileges and roles needed for setup | Auditbeat Reference [7.17] | Elastic
Grant privileges and roles needed for setup | Filebeat Reference [7.17] | Elastic
Grant privileges and roles needed for setup | Metricbeat Reference [7.17] | Elastic

and yet running into following error (for all of the beats: auditbeat, filebeat and metricbeat)

Unable to bulk_create index-pattern

setup role(s):

GET /_security/role/auditbeat_setup

{
  "auditbeat_setup" : {
    "cluster" : [
      "monitor",
      "manage_ilm"
    ],
    "indices" : [
      {
        "names" : [
          "auditbeat-*"
        ],
        "privileges" : [
          "manage"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      },
      {
        "names" : [
          "auditbeat-*"
        ],
        "privileges" : [
          "write"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

GET /_security/role/filebeat_setup

{
  "filebeat_setup" : {
    "cluster" : [
      "monitor",
      "manage_ilm",
      "manage_ml"
    ],
    "indices" : [
      {
        "names" : [
          "filebeat-*"
        ],
        "privileges" : [
          "manage",
          "write",
          "read"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

GET /_security/role/metricbeat_setup

{
  "metricbeat_setup" : {
    "cluster" : [
      "monitor",
      "manage_ilm"
    ],
    "indices" : [
      {
        "names" : [
          "metricbeat-*"
        ],
        "privileges" : [
          "manage"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

user(s) w/ setup role and several others:

GET /_security/user/auditbeat

{
  "auditbeat" : {
    "username" : "auditbeat",
    "roles" : [
      "auditbeat_setup",
      "kibana_admin",
      "ingest_admin"
    ],
    "full_name" : "X",
    "email" : "X@X.X",
    "metadata" : { },
    "enabled" : true
  }
}

GET /_security/user/filebeat

{
  "filebeat" : {
    "username" : "filebeat",
    "roles" : [
      "filebeat_setup",
      "kibana_admin",
      "ingest_admin",
      "machine_learning_admin"
    ],
    "full_name" : "X",
    "email" : "X@X.X",
    "metadata" : { },
    "enabled" : true
  }
}

GET /_security/user/metricbeat

{
  "metricbeat" : {
    "username" : "metricbeat",
    "roles" : [
      "kibana_admin",
      "ingest_admin",
      "metricbeat_setup"
    ],
    "full_name" : "X",
    "email" : "X@X.X",
    "metadata" : { },
    "enabled" : true
  }
}

the actual error:

auditbeat:

root@647411e7353a:/usr/share/auditbeat# auditbeat setup -e -E setup.kibana.host=https://X.X.X:5601
...
2022-07-15T16:50:36.433Z	ERROR	instance/beat.go:1014	Exiting: 1 error: error loading index pattern: returned 403 to import file: Unable to bulk_create index-pattern: <nil>. Response: {"statusCode":403,"error":"Forbidden","message":"Unable to bulk_create index-pattern"}
Exiting: 1 error: error loading index pattern: returned 403 to import file: Unable to bulk_create index-pattern: <nil>. Response: {"statusCode":403,"error":"Forbidden","message":"Unable to bulk_create index-pattern"}

filebeat:

root@6fd37f1e7d0a:/usr/share/filebeat# filebeat setup -e -E setup.kibana.host=https://X.X.X:5601
...
2022-07-15T17:18:22.539Z	ERROR	instance/beat.go:1014	Exiting: 1 error: error loading index pattern: returned 403 to import file: Unable to bulk_create : <nil>. Response: {"statusCode":403,"error":"Forbidden","message":"Unable to bulk_create "}
Exiting: 1 error: error loading index pattern: returned 403 to import file: Unable to bulk_create : <nil>. Response: {"statusCode":403,"error":"Forbidden","message":"Unable to bulk_create "}

metricbeat:

root@2a22d73960da:/usr/share/metricbeat# metricbeat setup -e -E setup.kibana.host=https://X.X.X:5601
...
2022-07-15T17:17:37.951Z	ERROR	instance/beat.go:1014	Exiting: 1 error: error loading index pattern: returned 403 to import file: Unable to bulk_create index-pattern: <nil>. Response: {"statusCode":403,"error":"Forbidden","message":"Unable to bulk_create index-pattern"}
Exiting: 1 error: error loading index pattern: returned 403 to import file: Unable to bulk_create index-pattern: <nil>. Response: {"statusCode":403,"error":"Forbidden","message":"Unable to bulk_create index-pattern"}

Please advise)
Thank you in advance!

alexus · July 15, 2022, 8:48pm

I also have noticed these message in Kibana logs:

auditbeat:

... auditbeat unauthorized to [checkConflicts] [index-pattern] in [default]: missing [(default)saved_object:7.17.4:index-pattern/bulk_create]
X  | {"type":"response","@timestamp":"2022-07-15T20:45:35+00:00","tags":[],"pid":7,"method":"post","statusCode":403,"req":{"url":"/api/saved_objects/_import?overwrite=true","method":"post","headers":{"host":"X:5601","user-agent":"Elastic-auditbeat/7.17.4 (linux; amd64; ea28c0419dc4ede9318c4b34a732ce11b03482b7; 2022-05-18 16:41:24 +0000 UTC)","content-length":"312355","accept":"application/json","content-type":"multipart/form-data; boundary=65fd638059e32bbcdfba46aeecb482b4fb260b686dfb736ecb814c204b3e","kbn-xsrf":"1","accept-encoding":"gzip"},"remoteAddress":"192.168.160.3","userAgent":"Elastic-auditbeat/7.17.4 (linux; amd64; ea28c0419dc4ede9318c4b34a732ce11b03482b7; 2022-05-18 16:41:24 +0000 UTC)"},"res":{"statusCode":403,"responseTime":146,"contentLength":86},"message":"POST /api/saved_objects/_import?overwrite=true 403 146ms - 86.0B"}

filebeat:

...filebeat unauthorized to [checkConflicts] [index-pattern] in [default]: missing []"}
X  | {"type":"response","@timestamp":"2022-07-15T20:50:36+00:00","tags":[],"pid":7,"method":"post","statusCode":403,"req":{"url":"/api/saved_objects/_import?overwrite=true","method":"post","headers":{"host":"X:5601","user-agent":"Elastic-filebeat/7.17.4 (linux; amd64; ea28c0419dc4ede9318c4b34a732ce11b03482b7; 2022-05-18 16:46:57 +0000 UTC)","content-length":"1260576","accept":"application/json","content-type":"multipart/form-data; boundary=176be3ef0e2d1428001e20a7ce25787e903c3116afe0692951cab626621f","kbn-xsrf":"1","accept-encoding":"gzip"},"remoteAddress":"192.168.160.4","userAgent":"Elastic-filebeat/7.17.4 (linux; amd64; ea28c0419dc4ede9318c4b34a732ce11b03482b7; 2022-05-18 16:46:57 +0000 UTC)"},"res":{"statusCode":403,"responseTime":388,"contentLength":73},"message":"POST /api/saved_objects/_import?overwrite=true 403 388ms - 73.0B"}

metricbeat:

... metricbeat unauthorized to [checkConflicts] [index-pattern] in [default]: missing [(default)saved_object:7.17.4:index-pattern/bulk_create]"}
X  | {"type":"response","@timestamp":"2022-07-15T20:52:09+00:00","tags":[],"pid":7,"method":"post","statusCode":403,"req":{"url":"/api/saved_objects/_import?overwrite=true","method":"post","headers":{"host":"X.X.X:5601","user-agent":"Elastic-metricbeat/7.17.4 (linux; amd64; ea28c0419dc4ede9318c4b34a732ce11b03482b7; 2022-05-18 16:59:13 +0000 UTC)","content-length":"1034480","accept":"application/json","content-type":"multipart/form-data; boundary=55c248cdeff896ea44e38658e971f60fcbc381bb054f40de7a860bec4d86","kbn-xsrf":"1","accept-encoding":"gzip"},"remoteAddress":"192.168.160.5","userAgent":"Elastic-metricbeat/7.17.4 (linux; amd64; ea28c0419dc4ede9318c4b34a732ce11b03482b7; 2022-05-18 16:59:13 +0000 UTC)"},"res":{"statusCode":403,"responseTime":237,"contentLength":86},"message":"POST /api/saved_objects/_import?overwrite=true 403 237ms - 86.0B"}

system · August 12, 2022, 10:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
So seriously, what permissions do beats need? Beats journalbeat , filebeat , metricbeat , auditbeat	9	1470	July 28, 2020
Dashboard setup fails: Unable to bulk_create index-pattern Beats filebeat , metricbeat	5	3749	January 13, 2022
Status=403): {"type":"security_exception","reason":"action [indices:data/write/bulk[s] Beats elastic-stack-security , metricbeat	9	6833	August 19, 2020
Need to define a role for Filebet and metricbeat for writing to elasticsearch Beats elastic-stack-security , filebeat , metricbeat	9	825	June 7, 2021
[Filebeat] Custom Naming of Index Beats docker , filebeat	2	320	August 31, 2021

Unable to bulk_create index-pattern

Related Topics