Hi,
I'm trying to improve the security of my Elastic Stack through a least privilege architecture consisting of winlogbeat, filebeat, auditbeat -> logstash -> Elasticsearch & Kibana. My goal is that the different beats are just reporting to Logstash and do not have any connectivity to Elasticsearch and Kibana. Connection to Logstash is working with TLS. Logstash then does some filtering and sends the data to Elasticsearch (secured with API-Key). But I don't want to give every beats instance on every client privileges except for reporting to Logstash.
Because different people are working in that environment with different beat versions, I would also like to avoid having to reinstall and update the pattern every time a new non-major-release beats version is released (e.g. 7.14.1 --> 7.14.2) in order to reduce maintenance. Is that possible or am I missing something here?
I would really like to just add another beats instance without having to check and manually upload the *beat.template.json every time.
Is there a way to alter the *beat.template.json so that it matches the index pattern *beat-7.*?
Any ideas on how to efficiently manage *beat.template.json versions with unknown versions of beats in a network without giving any more privileges to the beats instances?
Thanks in advance!
hafneren
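An added example (not part of hafneren's post or of Elastic's documentation) of the pipeline layout the question describes: Beats reach only the Logstash Beats input over mutually authenticated TLS, Logstash holds the sole Elasticsearch credential, and the target index is derived from each event's own beat metadata, so a newly added 7.x beat lands in an index that a `*beat-7.*` pattern already covers. Hostnames, the port, certificate paths and the API key value are placeholders.

```conf
input {
  beats {
    port => 5044
    ssl  => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"   # placeholder path
    ssl_key         => "/etc/logstash/certs/logstash.key"   # placeholder path
    # Require a client certificate issued by the internal CA, so only
    # enrolled beats can deliver events (mutual TLS, not just server TLS).
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode => "force_peer"
  }
}

filter {
  # Beats tag every event with its own name and version in @metadata;
  # those fields are not indexed, so they can safely drive routing.
  # Events without them are tagged and dropped to avoid an unnamed index.
  if ![@metadata][beat] or ![@metadata][version] {
    mutate { add_tag => ["_missing_beat_metadata"] }
    drop { }
  }
}

output {
  elasticsearch {
    hosts  => ["https://es.internal.example:9200"]   # placeholder host
    ssl    => true
    cacert => "/etc/logstash/certs/ca.crt"
    # The only Elasticsearch credential in the path; beats never hold one.
    api_key => "API_KEY_ID:API_KEY_SECRET"           # placeholder value
    # e.g. winlogbeat-7.14.2 or auditbeat-7.15.0: every 7.x beat, current
    # or future, matches an index pattern of *beat-7.* without any change here.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
    # Logstash does not install or overwrite any index template itself,
    # so the key above can be scoped to writing the *beat-* indices only.
    manage_template => false
  }
}
```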