All,
I'm hoping someone can help. I used to output data from Winlogbeat to Logstash and index from there, everything worked fine. With 7.9 I attempted to use Elasticsearch output and received the below:
WARN [elasticsearch] elasticsearch/client.go:407 Cannot index event publisher. ... (status=403): {"type":"security_exception","reason":"action [indices:admin/auto_create] is unauthorized for API key id [X] of user [X]
My Winlogbeat config is as follows:
setup.ilm.check_exists: false
setup.template.settings:
  index.number_of_shards: 1
output.elasticsearch:
  hosts: ["https://ES1:9200"]
  api_key: "${key}"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
monitoring:
  enabled: true
  cluster_uuid: UjKmT6nUSuxItYO5eHSy3g
  elasticsearch:
    hosts: ["https://ES1:9200"]
    api_key: "${key}"
Note that I am currently using the same API key for both monitoring and publishing, since both go to the same cluster. The API key privileges I used are taken from this doc and are as follows:
{
  "name": "winlogbeat_host00001",
  "role_descriptors": {
    "winlogbeat_monitoring": {
      "cluster": ["monitor"],
      "index": [
        {
          "names": [".monitoring-beats-*"],
          "privileges": ["create_index", "create"]
        }
      ]
    },
    "winlogbeat_writer": {
      "cluster": ["monitor", "read_ilm"],
      "index": [
        {
          "names": ["winlogbeat-*"],
          "privileges": ["view_index_metadata", "create_doc"]
        }
      ]
    }
  }
}
I'm bound to be missing something silly. Does anyone have any ideas? Thank you!
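An added offline check (example code, not from the post or from Elastic) that reads the role descriptors above and reports which target indices the key cannot auto-create, so a least-privilege key can be reviewed before it is issued. It assumes the set of index privileges that carry the indices:admin/auto_create action is as listed in the code; the index names fed to it are constructed.

```python
import json
from fnmatch import fnmatchcase

# Index privileges that include the indices:admin/auto_create action named in
# the 403 above. Assumption: taken from the Elasticsearch index-privilege
# definitions; confirm against the docs for your cluster version.
AUTO_CREATE_PRIVILEGES = {"all", "manage", "create_index", "auto_configure", "write"}

# Sample input: the role descriptors from the API key request in the post.
API_KEY_REQUEST = json.loads("""
{
  "name": "winlogbeat_host00001",
  "role_descriptors": {
    "winlogbeat_monitoring": {
      "cluster": ["monitor"],
      "index": [{"names": [".monitoring-beats-*"],
                 "privileges": ["create_index", "create"]}]
    },
    "winlogbeat_writer": {
      "cluster": ["monitor", "read_ilm"],
      "index": [{"names": ["winlogbeat-*"],
                 "privileges": ["view_index_metadata", "create_doc"]}]
    }
  }
}
""")


def granted_privileges(role_descriptors, index_name):
    """Union of index privileges the descriptors grant on a concrete index name.
    Patterns use * and ? wildcards; fnmatchcase covers those."""
    granted = set()
    for role in role_descriptors.values():
        for entry in role.get("index", []):
            if any(fnmatchcase(index_name, pat) for pat in entry["names"]):
                granted.update(entry["privileges"])
    return granted


def can_auto_create(role_descriptors, index_name):
    """True if the key may auto-create index_name on its first bulk write."""
    return bool(granted_privileges(role_descriptors, index_name) & AUTO_CREATE_PRIVILEGES)


def indices_lacking_auto_create(role_descriptors, index_names):
    """Names the key can write documents to only if the index already exists."""
    return [n for n in index_names if not can_auto_create(role_descriptors, n)]
```

Run it against constructed names such as "winlogbeat-7.9.0-2020.08.24-000001" and ".monitoring-beats-7-2020.08.24": the monitoring pattern passes because it carries create_index, while the winlogbeat-* pattern is reported as lacking auto-create, which matches the action the 403 names.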