Winlogbeat API Key Permissions

Coinology · September 14, 2020, 6:53pm

I've resolved this. I'm not sure exactly where the issue was, but this is what I did:

Removed setup.ilm.check_exists: false from Winlogbeat.yml
Added setup.ilm.rollover_alias: "winlogbeat" to Winlogbeat.yml
Re-ran .\winlogbeat.exe setup -e
Adjusted my API key publishing role to point to winlogbeat* index rather than winlogbeat-* (needed for "winlogbeat" rollover_alias)
Changed create privilege on monitoring role to create_doc (I don't believe this did anything for this particular issue, but I noticed there was a conflict between this doc and this doc - I changed it to match the latter since it seems more restrictive)

I'm pretty sure I had ILM misconfigured with setup.ilm.check_exists set to false, although I'm not 100%. The docs aren't very clear.

Topic		Replies	Views
Problems getting logs in with winlogbeat Beats winlogbeat	11	1397	May 11, 2022
Filebeat doesn't publish logs without "write" permission on index Beats elastic-stack-security , filebeat	6	818	May 3, 2023
Events get dropped by restricting api key (winlogbeat & kibana) - Help plz Beats winlogbeat	6	547	June 27, 2023
Unable to get winlogbeat to send to logstash Beats winlogbeat	29	5947	May 25, 2017
Winlogbeat authorization error on AWS ELK Beats winlogbeat	15	892	September 17, 2021