Hi
I am trying to use index lifecycle management with the default logstash user, but we are getting an error because logstash doesn't have the manage_ilm permission. (Configuring Security in Logstash | Logstash Reference [6.7] | Elastic)
How can I add this permission to the Search Guard role sg_logstash?
I couldn’t find such permission in dropbox.
logstash config:
```
ilm_enabled => true
ilm_rollover_alias => "iis-iislog"
ilm_pattern => "000001"
ilm_policy => "general-policy"
template_name => "iis-iislog"
hosts => ["https://hostname1:9200", "https://hostname2:9200"]
user => "logstash"
password => "logstash"
ssl => true
cacert => "/etc/logstash/ssl/root-ca.pem"
ssl_certificate_verification => true
```
Thanks!
We will add a new built-in role for ILM in the next release.
@cstaley Could you comment on the workaround until we have this released? Thx!
hsaly
May 13, 2019, 7:40pm
5
Try
```yaml
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - "indices:admin/template/*"
    - "indices:admin/ilm/*"
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
  indices:
    'logstash-*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE
```
Hi,
Thanks for the suggestion.
I tried but got a failure message on logstash startup.
```
[2019-05-14T08:04:39,602][FATAL][logstash.runner ] An unexpected error occurred! {:error=>#<LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError: LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/manticore_adapter.rb:80:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:291:in `perform_request_to_url'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:278:in `block in perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:373:in `with_connection'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:277:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:285:in `block in Pool'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client.rb:341:in `exists?'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/http_client.rb:386:in `ilm_policy_exists?'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/ilm.rb:33:in `verify_ilm_readiness'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.3.2-java/lib/logstash/outputs/elasticsearch/common.rb:50:in `block in setup_after_successful_connection'"]}
```
```yaml
# For logstash and beats
sg_logstash:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - "indices:admin/template/*"
    - "indices:admin/ilm/*"
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
  indices:
    '*':
      '*':
        - CRUD
        - CREATE_INDEX
        - MANAGE
```
I tested this with ES/SG V7, but it should also work with V6. Note that if you use any index other than the regular logstash and beats indices, you need to grant the permissions also to these indices. I have inserted a '<your index pattern>' placeholder in the configs:
Logstash ILM role V7 config:
```yaml
sg_logstash_ilm:
  cluster_permissions:
    - SGS_CLUSTER_MONITOR
    - SGS_CLUSTER_COMPOSITE_OPS
    - 'indices:admin/template/*'
    - 'cluster:admin/ingest/pipeline/put'
    - 'cluster:admin/ingest/pipeline/'
    - 'cluster:admin/ilm/*'
  index_permissions:
    - index_patterns:
        - 'logstash-*'
        - '*beat*'
        - '<your index pattern>'
      allowed_actions:
        - SGS_CRUD
        - SGS_MANAGE
        - "indices:admin/ilm/*"
```
V6 style config:
```yaml
sg_logstash_ilm:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - "indices:admin/template/*"
    - "cluster:admin/ingest/pipeline/put"
    - "cluster:admin/ingest/pipeline/"
    - "cluster:admin/ilm/*"
  indices:
    'logstash-*':
      '*':
        - CRUD
        - MANAGE
        - "indices:admin/ilm/*"
    '*beat*':
      '*':
        - CRUD
        - MANAGE
        - "indices:admin/ilm/*"
    '<your index pattern>':
      '*':
        - CRUD
        - MANAGE
        - "indices:admin/ilm/*"
```
So for example, if you use an index alias in your ILM logstash config like:
```
ilm_rollover_alias => "iis-iislog"
```
You need to add this index pattern to the role definition as well.
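As an added example (not part of the thread, and not Search Guard or Logstash code), this Python check compares a role's permission lists against the ILM settings from the question and reports what is still uncovered. The action names `cluster:admin/ilm/get` and `cluster:admin/ilm/put`, the `<alias>-<pattern>` index name and the `*`-only wildcard matching are assumptions; action groups such as `SGS_MANAGE` are not expanded.

```python
from fnmatch import fnmatchcase

# Assumption: action names behind Logstash's ILM policy lookup and creation.
ILM_CLUSTER_ACTIONS = ("cluster:admin/ilm/get", "cluster:admin/ilm/put")


def covered(name, patterns):
    """True if any pattern matches name; '*' wildcards only, which
    approximates Search Guard matching (action groups are not expanded)."""
    return any(fnmatchcase(name, p) for p in patterns)


def ilm_gaps(cluster_perms, index_patterns, rollover_alias, ilm_pattern):
    """List what a role still lacks for the given Logstash ILM settings."""
    gaps = [f"cluster permission: {a}" for a in ILM_CLUSTER_ACTIONS
            if not covered(a, cluster_perms)]
    # Assumption: Logstash writes through the alias and bootstraps the
    # first backing index as <ilm_rollover_alias>-<ilm_pattern>.
    for target in (rollover_alias, f"{rollover_alias}-{ilm_pattern}"):
        if not covered(target, index_patterns):
            gaps.append(f"index pattern: {target}")
    return gaps


def overbroad(index_patterns):
    """Patterns that grant the role's index actions on every index."""
    return [p for p in index_patterns if p.strip("*") == ""]


# Constructed inputs, copied from the role definitions in this thread.
FIRST_TRY_CLUSTER = ["CLUSTER_MONITOR", "CLUSTER_COMPOSITE_OPS",
                     "indices:admin/template/*", "indices:admin/ilm/*",
                     "cluster:admin/ingest/pipeline/put",
                     "cluster:admin/ingest/pipeline/get"]
V7_CLUSTER = ["SGS_CLUSTER_MONITOR", "SGS_CLUSTER_COMPOSITE_OPS",
              "indices:admin/template/*", "cluster:admin/ingest/pipeline/put",
              "cluster:admin/ingest/pipeline/", "cluster:admin/ilm/*"]
DEFAULT_PATTERNS = ["logstash-*", "*beat*"]

if __name__ == "__main__":
    for label, cluster, patterns in [
        ("first try", FIRST_TRY_CLUSTER, DEFAULT_PATTERNS),
        ("V7 role, default patterns", V7_CLUSTER, DEFAULT_PATTERNS),
        ("V7 role + iis-iislog*", V7_CLUSTER, DEFAULT_PATTERNS + ["iis-iislog*"]),
    ]:
        print(label, "->", ilm_gaps(cluster, patterns, "iis-iislog", "000001"))
```

`overbroad()` flags a bare `'*'` index pattern, which closes the index gap but also grants the role's index actions on every index.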