Hello Search Guard team,
I configured Logstash to read logs from RabbitMQ and send them to Elasticsearch.
- Search Guard and Elasticsearch version and Logstash version
24.1, 6.6.0 and 5.5
- Installed and used enterprise modules, if any
No
- JVM version and operating system version
1.8
- Search Guard configuration files
In the attached files; I also configured more in the Kibana UI.
sg_logstash config
```json
{
  "cluster": [
    "CLUSTER_MONITOR",
    "CLUSTER_COMPOSITE_OPS",
    "indices:admin/template/get",
    "indices:admin/template/put",
    "cluster:admin/ingest/pipeline/get",
    "cluster:admin/ingest/pipeline/put",
    "indices:admin/create"
  ],
  "indices": {
    "logstash-*": {
      "*": [
        "CRUD",
        "CREATE_INDEX"
      ]
    },
    "a[0-9]{6}-events-*": {
      "*": [
        "CRUD",
        "CREATE_INDEX",
        "indices:admin/create"
      ]
    },
    "beat": {
      "*": [
        "CRUD",
        "CREATE_INDEX"
      ]
    }
  },
  "tenants": {}
}
```
- Logstash configuration
```
elasticsearch {
  hosts => ["host1:9200", "host2.81:9200"]
  flush_size => 4000
  index => "a%{application_id}-events-%{+YYYY.MM.dd}"
  document_type => "%{type}"
  document_id => "%{fingerprint}"
  ssl => true
  cacert => "/tmp/intermediate-ca.pem"
  user => "logstash"
  password => "logstash"
}
```
- Elasticsearch log messages on debug level
[2019-03-21T03:46:07,555][INFO ][c.f.s.p.PrivilegesEvaluator] [host1-ingest-node-0]No index-level perm match for User [name=logstash, roles=[logstash], requestedTenant=null] Resolved [aliases=, indices=[a200067-events-2019.03.18], allIndices=[a200067-events-2019.03.18], types=[*], isAll()=false, isEmpty()=false] [Action [indices:admin/create]] [RolesChecked [sg_logstash, sg_own_index]]
[2019-03-21T03:46:07,555][INFO ][c.f.s.p.PrivilegesEvaluator] [host1-ingest-node-0]No permissions for [indices:admin/create]
- Other installed Elasticsearch or Kibana plugins, if any
No
sg_action_groups.yml (2.27 KB)
sg_config.yml (9.4 KB)
sg_internal_users.yml (1.05 KB)
sg_roles_mapping.yml (548 Bytes)
sg_roles.yml (6.96 KB)
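An added example, my own code and not Search Guard's or the original poster's, that parses the two PrivilegesEvaluator lines quoted above and checks the role's three index patterns against the index name the evaluator resolved. It assumes, from the Search Guard documentation as I read it, that an index pattern in a role is a wildcard (only `*` and `?` are special, everything else is literal) unless it is wrapped in `/.../`, in which case it is a regular expression; that assumption is marked in the code and should be checked against the exact Search Guard version in use. The `/.../` variant of the pattern is included only to show how the two forms behave differently, not as a confirmed fix. The log lines are copied from the post and embedded as sample input so the script runs offline.

```python
import re

# Sample input: the two PrivilegesEvaluator lines quoted in the post above.
LOG_LINES = [
    "[2019-03-21T03:46:07,555][INFO ][c.f.s.p.PrivilegesEvaluator] [host1-ingest-node-0]"
    "No index-level perm match for User [name=logstash, roles=[logstash], requestedTenant=null] "
    "Resolved [aliases=, indices=[a200067-events-2019.03.18], allIndices=[a200067-events-2019.03.18], "
    "types=[*], isAll()=false, isEmpty()=false] [Action [indices:admin/create]] "
    "[RolesChecked [sg_logstash, sg_own_index]]",
    "[2019-03-21T03:46:07,555][INFO ][c.f.s.p.PrivilegesEvaluator] [host1-ingest-node-0]"
    "No permissions for [indices:admin/create]",
]

# Index patterns from the sg_logstash role posted above.
ROLE_INDEX_PATTERNS = ["logstash-*", "a[0-9]{6}-events-*", "beat"]

# Pulls user, roles, resolved indices, action and checked roles out of a
# "No index-level perm match" line. Other lines return None.
NO_MATCH_RE = re.compile(
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+), roles=\[(?P<roles>[^\]]*)\]"
    r".*?indices=\[(?P<indices>[^\]]*)\]"
    r".*?\[Action \[(?P<action>[^\]]+)\]\] "
    r"\[RolesChecked \[(?P<checked>[^\]]*)\]\]"
)


def _split_list(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_no_match(line):
    """Return a dict describing the denied request, or None if the line is not a perm-match failure."""
    m = NO_MATCH_RE.search(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "roles": _split_list(m.group("roles")),
        "indices": _split_list(m.group("indices")),
        "action": m.group("action"),
        "roles_checked": _split_list(m.group("checked")),
    }


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern where only '*' and '?' are special; everything else is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def index_pattern_matches(pattern, index_name):
    """Assumption (Search Guard docs as I read them): '/.../' is a regex, anything else is a wildcard."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], index_name) is not None
    return re.fullmatch(wildcard_to_regex(pattern), index_name) is not None


def matching_patterns(patterns, index_name):
    return [p for p in patterns if index_pattern_matches(p, index_name)]


def triage(lines, patterns):
    """For each denied request, list which of the role's index patterns would have matched."""
    results = []
    for line in lines:
        ev = parse_no_match(line)
        if ev is None:
            continue
        for idx in ev["indices"]:
            results.append({
                "index": idx,
                "action": ev["action"],
                "roles_checked": ev["roles_checked"],
                "matched": matching_patterns(patterns, idx),
            })
    return results


if __name__ == "__main__":
    for r in triage(LOG_LINES, ROLE_INDEX_PATTERNS):
        print(f"{r['action']} on {r['index']}: matched patterns {r['matched'] or 'none'}")
    # Same pattern written in the regex form, shown only for comparison with the wildcard form.
    print(index_pattern_matches("/a[0-9]{6}-events-.*/", "a200067-events-2019.03.18"))
```

Under the wildcard reading, `a[0-9]{6}-events-*` requires the literal characters `[0-9]{6}` in the index name, so it cannot match `a200067-events-2019.03.18`; the script reports no matching pattern for that index, consistent with the "No index-level perm match" line. Whether the `/.../` form is the right way to express the intent for this Search Guard version is something to confirm against its documentation.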