Hello,
We were wondering whether it is possible to model an append-only (no update/delete/read) role with SG for usage with beats?
By default the SGS_LOGSTASH role grants bulk access, which appears to imply access for all write operations.
The Elastic security model apparently allows for this:
The reason being that we have many VMs with beats, but not everyone with access to a single VM should get full access to the logs of all VMs by reading out the passwords in the /etc/*beat.yml file.
hsaly
November 18, 2019, 4:11pm
Thank you for your response hsaly, that looks very promising.
I’ve got a few questions, however:
Is it possible to use wildcards to configure this (e.g. *beat*)? Beats are constantly creating new indices, so are ILM policies (e.g. rollover)
Does this prevent ILMs from working, as they can close and delete indices?
Have you any experience using immutable indices in combination with beats? I’m not sure what API calls the beats require in order to work correctly.
Do I understand correctly, that I can no longer backup these indices as snapshot operations are forbidden?
hsaly
December 4, 2019, 11:28am
> I’ve got a few questions, however:
> Is it possible to use wildcards to configure this (e.g. *beat*)? Beats are constantly creating new indices, so are ILM policies (e.g. rollover)

Yes, you can use patterns or regex here

> Does this prevent ILMs from working, as they can close and delete indices?

Yes that might happen because immutable indices are (yet) defined globally

> Have you any experience using immutable indices in combination with beats? I’m not sure what API calls the beats require in order to work correctly.

From our experience this should work

> Do I understand correctly, that I can no longer backup these indices as snapshot operations are forbidden?

Backup(=snapshot) should be working well but you can not restore under a name which matches any of the defined immutable indices/patterns

Hi hsaly,
I apologise I haven’t updated the post this week.
We actually tried it and can confirm that it works, just as you describe.
We have now “push-only” beats.
Thank you for the support!
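
One way to check that a beats account really is push-only, as an added example that is not code from this thread or from Search Guard: it sends one request per operation with the beat's credentials and reports every result that contradicts "append, but no read/update/delete". The probe document id, the scratch index name in the usage comment and the rule that a denial shows up as HTTP 401/403 are assumptions; point it at a dedicated scratch index that matches the beats pattern, because a misconfigured role would let the delete probe succeed.

```python
import base64, json, sys
import urllib.error
import urllib.request

# (label, method, path template, JSON body, may a push-only account do this?)
PROBES = [
    ("index new document", "POST", "/{i}/_doc", {"message": "acl probe"}, True),
    ("search", "GET", "/{i}/_search", None, False),
    ("update document", "POST", "/{i}/_update/probe-1", {"doc": {"message": "x"}}, False),
    ("delete document", "DELETE", "/{i}/_doc/probe-1", None, False),
    ("delete index", "DELETE", "/{i}", None, False),
]

def http_sender(base_url, user, password):
    """Build send(method, path, body) -> HTTP status, using basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}

    def send(method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 4xx/5xx responses arrive as exceptions
    return send

def audit(send, index):
    """Run every probe; return (label, status) for each result that breaks push-only."""
    violations = []
    for label, method, path, body, may in PROBES:
        status = send(method, path.format(i=index), body)
        if may:
            ok = 200 <= status < 300
        else:
            # Assumption: a denial surfaces as 401/403. Any other status (even 404)
            # is treated as having passed authorization and is flagged.
            ok = status in (401, 403)
        if not ok:
            violations.append((label, status))
    return violations

if __name__ == "__main__":
    # usage (all values hypothetical): probe.py https://es.example:9200 beat_user beat_pw filebeat-acltest
    url, user, password, index = sys.argv[1:5]
    for label, status in audit(http_sender(url, user, password), index):
        print(f"VIOLATION: {label} returned HTTP {status}")
```

No output means every probe behaved as a push-only account should.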