Elasticsearch and Search Guard version : 6.3.2
Enterprise Module : Disabled
JVM Version : 1.8.0_111
Operating System : Debian 9
I have Search Guard with Kibana and Elasticsearch (no Logstash).
I also have a winlogbeat agent which does not send anything to my Elasticsearch.
I put this into my winlogbeat file:
As I said before, I didn’t get any entry in Kibana Discover.
Can you help me please?
I think you are not using the correct user for running Beats. You have configured:
The kibanaserver user is only useful for running Kibana.
What you need is a user that has permissions to write to the index that Beats is using. We have just recently published an article about ingestion with Beats and logstash, this should explain the required steps:
Thank you for your reply.
I have tested with the admin account when it asks for Kibana output and Elasticsearch output, and it works great!
However, is there a more suitable account for this task? I don’t use Logstash, so is there an account without “logstash”?
There is no built-in role for a “Beats only” user. However, the setup is pretty straightforward and you can use the sg_logstash role as a template. Just remove all permissions for the logstash indices and leave everything else in place, like:
Then create a user and map it to the sg_beats role via the roles mapping.
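The steps in the answer above, written out as configuration. This is an added example, not the configuration from the original post: it assumes the Search Guard 6.x file syntax and the sg_logstash role as shipped in the demo configuration, and the user name `beats_writer` and every `<...>` value are placeholders.

```yaml
---
# sg_roles.yml
# sg_logstash from the demo configuration with the 'logstash-*' index block
# removed, so the role can only write to Beats indices.
sg_beats:
  cluster:
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
    - indices:admin/template/get
    - indices:admin/template/put   # Beats loads its index template on startup
  indices:
    '*beat*':                      # can be narrowed to 'winlogbeat-*'
      '*':
        - CRUD
        - CREATE_INDEX
---
# sg_internal_users.yml
beats_writer:                      # hypothetical user name
  hash: "<BCRYPT_HASH>"            # placeholder, generate with tools/hash.sh
---
# sg_roles_mapping.yml
sg_beats:
  users:
    - beats_writer
---
# winlogbeat.yml (output section only)
# Uses the dedicated write-only user instead of kibanaserver or admin.
output.elasticsearch:
  hosts: ["https://<ES_HOST>:9200"]
  username: "beats_writer"
  password: "<PASSWORD>"
  ssl.certificate_authorities: ["<PATH_TO_ROOT_CA_PEM>"]
```

The three Search Guard files take effect only after they are uploaded to the cluster with sgadmin.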