
[Docs] Corrections needed for winlogbeat role privileges

Open rseldner opened this issue 10 months ago • 0 comments

Similar to this filebeat issue: https://github.com/elastic/beats/issues/35612

The documentation for a winlogbeat_writer role appears to be missing required privileges:

  • read_pipeline (cluster)
  • manage (index)

The "Create an API key for publishing" section is also missing the manage index privilege.

API to create a role per the documentation:

PUT _security/role/winlogbeat_writer
{
  "cluster": [
    "monitor",
    "read_ilm"
  ],
  "indices": [
    {
      "names": [
        "winlogbeat-*"
      ],
      "privileges": [
        "create_doc"
      ],
      "field_security": {
        "grant": [
          "*"
        ]
      }
    }
  ]
}

Error without read_pipeline (Beats log):

{"log.level":"error","@timestamp":"2024-04-10T12:13:15.317-0700","log.logger":"publisher_pipeline_output","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run","file.name":"pipeline/client_worker.go","file.line":148},"message":"Failed to connect to backoff(elasticsearch(https://redacted.cloud.es.io:443)): Connection marked as failed because the onConnect callback failed: 1 error: error loading pipeline winlogbeat-8.13.2-powershell: couldn't load pipeline: couldn't load json. Error: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [winlogbeat_write_user] with effective roles [winlogbeat_writer], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]"}],"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [winlogbeat_write_user] with effective roles [winlogbeat_writer], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]"},"status":403}. Response body: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [winlogbeat_write_user] with effective roles [winlogbeat_writer], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]"}],"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [winlogbeat_write_user] with effective roles [winlogbeat_writer], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]"},"status":403}","service.name":"winlogbeat","ecs.version":"1.6.0"}

Without the manage index privilege

The Beats log is not too explicit:

{"log.level":"warn","@timestamp":"2024-04-10T12:14:33.076-0700","log.logger":"elasticsearch","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.(*Client).bulkCollectPublishFails","file.name":"elasticsearch/client.go","file.line":454},"message":"Cannot index event (status=403): dropping event! Enable debug logs to view the event and cause.","service.name":"winlogbeat","ecs.version":"1.6.0"}

But in the Elasticsearch audit log we can see...

{"type": "audit", "timestamp":"2024-04-10T19:23:01,382+0000", "cluster.uuid":"redacted", "node.id":"redacted", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"winlogbeat_write_user", "user.realm":"native", "user.roles":["winlogbeat_writer"], "origin.type":"rest", "origin.address":"redacted", "request.id":"N5vMAjAJQFeHb1Cvxwq5_A", "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest", "x_forwarded_for":"redacted"}

winlogbeat.yml:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
setup.kibana:
  host: "https://[redacted-kb].cloud.es.io:443"
output.elasticsearch:
  hosts: ["[redacted-es].cloud.es.io:443"]
  protocol: "https"
  username: winlogbeat_write_user
  password: [redacted]
setup.ilm.check_exists: false
setup.ilm.enabled: false
setup.ilm.overwrite: false
setup.template.overwrite: false
setup.template.enabled: false
setup.dashboards.enabled: false
winlogbeat.overwrite_pipelines: false
logging.level: warning

rseldner, Apr 19 '24 03:04
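Added example, not code from the issue or from the Beats project: a small Python helper that checks a role body for the privileges this report says are needed and summarises access_denied actions from Elasticsearch audit lines, so that a terse "dropping event (status=403)" warning can be traced back to the concrete action the role lacks. The required-privilege sets and the sample audit lines are assumptions constructed from the issue text.

```python
import json

# Role body as documented in the issue (field_security omitted; it does not
# affect the privilege check). The REQUIRED_* sets are an assumption taken
# from the issue's claim, not from Elastic's documentation.
DOCUMENTED_ROLE = {
    "cluster": ["monitor", "read_ilm"],
    "indices": [{"names": ["winlogbeat-*"], "privileges": ["create_doc"]}],
}
REQUIRED_CLUSTER = {"monitor", "read_ilm", "read_pipeline"}
REQUIRED_INDEX = {"create_doc", "manage"}


def missing_privileges(role, required_cluster=REQUIRED_CLUSTER,
                       required_index=REQUIRED_INDEX):
    """Return (missing cluster privileges, missing index privileges), sorted."""
    have_cluster = set(role.get("cluster", []))
    have_index = set()
    for entry in role.get("indices", []):
        have_index |= set(entry.get("privileges", []))
    return sorted(required_cluster - have_cluster), sorted(required_index - have_index)


def denied_actions(audit_lines, user=None):
    """Count access_denied audit events per user and action.

    Returns {user.name: {action: count}}; malformed or non-audit lines are skipped.
    """
    summary = {}
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("type") != "audit" or ev.get("event.action") != "access_denied":
            continue
        name = ev.get("user.name", "?")
        if user and name != user:
            continue
        per_user = summary.setdefault(name, {})
        action = ev.get("action", "?")
        per_user[action] = per_user.get(action, 0) + 1
    return summary


# Constructed sample audit lines modelled on the one in the issue (values redacted).
SAMPLE_AUDIT = [
    '{"type": "audit", "event.type":"transport", "event.action":"access_denied", "user.name":"winlogbeat_write_user", "user.roles":["winlogbeat_writer"], "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest"}',
    '{"type": "audit", "event.type":"transport", "event.action":"access_granted", "user.name":"winlogbeat_write_user", "action":"indices:data/write/bulk"}',
]

if __name__ == "__main__":
    print(missing_privileges(DOCUMENTED_ROLE))          # (['read_pipeline'], ['manage'])
    print(denied_actions(SAMPLE_AUDIT, user="winlogbeat_write_user"))
```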