我们在弹性搜索的readonly rest插件时遇到问题:启用插件时我们没有运行logstash。我们使用带有filebeat的logstash。这可能是问题吗? logstash配置如下。 错误消息:
[401] Forbidden {:class=>"Elasticsearch::Transport::Transport::Errors::Unauthorized", :level=>:error}
在elasticsearch中,我们已经定义了角色,如下所示。
readonlyrest:
enable: true
response_if_req_forbidden: <h1>Forbidden</h1>
access_control_rules:
- name: Developer (reads only logstash indices, but can create new charts/dashboards)
auth_key: dev:dev
type: allow
kibana_access: ro+
indices: ["<no-index>", ".kibana*", "logstash*", "default"]
- name: Kibana Server (we trust this server side component, full access granted via HTTP authentication)
auth_key: admin:passwd1
type: allow
- name: "Logstash can write and create its own indices"
auth_key: logstash:logstash
type: allow
actions: ["cluster:*", "indices:data/read/*","indices:data/write/*","indices:admin/*"]
indices: ["logstash*", "filebeat-*", "<no_index>"]
the logstash config:
output{
elasticsearch {
hosts => ["localhost:9200"]
manage_template => true
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
document_id => "%{fingerprint}"
user => ["logstash"]
password => ["logstash"]
}
}
答案 0 :(得分:1)
我相信你没有给logstash提供使用你的设置创建索引的能力。它可以写和读,但我没有看到创建。
从网站示例中,您可以将logstash配置更改为:
- name: "Logstash can write and create its own indices"
auth_key: logstash:logstash
type: allow
actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
indices: ["logstash-*", "<no_index>"]
此设置适用于我。
我不认为它与filebeat有任何关系,因为输出实际上不再与filebeat对话了吗?但话说回来,我正在使用文件输入。
希望能解决问题。
阿图尔