Elasticsearch role for Graylog

I’m using native authentication for my Elasticsearch cluster.
I would like to create a user with the least privileges necessary for Graylog to function.
In another post I found:

Graylog needs to be able to create indices and do all housekeeping on them

So I created an Elasticsearch role for the graylog user as below:

POST _security/role/graylog_user
{
  "indices": [
    {
      "names": ["graylog_*", "gl-*"],
      "privileges": ["all"]
    }
  ]
}

and assigned the role to the user.
After starting Graylog I can see in logs:

ERROR [Cluster] Couldn’t read cluster health for indices [graylog_*, gl-events_*, gl-system-events_*]

When I assign the superuser role to the graylog user, everything works perfectly.
Does the graylog user need any other privileges? Which exactly?

A good example is better than 1000 words :grinning:
My user lacked permissions for the cluster.
After adding the cluster privileges “monitor” and “manage_index_templates”, everything works :slightly_smiling_face:

Thank you for the help, Jan

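Added example, not part of the original posts: the role from the question combined with the two cluster privileges named in the reply, written in Kibana Dev Tools console syntax. The two follow-up requests are an assumed way to verify the role while authenticated as the graylog user; they do not come from the thread.

```console
# Role from the question, plus the cluster privileges "monitor" and
# "manage_index_templates" that the reply reports as the missing piece.
POST _security/role/graylog_user
{
  "cluster": ["monitor", "manage_index_templates"],
  "indices": [
    {
      "names": ["graylog_*", "gl-*"],
      "privileges": ["all"]
    }
  ]
}

# Run as the graylog user (not as an admin): asks Elasticsearch whether the
# current user holds exactly the privileges granted above.
POST _security/user/_has_privileges
{
  "cluster": ["monitor", "manage_index_templates"],
  "index": [
    {
      "names": ["graylog_*", "gl-*"],
      "privileges": ["all"]
    }
  ]
}

# Run as the graylog user: the cluster health read for the index patterns
# listed in the Graylog error message.
GET _cluster/health/graylog_*,gl-events_*,gl-system-events_*
```

A `"has_all_requested": true` in the second response means the user holds every privilege listed in that request.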
