filebeat to elasticsearch occur ingest node error

原因: filebeat 執行時，有可能會出現以下錯誤訊息

2020–10–15T09:41:21.175Z ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(http://10.242.136.248:9200)): Connection marked as failed because the onConnect callback failed: 1 error: Error loading pipeline for fileset elasticsearch/deprecation: couldn’t load pipeline: couldn’t load json. Error: 403 Forbidden: {“error”:{“root_cause”:[{“type”:”security_exception”,”reason”:”action [cluster:admin/ingest/pipeline/put] is unauthorized for user [user_a]”}],”type”:”security_exception”,”reason”:”action [cluster:admin/ingest/pipeline/put] is unauthorized for user [user_a]”},”status”:403}. Response body: {“error”:{“root_cause”:[{“type”:”security_exception”,”reason”:”action [cluster:admin/ingest/pipeline/put] is unauthorized for user [user_a]”}],”type”:”security_exception”,”reason”:”action [cluster:admin/ingest/pipeline/put] is unauthorized for user [user_a]”},”status”:403}

JSON展開後，大該可以找到幾個關鍵字:

Error loading pipeline for fileset elasticsearch/deprecation: couldn't load pipeline
...
"reason": "action [cluster:admin/ingest/pipeline/put] is unauthorized for user [user_a]"
...
”status”:403

上網餵狗後，得知要在 Elasticsearch Cluster privileges 加上 manage_ingest_pipeline才不會出錯!

看社區討論，好像是 filebeat 才會遇到這個問題，有可能跟 manage_ilm有關，不過目前還沒有elasticsearch的官方回應就是~

ref:

Security error with beats_system account and Filebeat with system module

Beats: Proposals For More Restrictive Privileges · Issue #10241 · elastic/beats

GrokDebugger: [security_exception] action [cluster:admin/ingest/pipeline/simulate] is unauthorized…