diff --git a/libbeat/docs/security/api-keys.asciidoc b/libbeat/docs/security/api-keys.asciidoc index 1a934b67ce8..db068f08782 100644 --- a/libbeat/docs/security/api-keys.asciidoc +++ b/libbeat/docs/security/api-keys.asciidoc @@ -33,7 +33,7 @@ POST /_security/api_key "index": [ { "names": ["{beat_default_index_prefix}-*"], - "privileges": ["view_index_metadata", "create_doc"] + "privileges": ["view_index_metadata", "create_doc", "auto_configure"] } ] } diff --git a/libbeat/docs/security/users.asciidoc b/libbeat/docs/security/users.asciidoc index d6849caf058..846e8bc5937 100644 --- a/libbeat/docs/security/users.asciidoc +++ b/libbeat/docs/security/users.asciidoc @@ -233,8 +233,9 @@ To grant the required privileges: . Create a *writer role*, called something like +{beat_default_index_prefix}_writer+, that has the following privileges: + -NOTE: The `monitor` cluster privilege and the `create_doc` privilege on -+{beat_default_index_prefix}-*+ indices are required in every configuration. +NOTE: The `monitor` cluster privilege and the `create_doc` and `auto_configure` +privileges on +{beat_default_index_prefix}-*+ indices are required in every +configuration. + [options="header"] |==== @@ -259,10 +260,24 @@ ifeval::["{beatname_lc}"=="filebeat"] |Check for ingest pipelines used by modules. Needed when using modules. endif::[] +ifeval::["{beatname_lc}"=="winlogbeat"] +|Cluster +|`read_pipeline` +|Check for ingest pipelines used by {beatname_uc}. +endif::[] + |Index |`create_doc` on +{beat_default_index_prefix}-*+ indices |Write events into {es} + +|Index +|`auto_configure` on +{beat_default_index_prefix}-*+ indices +|Update the datastream mapping. Consider either disabling entirely or adding the +rule `-{beat_default_index_prefix}-*` to the cluster settings +https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html#index-creation[action.auto_create_index] +to prevent unwanted indices creations from the agents. |==== + ifndef::apm-server[] + Omit any privileges that aren't relevant in your environment.