# [Docs] Corrections needed for winlogbeat role privileges #39067

Status: Closed
rseldner opened this issue Apr 19, 2024 · 3 comments
Labels: docs, Team:Docs (label for the Observability docs team)

## Comments

**rseldner** (Contributor) opened the issue:

Similar to this filebeat issue: #35612

The documentation for a `winlogbeat_writer` role appears to be missing required privileges:

  • `read_pipeline` (cluster)
  • `manage` (index)

The "Create an API key for publishing" section is also missing the `manage` index privilege.

API to create a role per the documentation:

```json
PUT _security/role/winlogbeat_writer
{
  "cluster": [
    "monitor",
    "read_ilm"
  ],
  "indices": [
    {
      "names": [
        "winlogbeat-*"
      ],
      "privileges": [
        "create_doc"
      ],
      "field_security": {
        "grant": [
          "*"
        ]
      }
    }
  ]
}
```

Error without `read_pipeline`

Beats log:

```
{"log.level":"error","@timestamp":"2024-04-10T12:13:15.317-0700","log.logger":"publisher_pipeline_output","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run","file.name":"pipeline/client_worker.go","file.line":148},"message":"Failed to connect to backoff(elasticsearch(https://redacted.cloud.es.io:443)): Connection marked as failed because the onConnect callback failed: 1 error: error loading pipeline winlogbeat-8.13.2-powershell: couldn't load pipeline: couldn't load json. Error: 403 Forbidden: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [winlogbeat_write_user] with effective roles [winlogbeat_writer], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]"}],"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [winlogbeat_write_user] with effective roles [winlogbeat_writer], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]"},"status":403}. Response body: {"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [winlogbeat_write_user] with effective roles [winlogbeat_writer], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]"}],"type":"security_exception","reason":"action [cluster:admin/ingest/pipeline/put] is unauthorized for user [winlogbeat_write_user] with effective roles [winlogbeat_writer], this action is granted by the cluster privileges [manage_ingest_pipelines,manage_pipeline,manage,all]"},"status":403}","service.name":"winlogbeat","ecs.version":"1.6.0"}
```

Without the `manage` index privilege

The Beats log is not too explicit:

```
{"log.level":"warn","@timestamp":"2024-04-10T12:14:33.076-0700","log.logger":"elasticsearch","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.(*Client).bulkCollectPublishFails","file.name":"elasticsearch/client.go","file.line":454},"message":"Cannot index event (status=403): dropping event! Enable debug logs to view the event and cause.","service.name":"winlogbeat","ecs.version":"1.6.0"}
```

But in the Elasticsearch audit log we can see:

```json
{"type": "audit", "timestamp":"2024-04-10T19:23:01,382+0000", "cluster.uuid":"redacted", "node.id":"redacted", "event.type":"transport", "event.action":"access_denied", "authentication.type":"REALM", "user.name":"winlogbeat_write_user", "user.realm":"native", "user.roles":["winlogbeat_writer"], "origin.type":"rest", "origin.address":"redacted", "request.id":"N5vMAjAJQFeHb1Cvxwq5_A", "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest", "x_forwarded_for":"redacted"}
```

winlogbeat.yml:

```yaml
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
setup.kibana:
  host: "https://[redacted-kb].cloud.es.io:443"
output.elasticsearch:
  hosts: ["[redacted-es].cloud.es.io:443"]
  protocol: "https"
  username: winlogbeat_write_user
  password: [redacted]
setup.ilm.check_exists: false
setup.ilm.enabled: false
setup.ilm.overwrite: false
setup.template.overwrite: false
setup.template.enabled: false
setup.dashboards.enabled: false
winlogbeat.overwrite_pipelines: false
logging.level: warning
```
rseldner added the `docs` and `Team:Docs` labels on Apr 19, 2024.
rseldner changed the title from "Corrections needed for winlogbeat role privileges" to "[Docs] Corrections needed for winlogbeat role privileges" on Apr 19, 2024.
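The two 403s above are reported very differently: the Beats connection error carries the full Elasticsearch `security_exception`, which names the denied action and the privileges that would grant it, while the bulk-index failure only says `status=403` and the detail has to come from the Elasticsearch audit log. The following is an added example (not code from the issue or from the Beats project) that parses both kinds of line and checks the documented `winlogbeat_writer` role against what the exception says is missing. The sample log lines are constructed to mirror the ones posted above (re-serialised as valid JSON, with the exception text taken from the issue); the regex over the `reason` string and the `diagnose` helper are assumptions of this example, not an Elasticsearch API.

```python
"""Parse Beats / Elasticsearch 403 diagnostics and check a role against them.

Added example for this issue; the role is the one from the documentation as
quoted in the issue body, the log lines are constructed samples.
"""
import json
import re
from typing import Optional

# Documented winlogbeat_writer role, as posted in the issue.
DOCUMENTED_ROLE = {
    "cluster": ["monitor", "read_ilm"],
    "indices": [
        {
            "names": ["winlogbeat-*"],
            "privileges": ["create_doc"],
            "field_security": {"grant": ["*"]},
        }
    ],
}

# Pattern for the security_exception reason text quoted in the issue; the
# "granted by" list is read straight from the string (assumed stable format).
_DENIED_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" with effective roles \[(?P<roles>[^\]]*)\], this action is granted by the"
    r" (?P<scope>\w+) privileges \[(?P<privs>[^\]]+)\]"
)


def parse_beats_denial(line: str) -> Optional[dict]:
    """Extract the denied action and the privileges that would grant it from a
    Beats JSON log line whose message embeds an Elasticsearch 403 body."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if record.get("log.level") != "error":
        return None
    m = _DENIED_RE.search(record.get("message", ""))
    if not m:
        return None
    return {
        "action": m["action"],
        "user": m["user"],
        "roles": m["roles"].split(","),
        "scope": m["scope"],
        "granting_privileges": m["privs"].split(","),
    }


def parse_audit_denial(line: str) -> Optional[dict]:
    """Extract user, roles and action from an Elasticsearch audit access_denied
    event (the Beats side of a dropped event only says status=403)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    if record.get("type") != "audit" or record.get("event.action") != "access_denied":
        return None
    return {
        "action": record.get("action"),
        "user": record.get("user.name"),
        "roles": record.get("user.roles", []),
    }


def role_grants(role: dict, denial: dict) -> bool:
    """True if the role already holds one of the privileges the exception lists
    as sufficient for the denied action (cluster or index scope)."""
    if denial["scope"] == "cluster":
        held = set(role.get("cluster", []))
    else:
        held = {p for entry in role.get("indices", []) for p in entry.get("privileges", [])}
    return bool(held & set(denial["granting_privileges"]))


# Constructed sample lines modelled on those in the issue.
_REASON = ("action [cluster:admin/ingest/pipeline/put] is unauthorized for user "
           "[winlogbeat_write_user] with effective roles [winlogbeat_writer], this "
           "action is granted by the cluster privileges "
           "[manage_ingest_pipelines,manage_pipeline,manage,all]")
SAMPLE_BEATS_LINE = json.dumps({
    "log.level": "error",
    "log.logger": "publisher_pipeline_output",
    "message": ("Failed to connect to backoff(elasticsearch(https://redacted.cloud.es.io:443)): "
                "error loading pipeline winlogbeat-8.13.2-powershell: 403 Forbidden: "
                + json.dumps({"error": {"type": "security_exception", "reason": _REASON}, "status": 403})),
    "service.name": "winlogbeat",
})
SAMPLE_AUDIT_LINE = json.dumps({
    "type": "audit", "event.type": "transport", "event.action": "access_denied",
    "user.name": "winlogbeat_write_user", "user.roles": ["winlogbeat_writer"],
    "action": "indices:admin/mapping/auto_put", "request.name": "PutMappingRequest",
})


def diagnose(role: dict, beats_line: str, audit_line: str) -> list[str]:
    """Summarise both denials; one finding per line that actually denies something."""
    findings = []
    d = parse_beats_denial(beats_line)
    if d and not role_grants(role, d):
        findings.append(f"{d['scope']} action {d['action']} denied for {d['user']}; "
                        f"role holds none of {d['granting_privileges']}")
    a = parse_audit_denial(audit_line)
    if a:
        findings.append(f"audit: {a['action']} denied for {a['user']} (roles {a['roles']})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(DOCUMENTED_ROLE, SAMPLE_BEATS_LINE, SAMPLE_AUDIT_LINE):
        print(finding)
```

The check is deliberately literal: it only reports whether the role holds a privilege the exception itself names, so it will flag a `pipeline/put` denial even after `read_pipeline` is added. That is the point of reading both logs together: the audit event (`indices:admin/mapping/auto_put`) is the only place the index-side failure names an action at all.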
**herrBez** (Contributor) commented May 8, 2024:

Hi, I opened #38534 to fix the issue. Could you please provide feedback on the suggested fix? Am I missing something?

**herrBez** (Contributor) commented May 9, 2024:

P.S. While `read_pipeline` is correct, the `manage` one is not actually needed if you follow the documentation and do a separate `winlogbeat setup`. The writer should only be able to read the pipeline.

**herrBez** (Contributor) commented May 9, 2024:

#38534 has been merged. I'll close the issue. Feel free to reopen it.
