docs/reference/winlogbeat/privileges-to-publish-events.md
Users who publish events to {{es}} need to create and write to Winlogbeat indices. To minimize the privileges required by the writer role, use the setup role to pre-load dependencies. This section assumes that you’ve run the setup.
When using ILM, turn off the ILM setup check in the Winlogbeat config file before running Winlogbeat to publish events:
setup.ilm.check_exists: false
To grant the required privileges:
Create a writer role, called something like winlogbeat_writer, that has the following privileges:
::::{note}
The monitor cluster privilege and the create_doc and auto_configure privileges on winlogbeat-* indices are required in every configuration.
::::
| Type | Privilege | Purpose |
|---|---|---|
| Cluster | monitor | Retrieve cluster details (e.g. version) |
| Cluster | read_ilm | Read the ILM policy when connecting to clusters that support ILM.Not needed when setup.ilm.check_exists is false. |
| Cluster | read_pipeline | Check for ingest pipelines used by Winlogbeat. |
| Index | create_doc on winlogbeat-* indices | Write events into {{es}} |
| Index | auto_configure on winlogbeat-* indices | Update the datastream mapping. Consider either disabling entirely or adding therule -{{beat_default_index_prefix}}-* to the cluster settingsaction.auto_create_indexto prevent unwanted indices creations from the agents. |
Omit any privileges that aren’t relevant in your environment.
Assign the writer role to users who will index events into {{es}}.