We only need to append


As Elasticsearch matures over time, they are fixing some of the less obvious stuff. Seemingly little things can be tremendously important though.

One of the new things, that I want to highlight here is the new security privilegie : create_doc. Read about it the Elasticsearch 7.5 release notes.

As Elastic describes it:

With the previous set of index privileges, users that were allowed to index new documents were also allowed to update existing ones.

With the new create_doc, cluster administrators can create a user that is allowed to add new data only. This gives the minimum privileges needed by ingest agents, with no risk that that user can alter and corrupt existing logs. These administrators can (now) rest assured knowing that components that live directly on the machines that they monitor cannot corrupt or hide tracks that are already into the index.

Have a look at the documention as there is one important change, that is needed in the Elasticsearch Logstash output section.

Implementing it

It is very easy to take advantage of this new feature. Create a role called append_writer and assign a user to the new role:

Or if you prefer developer tools

The final to modify is the output section in Logstash. You need to add an action attribute to it:

Of course , the credentials of the append_writer should be kept in secret store of Logstash!


This simple change is trivial to make, but gives great value. You can rest assured, that the user used in Logstash can never be used to change existing documents in your Elastic clusters.

Leave a Reply

Your email address will not be published. Required fields are marked *