IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Configure Auditbeat to use security features Grant access using API keys »
Elastic Docs Auditbeat Reference [7.7] Secure Auditbeat Configure Auditbeat to use security features

Grant users access to secured resources

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Grant users access to secured resources

edit

You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.

Typically you need the create the following separate roles:

  • setup role for setting up index templates and other dependencies
  • monitoring role for sending monitoring information
  • writer role for publishing events collected by Auditbeat
  • reader role for Kibana users who need to view and create visualizations that access Auditbeat data

X-Pack security provides built-in roles that grant a subset of the privileges needed by Auditbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.

Grant privileges and roles needed for setup

edit

Setting up Auditbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.

Administrators who set up Auditbeat typically need to load mappings, dashboards, and other objects used to index data into Elasticsearch and visualize it in Kibana.

To grant users the required privileges:

  1. Create a setup role, called something like auditbeat_setup, that has the following privileges:

    Type Privilege Purpose

    Cluster

    monitor

    Retrieve cluster details (e.g. version)

    Cluster

    manage_ilm

    Set up and manage index lifecycle management (ILM) policy

    Index

    manage on auditbeat-* indices

    Set up aliases used by ILM

    Omit any privileges that aren’t relevant in your environment.

    These instructions assume that you are using the default name for Auditbeat indices. If you are using a custom name, modify the privileges to match your index naming pattern.

  2. Assign the setup role, along with the following built-in roles, to users who need to set up Auditbeat:

    Role Purpose

    kibana_admin

    Load dependencies, such as example dashboards, if available, into Kibana

    ingest_admin

    Set up index templates and, if available, ingest pipelines

    Omit any roles that aren’t relevant in your environment.

Grant privileges and roles needed for monitoring

edit

X-Pack security provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.

Important note for Elastic Cloud users

Built-in users are not available when running our hosted Elasticsearch Service on Elastic Cloud. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.

  • If you’re using internal collection to collect metrics about Auditbeat, X-Pack security provides the beats_system built-in user and beats_system built-in role to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.

    If you use the beats_system user, make sure you set the password.

    If you don’t use the beats_system user:

    1. Create a monitoring role, called something like auditbeat_monitoring, that has the following privileges:

      Type Privilege Purpose

      Cluster

      monitor

      Retrieve cluster details (e.g. version)

      Index

      create_index on .monitoring-beats-* indices

      Create monitoring indices in Elasticsearch

      Index

      create_doc on .monitoring-beats-* indices

      Write monitoring events into Elasticsearch

    2. Assign the monitoring role, along with the following built-in roles, to users who need to monitor Auditbeat:

      Role Purpose

      kibana_user

      Use Kibana

      monitoring_user

      Use Stack Monitoring in Kibana to monitor Auditbeat

  • If you’re using Metricbeat to collect metrics about Auditbeat, X-Pack security provides the remote_monitoring_user built-in user, and the remote_monitoring_collector and remote_monitoring_agent built-in roles for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.

    If you use the remote_monitoring_user user, make sure you set the password.

    If you don’t use the remote_monitoring_user user:

    1. Create a user on the production cluster who will collect and send monitoring information.

    2. Assign the following roles to the user:

      Role Purpose

      remote_monitoring_collector

      Collect monitoring metrics from Auditbeat

      remote_monitoring_agent

      Send monitoring data to the monitoring cluster

    3. Assign the following role to users who will view the monitoring data in Kibana:

      Role Purpose

      monitoring_user

      Use Stack Monitoring in Kibana to monitor Auditbeat

Grant privileges and roles needed for publishing

edit

Users who publish events to Elasticsearch need to create and write to Auditbeat indices. To minimize the privileges required by the writer role, use the setup role to pre-load dependencies. This section assumes that you’ve pre-loaded dependencies.

When using ILM, turn off the ILM setup check in the Auditbeat config file before running Auditbeat to publish events:

setup.ilm.check_exists: false

To grant the required privileges:

  1. Create a writer role, called something like auditbeat_writer, that has the following privileges:

    The monitor cluster privilege and the create_doc privilege on auditbeat-* indices are required in every configuration.

    Type Privilege Purpose

    Cluster

    monitor

    Retrieve cluster details (e.g. version)

    Cluster

    read_ilm

    Read the ILM policy when connecting to clusters that support ILM. Not needed when setup.ilm.check_exists is false.

    Index

    create_doc on auditbeat-* indices

    Write events into Elasticsearch

    Index

    view_index_metadata on auditbeat-* indices

    Check for alias when connecting to clusters that support ILM. Not needed when setup.ilm.check_exists is false.

    Index

    create_index on auditbeat-* indices

    Create daily indices when connecting to clusters that do not support ILM. Not needed when using ILM.

    Omit any privileges that aren’t relevant in your environment.

  2. Assign the writer role to users who will index events into Elasticsearch.

Grant privileges and roles needed to read Auditbeat data from Kibana

edit

Kibana users typically need to view dashboards and visualizations that contain Auditbeat data. These users might also need to create and edit dashboards and visualizations.

To grant users the required privileges:

  1. Create a reader role, called something like auditbeat_reader, that has the following privilege:

    Type Privilege Purpose

    Index

    read on auditbeat-* indices

    Read data indexed by Auditbeat

    Spaces

    Read or All on Dashboards, Visualize, and Discover

    Allow the user to view, edit, and create dashboards, as well as browse data.

  2. Assign the reader role, along with the following built-in roles, to users who need to read Auditbeat data:

    Role Purpose

    monitoring_user

    Allow users to monitor the health of Auditbeat itself. Only assign this role to users who manage Auditbeat.

Learn more about users and roles

edit

Want to learn more about creating users and roles? See Secure a cluster. Also see:

« Configure Auditbeat to use security features Grant access using API keys »