Configure Filebeat to use X-Pack security

edit

Configure Filebeat to use X-Pack security

edit

If you want Filebeat to connect to a cluster that has X-Pack security enabled, there are extra configuration steps:

  1. Configure authentication credentials.

    To send data to a secured cluster through the elasticsearch output, Filebeat needs to authenticate as a user who can manage index templates, monitor the cluster, create indices, read and write to the indices it creates, and manage ingest pipelines.

  2. Grant users access to Filebeat indices.

    To search the indexed Filebeat data and visualize it in Kibana, users need access to the indices Filebeat creates.

  3. Configure Filebeat to use encrypted connections.

    If encryption is enabled on the cluster, you need to enable HTTPS in the Filebeat configuration.

  4. Set the password for the built-in monitoring user.

    Filebeat uses the beats_system user to send monitoring data to Elasticsearch. If you plan to monitor Filebeat in Kibana and have not yet set up the password, set it up now.

For more information about X-Pack security, see Securing the Elastic Stack.

Filebeat features that require authorization

edit

After securing Filebeat, make sure your users have the roles (or associated privileges) required to use these Filebeat features. You must create the filebeat_writer and filebeat_reader roles (see Configure authentication credentials and Grant users access to Filebeat indices). The other roles are built-in.

Feature Role

Send data to a secured cluster

filebeat_writer

Run Filebeat modules

filebeat_writer

Load index templates

filebeat_writer and kibana_user

Load Filebeat dashboards into Kibana

filebeat_writer and kibana_user

Load machine learning jobs

machine_learning_admin

Read indices created by Filebeat

filebeat_reader

View Filebeat dashboards in Kibana

kibana_user

Store and manage configurations in a central location in Kibana

beats_admin