Grant privileges and roles needed for monitoring

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Grant privileges and roles needed for monitoring

Elasticsearch security features provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.

Important note for Elastic Cloud users

Built-in users are not available when running our hosted Elasticsearch Service on Elastic Cloud. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.

If you’re using internal collection to collect metrics about Functionbeat, Elasticsearch security features provides the beats_system built-in user and beats_system built-in role to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.

If you use the beats_system user, make sure you set the password.

If you don’t use the beats_system user:

Create a monitoring role, called something like functionbeat_monitoring, that has the following privileges:

Type	Privilege	Purpose
Cluster	`monitor`	Retrieve cluster details (e.g. version)
Index	`create_index` on `.monitoring-beats-*` indices	Create monitoring indices in Elasticsearch
Index	`create_doc` on `.monitoring-beats-*` indices	Write monitoring events into Elasticsearch

Assign the monitoring role, along with the following built-in roles, to users who need to monitor Functionbeat:

Role Purpose

kibana_user

Use Kibana

monitoring_user

Use Stack Monitoring in Kibana to monitor Functionbeat

Role	Purpose
`kibana_user`	Use Kibana
`monitoring_user`	Use Stack Monitoring in Kibana to monitor Functionbeat

« Grant privileges and roles needed for setup Grant privileges and roles needed for publishing »