- Packetbeat Reference: other versions:
- Overview
- Contributing to Beats
- Getting started with Packetbeat
- Setting up and running Packetbeat
- Upgrading Packetbeat
- Configuring Packetbeat
- Set traffic capturing options
- Set up flows to monitor network traffic
- Specify which transaction protocols to monitor
- Specify which processes to monitor
- Specify general settings
- Configure the internal queue
- Configure the output
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Export GeoIP Information
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- packetbeat.reference.yml
- Exported fields
- AMQP fields
- Beat fields
- Cassandra fields
- Cloud provider metadata fields
- Common fields
- DNS fields
- Docker fields
- Flow Event fields
- HTTP fields
- ICMP fields
- Kubernetes fields
- Memcache fields
- MongoDb fields
- MySQL fields
- NFS fields
- PostgreSQL fields
- Raw fields
- Redis fields
- Thrift-RPC fields
- TLS fields
- Transaction Event fields
- Measurements (Transactions) fields
- Monitoring Packetbeat
- Securing Packetbeat
- Visualizing Packetbeat data in Kibana
- Troubleshooting
WARNING: Version 6.2 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Configuring Authentication Credentials for Packetbeat
editConfiguring Authentication Credentials for Packetbeat
editWhen sending data to a secured cluster through the elasticsearch
output, Packetbeat must either provide basic authentication credentials
or present a client certificate.
To configure authentication credentials for Packetbeat:
-
Create a role that has the
manage_index_templatesandmonitorcluster privileges, andread,write, andcreate_indexprivileges for the indices that Packetbeat creates. You can create roles from the Management / Roles UI in Kibana or through theroleAPI. For example, the following request creates apacketbeat_writerrole: -
Assign the writer role to the user that Packetbeat will use to connect to Elasticsearch:
-
To authenticate as a native user, create a user for the Packetbeat to use internally and assign it the writer role. You can create users from the Management / Users UI in Kibana or through the
userAPI. For example, the following request creates apacketbeat_internaluser that has thepacketbeat_writerrole:POST /_xpack/security/user/packetbeat_internal { "password" : "x-pack-test-password", "roles" : [ "packetbeat_writer"], "full_name" : "Internal Packetbeat User" }
-
To authenticate using PKI authentication, assign the writer role to the internal Packetbeat user in the
role_mapping.ymlconfiguration file. Specify the user by the distinguished name that appears in its certificate.packetbeat_writer: - "cn=Internal Packetbeat User,ou=example,o=com"
For more information, see Using Role Mapping Files.
-
-
Configure authentication credentials for the
elasticsearchoutput in the Packetbeat configuration file:-
To use basic authentication, configure the
usernameandpasswordsettings. For example, the following Packetbeat output configuration uses the nativepacketbeat_internaluser to connect to Elasticsearch:output.elasticsearch: hosts: ["localhost:9200"] index: "packetbeat" username: "packetbeat_internal" password: "x-pack-test-password"
-
To use PKI authentication, configure the
certificateandkeysettings:
-