IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Configure Winlogbeat to use X-Pack security Configure authentication credentials »

› › ›

Grant users access to secured resources

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Grant users access to secured resources

edit

You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.

Typically you need the create the following separate roles:

setup role for setting up index templates and other dependencies
monitoring role for sending monitoring information
writer role for publishing events collected by Winlogbeat
reader role for Kibana users who need to view and create visualizations that access Winlogbeat data

X-Pack security provides built-in roles that grant a subset of the privileges needed by Winlogbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.

Grant privileges and roles needed for setup

edit

Setting up Winlogbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a less restrictive role for event publishing.

Administrators who set up Winlogbeat typically need to load mappings, dashboards, and other objects used to index data into Elasticsearch and visualize it in Kibana.

To grant users the required privileges:

Create a setup role, called something like winlogbeat_setup, that has the following privileges:

Privileges	Why needed?
`monitor`	Send monitoring data to the cluster
`manage_ilm`	Set up and manage index lifecycle management (ILM) policy
`manage` on `winlogbeat-*` indices	Set up aliases used by ILM

Omit any privileges that aren’t relevant in your environment.

These instructions assume that you are using the default name for Winlogbeat indices. If you are using a custom name, modify the privileges to match your index naming pattern.

Assign the setup role, along with the following built-in roles, to users who need to set up Winlogbeat:

Roles Why needed?

kibana_user

Load dependencies, such as example dashboards, if available, into Kibana

ingest_admin

Set up index templates and, if available, ingest pipelines

Omit any roles that aren’t relevant in your environment.

Roles	Why needed?
`kibana_user`	Load dependencies, such as example dashboards, if available, into Kibana
`ingest_admin`	Set up index templates and, if available, ingest pipelines

Grant privileges and roles needed for monitoring

edit

X-Pack security provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.

Internal collection

edit

For internal collection, X-Pack security provides the winlogbeat_system built-in user and winlogbeat_system built-in role for sending monitoring information. You can use the built-in user, or create a user who has the privileges needed to send monitoring information.

If you use the winlogbeat_system user, make sure you set the password.

If you don’t use the winlogbeat_system user:

Create a monitoring role, called something like winlogbeat_monitoring, that has the following privileges:

Privileges Why needed?

monitor

Send monitoring info

kibana_user

Use Kibana
Assign the monitoring role, along with the following built-in role, to users who need to monitor Winlogbeat:

Role Why needed?

monitoring_user

Use Stack Monitoring in Kibana to monitor Winlogbeat

Metricbeat collection

edit

For Metricbeat collection, X-Pack security provides the remote_monitoring_user built-in user, and the remote_monitoring_collector and remote_monitoring_agent built-in roles for collecting and sending monitoring information. You can use the built-in user, or create a user who has the privileges needed to collect and send monitoring information.

If you use the remote_monitoring_user user, make sure you set the password.

If you don’t use the remote_monitoring_user user:

Create a user on the production cluster who will collect and send monitoring information.
Assign the following roles to the user:

Role Why needed?

remote_monitoring_collector

Collect monitoring metrics from Winlogbeat

remote_monitoring_agent

Send monitoring data to the monitoring cluster
Assign the following role to users who will view the monitoring data in Kibana:

Role	Why needed?
`remote_monitoring_collector`	Collect monitoring metrics from Winlogbeat
`remote_monitoring_agent`	Send monitoring data to the monitoring cluster

Role	Why needed?
`monitoring_user`	Use Stack Monitoring in Kibana to monitor Winlogbeat

Grant privileges and roles needed for publishing

edit

Users who publish events to Elasticsearch need to create and read from Winlogbeat indices. To minimize the privileges required by the writer role, you can use the setup role to pre-load dependencies. Then turn off setup options in the Winlogbeat config file before running Winlogbeat to publish events. For example:

setup.template.enabled: false
setup.ilm.check_exists: false
setup.ilm.overwrite: false

Omit ilm.check_exists and ilm.overwrite if ILM is disabled.

To grant the required privileges:

Create a writer role, called something like winlogbeat_writer, that has the following privileges (this list assumes the setup options shown earlier are set to false):

Privileges	Why needed?
`monitor`	Send monitoring info
`read_ilm`	Read the ILM policy when connecting to clusters that support ILM
`view_index_metadata` on `winlogbeat-*` indices	Check for alias when connecting to clusters that support ILM
`index` on `winlogbeat-*` indices	Index events into Elasticsearch
`create_index` on `winlogbeat-*` indices	Create daily indices when connecting to clusters that do not support ILM

Omit any privileges that aren’t relevant in your environment.

Assign the writer role to users who will index events into Elasticsearch.

Grant privileges and roles needed to read Winlogbeat data

edit

Kibana users typically need to view dashboards and visualizations that contain Winlogbeat data. These users might also need to create and edit dashboards and visualizations.

To grant users the required privileges:

Create a reader role, called something like winlogbeat_reader, that has the following privilege:

Privilege Why needed?

read on winlogbeat-* indices

Read data indexed by Winlogbeat
Assign the reader role, along with the following built-in roles, to users who need to read Winlogbeat data:

Roles Why needed?

kibana_user or kibana_dashboard_only_user

Use Kibana. kibana_dashboard_only_user grants read-only access to dashboards.

Omit any roles that aren’t relevant in your environment.

Privilege	Why needed?
`read` on `winlogbeat-*` indices	Read data indexed by Winlogbeat

Roles	Why needed?
`kibana_user` or `kibana_dashboard_only_user`	Use Kibana. `kibana_dashboard_only_user` grants read-only access to dashboards.

Learn more about users and roles

edit

Want to learn more about creating users and roles? See Securing the Elastic Stack. Also see:

Security privileges for a description of available privileges
Built-in roles for a description of roles that you can assign to users

« Configure Winlogbeat to use X-Pack security Configure authentication credentials »