Grant privileges and roles needed for monitoring
This documentation refers to configuring the standalone (legacy) APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to Fleet and the APM integration.

Elasticsearch security features provide built-in users and roles for publishing and viewing monitoring data. The privileges and roles needed to publish monitoring data depend on the method used to collect that data.
Publish monitoring data
Elastic Cloud users: This section does not apply to our hosted Elasticsearch Service. Monitoring on Elastic Cloud is enabled by clicking the Enable button in the Monitoring panel.
Internal collection
If you're using internal collection to collect metrics about APM Server, security features provide the apm_system built-in user and apm_system built-in role to send monitoring information. You can use the built-in user, if it's available in your environment, or create a user who has the built-in role assigned, or create a user and manually assign the privileges needed to send monitoring information.
If you use the built-in apm_system user, make sure you set the password before using it.
If you don't use the apm_system user:

- Create a monitoring role, called something like apm_monitoring_writer, that has the following privileges:

  Type   Privilege                                     Purpose
  Index  create_index on .monitoring-beats-* indices   Create monitoring indices in Elasticsearch
  Index  create_doc on .monitoring-beats-* indices     Write monitoring events into Elasticsearch

- Assign the monitoring role to users who need to write monitoring data to Elasticsearch.
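The following is an added example, not part of the Elastic documentation: it builds the apm_monitoring_writer role body for the Elasticsearch create-role API (PUT /_security/role/<name>), checks that the body grants nothing beyond the two index privileges listed above, and sends it with basic authentication. The cluster URL, admin user name and password are assumptions you replace with your own.

```python
import base64
import json
import urllib.request

# Index pattern and privileges from the apm_monitoring_writer role described above.
MONITORING_INDEX_PATTERN = ".monitoring-beats-*"
WRITER_PRIVILEGES = ["create_index", "create_doc"]


def writer_role_definition() -> dict:
    """Body for PUT /_security/role/<name>: the two index privileges and no cluster privileges."""
    return {
        "cluster": [],
        "indices": [
            {"names": [MONITORING_INDEX_PATTERN], "privileges": list(WRITER_PRIVILEGES)}
        ],
    }


def is_least_privilege(role: dict) -> bool:
    """Reject a role body that grants more than the writer role needs: cluster, application
    or run_as privileges, index patterns other than .monitoring-beats-*, or index
    privileges outside create_index/create_doc (for example 'all' or 'write')."""
    if role.get("cluster") or role.get("applications") or role.get("run_as"):
        return False
    for entry in role.get("indices", []):
        if set(entry.get("names", [])) != {MONITORING_INDEX_PATTERN}:
            return False
        if not set(entry.get("privileges", [])) <= set(WRITER_PRIVILEGES):
            return False
    return True


def put_role(base_url: str, role_name: str, role: dict, user: str, password: str) -> int:
    """Create or update the role via the security API; returns the HTTP status code.
    base_url, user and password are placeholders supplied by the caller (assumed values)."""
    if not is_least_privilege(role):
        raise ValueError("refusing to create a role broader than the monitoring writer needs")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/_security/role/{role_name}",
        data=json.dumps(role).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

A call such as put_role("https://localhost:9200", "apm_monitoring_writer", writer_role_definition(), "elastic", "<admin-password>") creates the role; the user you then assign it to still needs the password set as described above.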
Metricbeat collection
When using Metricbeat to collect metrics, no roles or users need to be created with APM Server. See Use Metricbeat collection for complete details on setting up Metricbeat collection.

If you're using Metricbeat to collect metrics about APM Server, security features provide the remote_monitoring_user built-in user, and the remote_monitoring_collector and remote_monitoring_agent built-in roles for collecting and sending monitoring information. You can use the built-in user, if it's available in your environment, or create a user who has the privileges needed to collect and send monitoring information.
If you use the built-in remote_monitoring_user user, make sure you set the password before using it.
If you don't use the remote_monitoring_user user:

- Create a monitoring user on the production cluster who will collect and send monitoring information. Assign the following roles to the monitoring user:

  Role                         Purpose
  remote_monitoring_collector  Collect monitoring metrics from APM Server
  remote_monitoring_agent      Send monitoring data to the monitoring cluster
View monitoring data
To grant users the required privileges for viewing monitoring data:

- Create a monitoring role, called something like apm_monitoring_viewer, that has the following privileges:

  Type    Privilege                 Purpose
  Spaces  Read on Stack monitoring  Read-only access to the Stack Monitoring feature in Kibana.
  Spaces  Read on Dashboards        Read-only access to the Dashboards feature in Kibana.

- Assign the monitoring role, along with the following built-in roles, to users who need to view monitoring data for APM Server:

  Role             Purpose
  monitoring_user  Grants access to monitoring indices for APM Server