Grant privileges and roles needed for monitoringedit

This documentation refers to configuring the standalone (legacy) APM Server. This method of running APM Server will be deprecated and removed in a future release. Please consider upgrading to Fleet and the APM integration.

Elasticsearch security features provides built-in users and roles for publishing and viewing monitoring data. The privileges and roles needed to publish monitoring data depend on the method used to collect that data.

Publish monitoring dataedit

Elastic Cloud users: This section does not apply to our hosted Elasticsearch Service. Monitoring on Elastic Cloud is enabled by clicking the Enable button in the Monitoring panel.

Internal collectionedit

If you’re using internal collection to collect metrics about APM Server, security features provides the apm_system built-in user and apm_system built-in role to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the built-in role assigned, or create a user and manually assign the privileges needed to send monitoring information.

If you use the built-in apm_system user, make sure you set the password before using it.

If you don’t use the apm_system user:

  1. Create a monitoring role, called something like apm_monitoring_writer, that has the following privileges:

    Type Privilege Purpose

    Index

    create_index on .monitoring-beats-* indices

    Create monitoring indices in Elasticsearch

    Index

    create_doc on .monitoring-beats-* indices

    Write monitoring events into Elasticsearch

  2. Assign the monitoring role to users who need to write monitoring data to Elasticsearch.
Metricbeat collectionedit

When using Metricbeat to collect metrics, no roles or users need to be created with APM Server. See Use Metricbeat collection for complete details on setting up Metricbeat collection.

If you’re using Metricbeat to collect metrics about APM Server, security features provides the remote_monitoring_user built-in user, and the remote_monitoring_collector and remote_monitoring_agent built-in roles for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.

If you use the built-in remote_monitoring_user user, make sure you set the password before using it.

If you don’t use the remote_monitoring_user user:

  1. Create a monitoring user on the production cluster who will collect and send monitoring information. Assign the following roles to the monitoring user:

    Role Purpose

    remote_monitoring_collector

    Collect monitoring metrics from APM Server

    remote_monitoring_agent

    Send monitoring data to the monitoring cluster

View monitoring dataedit

To grant users the required privileges for viewing monitoring data:

  1. Create a monitoring role, called something like apm_monitoring_viewer, that has the following privileges:

    Type Privilege Purpose

    Spaces

    Read on Stack monitoring

    Read-only access to the Stack Monitoring feature in Kibana.

    Spaces

    Read on Dashboards

    Read-only access to the Dashboards feature in Kibana.

  2. Assign the monitoring role, along with the following built-in roles, to users who need to view monitoring data for APM Server:

    Role Purpose

    monitoring_user

    Grants access to monitoring indices for APM Server