Configure Auditbeat to use X-Pack securityedit

If you want Auditbeat to connect to a cluster that has X-Pack security enabled, there are extra configuration steps:

  1. Configure authentication credentials.

    To send data to a secured cluster through the elasticsearch output, Auditbeat needs to authenticate as a user who can manage index templates, monitor the cluster, create indices, and read and write to the indices it creates.

  2. Grant users access to Auditbeat indices.

    To search the indexed Auditbeat data and visualize it in Kibana, users need access to the indices Auditbeat creates.

  3. Configure Auditbeat to use encrypted connections.

    If encryption is enabled on the cluster, you need to enable HTTPS in the Auditbeat configuration.

  4. Set the password for the built-in monitoring user.

    Auditbeat uses the beats_system user to send monitoring data to Elasticsearch. If you plan to monitor Auditbeat in Kibana and have not yet set up the password, set it up now.

For more information about X-Pack security, see Securing the Elastic Stack.

Auditbeat features that require authorizationedit

After securing Auditbeat, make sure your users have the roles (or associated privileges) required to use these Auditbeat features. You must create the auditbeat_writer and auditbeat_reader roles (see Configure authentication credentials and Grant users access to Auditbeat indices). The other roles are built-in.

Feature Role

Send data to a secured cluster

auditbeat_writer

Load index templates

auditbeat_writer and kibana_user

Load Auditbeat dashboards into Kibana

auditbeat_writer and kibana_user

Load machine learning jobs

machine_learning_admin

Read indices created by Auditbeat

auditbeat_reader

View Auditbeat dashboards in Kibana

kibana_user