Setting up Auditbeat is an admin-level task that requires extra privileges. As a best practice, grant the setup role to administrators only, and use a more restrictive role for event publishing.
Administrators who set up Auditbeat typically need to load mappings, dashboards, and other objects used to index data into Elasticsearch and visualize it in Kibana.
To grant users the required privileges:
Create a setup role, called something like
auditbeat_setup, that has the following privileges:
Type Privilege Purpose
Retrieve cluster details (e.g. version)
Set up and manage index lifecycle management (ILM) policy
Set up aliases used by ILM
Write Auditbeat indices in order to index, update, and delete documents
Omit any privileges that aren’t relevant in your environment.
These instructions assume that you are using the default name for Auditbeat indices. If
auditbeat-*is not listed, or you are using a custom name, enter it manually and modify the privileges to match your index naming pattern.
Assign the setup role, along with the following built-in roles, to users who need to set up Auditbeat:
Load dependencies, such as example dashboards, if available, into Kibana
Set up index templates and, if available, ingest pipelines
Omit any roles that aren’t relevant in your environment.