Granting Users Access to Auditbeat Indicesedit

To enable users to access the indices a Auditbeat creates, grant them read and view_index_metadata privileges on the Auditbeat indices:

  1. Create a role that has the read and view_index_metadata privileges for the Auditbeat indices. You can create roles from the Management > Roles UI in Kibana or through the role API. For example, the following request creates a auditbeat_reader role:

    POST _xpack/security/role/auditbeat_reader
      "indices": [
          "names": [ "auditbeat-*" ], 
          "privileges": ["read","view_index_metadata"]

    If you use a custom Auditbeat index pattern, specify that pattern instead of the default auditbeat-* pattern.

  2. Assign your users the reader role so they can access the Auditbeat indices:

    1. If you’re using the native realm, you can assign roles with the Management > Users UI in Kibana or through the user API. For example, the following request grants auditbeat_user the auditbeat_reader role:

      POST /_xpack/security/user/auditbeat_user
        "password" : "x-pack-test-password",
        "roles" : [ "auditbeat_reader"],
        "full_name" : "Auditbeat User"
    2. If you’re using the LDAP, Active Directory, or PKI realms, you assign the roles in the role_mapping.yml configuration file. For example, the following snippet grants Auditbeat User the auditbeat_reader role:

        - "cn=Auditbeat User,dc=example,dc=com"

      For more information, see Using Role Mapping Files.