Auditbeat features that require authorizationedit

After securing Auditbeat, make sure your users have the roles (or associated privileges) required to use these Auditbeat features. Note that some of the roles shown here are built-in, and some are user-defined.

Feature Role

Send data to a secured cluster

auditbeat_writer [a]

Load index templates

auditbeat_writer [a] and kibana_user

Load Auditbeat dashboards into Kibana

auditbeat_writer [a] and kibana_user

Load machine learning jobs

machine_learning_admin

Read indices created by Auditbeat

auditbeat_reader [a]

View Auditbeat dashboards in Kibana

kibana_user

Load index lifecycle policies and use index lifecycle management

auditbeat_ilm [a]

[a] These roles are user-defined.

To create the user-defined roles shown here, see Configure authentication credentials and Grant users access to Auditbeat indices. You may want to define additional roles to provide more restrictive access.