If you want Auditbeat to connect to a cluster that has X-Pack security enabled, there are extra configuration steps:
To send data to a secured cluster through the
elasticsearchoutput, Auditbeat needs to authenticate as a user who can manage index templates, monitor the cluster, create indices, and read and write to the indices it creates.
To search the indexed Auditbeat data and visualize it in Kibana, users need access to the indices Auditbeat creates.
If encryption is enabled on the cluster, you need to enable HTTPS in the Auditbeat configuration.
Auditbeat uses the
beats_systemuser to send monitoring data to Elasticsearch. If you plan to monitor Auditbeat in Kibana and have not yet set up the password, set it up now.
For more information about X-Pack security, see Securing the Elastic Stack.
Auditbeat features that require authorizationedit
After securing Auditbeat, make sure your users have the roles (or associated
privileges) required to use these Auditbeat features. You must create the
auditbeat_reader roles (see Configure authentication credentials and
Grant users access to Auditbeat indices). The
kibana_user roles are
Send data to a secured cluster
Load index templates
Load Auditbeat dashboards into Kibana
Load machine learning jobs
Read indices created by Auditbeat
View Auditbeat dashboards in Kibana