Grant users access to secured resourcesedit

You can use role-based access control to grant users access to secured resources. The roles that you set up depend on your organization’s security requirements and the minimum privileges required to use specific features.

Journalbeat users typically perform these main roles: they do the initial setup, publish monitoring information, and publish events. If they’re using Kibana, they view and sometimes create visualizations that access Journalbeat indices.

X-Pack security provides pre-built roles that grant some of the privileges needed by Journalbeat users. When possible, use the built-in roles to minimize the affect of future changes on your security strategy.

For privileges not granted by existing roles, create new roles. At a minimum, create a role for setting up Journalbeat, a role for publishing events, and a role for reading Journalbeat indices. Assign these new roles, along with the pre-built roles, to grant the full set of privileges required by Journalbeat users.

The following sections describe the privileges and roles required to perform specific job roles.

Privileges needed for initial setupedit

Users who set up Journalbeat typically need to load mappings, dashboards, and other objects used to index data into Elasticsearch and visualize it in Kibana. The privileges required depend on the setup tasks users need to perform.

These instructions assume that you are using the default name for Journalbeat indices. If you are using a custom name, modify the privileges to match your index naming pattern.

Task Required privileges and roles

Set up index templates

manage_index_templates and monitor on cluster

manage_ilm on cluster (if cluster supports index lifecycle management)

manage on journalbeat-* indices (if cluster supports index lifecycle management)

Set up index lifecycle policies

manage_ilm, manage_index_templates, and monitor on cluster

manage on journalbeat-* indices

Privileges needed to publish and view monitoring informationedit

X-Pack security provides the journalbeat_system built-in user and journalbeat_system built-in role for sending monitoring information. You can use the built-in user, or create a user who has the privileges needed to send monitoring information. If you use the journalbeat_system user, make sure you set the password.

Task Required privileges and roles

Send monitoring info

monitor on cluster

Use Stack Monitoring in Kibana to monitor Journalbeat

monitoring_user and kibana_user roles

Privileges needed to publish eventsedit

Users who publish events to Elasticsearch need to create and read from Journalbeat indices. The privileges required for this role depend on the tasks users need to perform:

Task Required privileges and roles

Send data to a secured cluster without index lifecycle management

monitor on cluster

create_index and index on journalbeat-* indices

also requires privileges to set up index templates unless you’ve disabled automatic template loading

Send data to a secured cluster that supports index lifecycle management

manage_index_templates,manage_ilm [1], and monitor on cluster

index and manage on journalbeat-* indices

Privileges needed by Kibana usersedit

Kibana users typically need to view dashboards and visualizations that contain Journalbeat data. These users might also need to create and edit dashboards and visualizations.

The privileges required for Kibana users depend on the tasks they need to perform:

Task Required privileges and roles

View Journalbeat dashboards

read on journalbeat-* indices

kibana_dashboard_only_user role

View and edit Journalbeat dashboards

read on journalbeat-* indices

kibana_user role

Learn more about users and rolesedit

Want to learn more about creating users and roles? See Securing the Elastic Stack. Also see:

[1] Use read_ilm instead of manage_ilm if you pre-loaded the lifecycle policy