Configure Packetbeat to use X-Pack securityedit

If you want Packetbeat to connect to a cluster that has X-Pack security enabled, there are extra configuration steps:

  1. Configure authentication credentials.

    To send data to a secured cluster through the elasticsearch output, Packetbeat needs to authenticate as a user who can manage index templates, monitor the cluster, create indices, and read and write to the indices it creates.

  2. Grant users access to Packetbeat indices.

    To search the indexed Packetbeat data and visualize it in Kibana, users need access to the indices Packetbeat creates.

  3. Configure Packetbeat to use encrypted connections.

    If encryption is enabled on the cluster, you need to enable HTTPS in the Packetbeat configuration.

  4. Set the password for the beats_system built-in user.

    Packetbeat uses the beats_system user to send monitoring data to Elasticsearch. If you plan to monitor Packetbeat in Kibana and have not yet set up the password, set it up now.

For more information about X-Pack security, see Securing the Elastic Stack.

Packetbeat features that require authorizationedit

After securing Packetbeat, make sure your users have the roles (or associated privileges) required to use these Packetbeat features. You must create the packetbeat_writer and packetbeat_reader roles (see Configure authentication credentials and Grant users access to Packetbeat indices). The machine_learning_admin and kibana_user roles are built-in.

Feature Role

Send data to a secured cluster


Load index templates

packetbeat_writer and kibana_user

Load Packetbeat dashboards into Kibana

packetbeat_writer and kibana_user

Load machine learning jobs


Read indices created by Packetbeat


View Packetbeat dashboards in Kibana