Grant users access to Packetbeat indicesedit

To enable users to access the indices Packetbeat creates, grant them read and view_index_metadata privileges on the Packetbeat indices. If they’re using Kibana, they also need the kibana_user role.

  1. Create a reader role that has the read and view_index_metadata privileges on the Packetbeat indices.

    You can create roles from the Management > Roles UI in Kibana or through the role API. For example, the following request creates a role named packetbeat_reader:

    POST _xpack/security/role/packetbeat_reader
    {
      "indices": [
        {
          "names": [ "packetbeat-*" ], 
          "privileges": ["read","view_index_metadata"]
        }
      ]
    }

    If you use a custom Packetbeat index pattern, specify that pattern instead of the default packetbeat-* pattern.

  2. Assign your users the reader role so they can access the Packetbeat indices. For Kibana users who need to visualize the data, also assign the kibana_user role:

    1. If you’re using the native realm, you can assign roles with the Management > Users UI in Kibana or through the user API. For example, the following request grants packetbeat_user the packetbeat_reader and kibana_user roles:

      POST /_xpack/security/user/packetbeat_user
      {
        "password" : "YOUR_PASSWORD",
        "roles" : [ "packetbeat_reader","kibana_user"],
        "full_name" : "Packetbeat User"
      }
    2. If you’re using the LDAP, Active Directory, or PKI realms, you assign the roles in the role_mapping.yml configuration file. For example, the following snippet grants Packetbeat User the packetbeat_reader and kibana_user roles:

      packetbeat_reader:
        - "cn=Packetbeat User,dc=example,dc=com"
      kibana_user:
        - "cn=Packetbeat User,dc=example,dc=com"

      For more information, see Using Role Mapping Files.