Monitoring and Security

X-Pack monitoring consists of two components: an agent that you install on each Elasticsearch and Logstash node, and a Monitoring UI in Kibana. The monitoring agent collects and indexes metrics from the nodes, and you visualize the data through the Monitoring dashboards in Kibana. The agent can index data on the same Elasticsearch cluster, or send it to an external monitoring cluster.

To use X-Pack monitoring with X-Pack security enabled, you need to set up Kibana to work with X-Pack security and create at least one user for the Monitoring UI. If you are using an external monitoring cluster, you also need to configure a user for the monitoring agent and configure the agent to use the appropriate credentials when communicating with the monitoring cluster.

Setting Up Monitoring UI Users

When X-Pack security is enabled, Kibana users are prompted to log in when they access the UI. To use the Monitoring UI, a user must have access to the Kibana indices and permission to read from the monitoring indices.

You set up Monitoring UI users on the cluster where the monitoring data is being stored. To grant all of the necessary permissions, assign the user the monitoring_user and kibana_user roles:

  • If you’re using the native realm, you can assign roles through Kibana or with the User Management API. For example, the following command creates a user named jacknich and assigns him the kibana_user and monitoring_user roles:

    POST /_xpack/security/user/jacknich
    {
      "password" : "t0pS3cr3t",
      "roles" : [ "kibana_user", "monitoring_user" ]
    }

  • If you are using an LDAP or Active Directory realm, you can either assign roles on a per user basis, or assign roles to groups of users. By default, role mappings are configured in config/x-pack/role_mapping.yml. For example, the following snippet assigns the user named Jack Nicholson to the kibana_user and monitoring_user roles:

    kibana_user:
      - "cn=Jack Nicholson,dc=example,dc=com"
    monitoring_user:
      - "cn=Jack Nicholson,dc=example,dc=com"

Configuring Monitoring Agent to Communicate with an X-Pack Security-Enabled Monitoring Cluster

To configure the monitoring agent to communicate with a secured monitoring cluster:

  1. Configure a user on the monitoring cluster who has the remote_monitoring_agent role, which is built in to X-Pack. For example:

    POST /_xpack/security/user/agent-user
    {
      "password" : "t0pS3cr3t",
      "roles" : [ "remote_monitoring_agent" ]
    }

  2. On each node in the cluster being monitored, configure a Monitoring HTTP exporter in elasticsearch.yml and restart Elasticsearch. In the exporter configuration, you need to:

    1. Set the type to http.
    2. Specify the location of the monitoring cluster in the host setting.
    3. Provide the agent user credentials with the username and password settings.

    For example:

    xpack.monitoring.exporters:
      id1:
        type: http
        host: ["http://es-mon1:9200", "http://es-mon2:9200"]
        auth:
          username: agent-user
          password: password

    If SSL/TLS is enabled on the monitoring cluster:

    1. Specify the HTTPS protocol when setting the monitoring server host.
    2. Include the CA certificate in each node’s trusted certificates in order to verify the identities of the nodes in the monitoring cluster.

    To add a CA certificate to an Elasticsearch node’s trusted certificates, you can specify the location of the PEM encoded certificate with the certificate_authorities setting:

    xpack.monitoring.exporters:
      id1:
        type: http
        host: ["https://es-mon1:9200", "https://es-mon2:9200"]
        auth:
          username: agent-user
          password: password
        ssl:
          certificate_authorities: [ "/path/to/ca.crt" ]
      id2:
        type: local

    Alternatively, you can configure trusted certificates using a truststore (a Java Keystore file that contains the certificates):

    xpack.monitoring.exporters:
      id1:
        type: http
        host: ["https://es-mon1:9200", "https://es-mon2:9200"]
        auth:
          username: agent-user
          password: password
        ssl:
          truststore.path: /path/to/file
          truststore.password: password
      id2:
        type: local

  3. On each Logstash node being monitored, update logstash.yml to:

    1. Specify the location of the monitoring cluster and provide credentials for the agent user:

    xpack.monitoring.elasticsearch.url: ["http://es-mon-1:9200", "http://es-mon2:9200"]
    xpack.monitoring.elasticsearch.username: "remote_monitor"
    xpack.monitoring.elasticsearch.password: "changeme"

    2. If SSL/TLS is enabled on the monitoring cluster:

      • Specify the HTTPS protocol when setting the elasticsearch.url.
      • Include the CA certificate in each node’s trusted certificates in order to verify the identities of the nodes in the monitoring cluster.

    To add a CA certificate to a node’s trusted certificates, you can specify the location of the PEM encoded certificate with the xpack.monitoring.elasticsearch.ssl.ca setting:

    xpack.monitoring.elasticsearch.ssl.ca: [ "/path/to/ca.crt" ]

    Alternatively, you can configure trusted certificates using a truststore (a Java Keystore file that contains the certificates):

    xpack.monitoring.elasticsearch.ssl.truststore.path: /path/to/file
    xpack.monitoring.elasticsearch.ssl.truststore.password: changeme
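
An added example, not part of the original page or of X-Pack itself: a check to run before restarting nodes that flattens the elasticsearch.yml exporter settings from step 2 into dotted names and flags http exporters that send the agent password without TLS, or that use https with no exporter-level trust settings. The sample configuration is constructed, the function names are hypothetical, and the parser assumes simple block-style YAML with double-quoted hosts as in the snippets above.

```python
import re

# Constructed sample in the style of the exporter snippets above (not a real cluster).
SAMPLE = """\
xpack.monitoring.exporters:
  id1:
    type: http
    host: ["http://es-mon1:9200", "https://es-mon2:9200"]
    auth:
      username: agent-user
      password: password
  id2:
    type: http
    host: ["https://es-mon1:9200"]
    auth.username: agent-user
    auth.password: password
    ssl.certificate_authorities: [ "/path/to/ca.crt" ]
"""

def flatten(text):
    """Flatten simple block-style YAML into dotted setting names."""
    settings, stack = {}, []          # stack holds (indent, key) of open parents
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        stack = [s for s in stack if s[0] < indent] + [(indent, key)]
        if value.strip():
            settings[".".join(k for _, k in stack)] = value.strip()
    return settings

def audit_exporters(text):
    """Return (exporter, issue) pairs for http exporters with weak transport settings."""
    prefix, exporters, findings = "xpack.monitoring.exporters.", {}, []
    for key, value in flatten(text).items():
        if key.startswith(prefix):
            name, _, setting = key[len(prefix):].partition(".")
            exporters.setdefault(name, {})[setting] = value
    for name, cfg in sorted(exporters.items()):
        hosts = re.findall(r'"([^"]+)"', cfg.get("host", "")) if cfg.get("type") == "http" else []
        plain = [h for h in hosts if not h.startswith("https://")]
        if plain and "auth.password" in cfg:
            findings.append((name, "password sent without TLS to " + ", ".join(plain)))
        trust = ("ssl.certificate_authorities", "ssl.truststore.path")
        if len(plain) < len(hosts) and not any(t in cfg for t in trust):
            findings.append((name, "https host but no exporter-level CA or truststore"))
    return findings
```

The second finding is a prompt to confirm where the monitoring cluster's CA is trusted, since a node may trust it through settings outside the exporter block.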