ContextQMD
Back to Beats

Grant privileges and roles needed for monitoring [privileges-to-publish-monitoring]

docs/reference/auditbeat/privileges-to-publish-monitoring.md

9.4.03.3 KB
Original Source

Grant privileges and roles needed for monitoring [privileges-to-publish-monitoring]

{{es-security-features}} provides built-in users and roles for monitoring. The privileges and roles needed depend on the method used to collect monitoring data.

::::{admonition} Important note for {{ecloud}} users :class: important

Built-in users are not available when running {{ech}}. To send monitoring data securely, create a monitoring user and grant it the roles described in the following sections.

::::

  • If you’re using internal collection to collect metrics about Auditbeat, {{es-security-features}} provides the beats_system built-in user and beats_system built-in role to send monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to send monitoring information.

    If you use the beats_system user, make sure you set the password.

    If you don’t use the beats_system user:

    1. Create a monitoring role, called something like auditbeat_monitoring, that has the following privileges:

      TypePrivilegePurpose
      ClustermonitorRetrieve cluster details (e.g. version)
      Indexcreate_index on .monitoring-beats-* indicesCreate monitoring indices in {{es}}
      Indexcreate_doc on .monitoring-beats-* indicesWrite monitoring events into {{es}}

    2. Assign the monitoring role, along with the following built-in roles, to users who need to monitor Auditbeat:

      RolePurpose
      kibana_adminUse {{kib}}
      monitoring_userUse Stack Monitoring in {{kib}} to monitor Auditbeat

  • If you’re using {{metricbeat}} to collect metrics about Auditbeat, {{es-security-features}} provides the remote_monitoring_user built-in user, and the remote_monitoring_collector and remote_monitoring_agent built-in roles for collecting and sending monitoring information. You can use the built-in user, if it’s available in your environment, or create a user who has the privileges needed to collect and send monitoring information.

    If you use the remote_monitoring_user user, make sure you set the password.

    If you don’t use the remote_monitoring_user user:

    1. Create a user on the production cluster who will collect and send monitoring information.

    2. Assign the following roles to the user:

      RolePurpose
      remote_monitoring_collectorCollect monitoring metrics from Auditbeat
      remote_monitoring_agentSend monitoring data to the monitoring cluster

    3. Assign the following role to users who will view the monitoring data in {{kib}}:

      RolePurpose
      monitoring_userUse Stack Monitoring in {{kib}} to monitor Auditbeat