Grant access using API keys
Instead of using usernames and passwords, you can use API keys to grant access to Elasticsearch resources. You can set API keys to expire at a certain time, and you can explicitly invalidate them. Any user with the manage_api_key or manage_own_api_key cluster privilege can create API keys.
Auditbeat instances typically send both collected data and monitoring information to Elasticsearch. If you are sending both to the same cluster, you can use the same API key. For different clusters, you need to use an API key per cluster.
For security reasons, we recommend using a unique API key per Auditbeat instance. You can create as many API keys per user as necessary.
Review Grant users access to secured resources before creating API keys for Auditbeat.
Create an API key for publishing
To create an API key to use for writing data to Elasticsearch, use the Create API key API, for example:

POST /_security/api_key
{
  "name": "auditbeat_host001",
  "role_descriptors": {
    "auditbeat_writer": {
      "cluster": ["monitor", "read_ilm", "read_pipeline"],
      "index": [
        {
          "names": ["auditbeat-*"],
          "privileges": ["view_index_metadata", "create_doc", "auto_configure"]
        }
      ]
    }
  }
}

name: Name of the API key.
role_descriptors: Granted privileges, see Grant users access to secured resources.
See Create a publishing user for the list of privileges required to publish events.
The return value will look something like this:
You can now use this API key in your auditbeat.yml configuration file like this:
Format is |
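The following Python sketch is an added example, not code from the Auditbeat documentation. It builds a per-instance publishing request with an expiration, audits any request body against the publishing privileges listed in the request above, and joins the `id` and `api_key` fields of the Create API key response into the `id:api_key` value that Beats accept. The function names, the 30d lifetime and the sample response values are assumptions of this example.

```python
import json

# Publishing privileges taken from the request shown on this page.
CLUSTER_OK = {"monitor", "read_ilm", "read_pipeline"}
INDEX_OK = {"view_index_metadata", "create_doc", "auto_configure"}
NAMES_OK = {"auditbeat-*"}


def build_request(host, expiration="30d"):
    """Body for POST /_security/api_key: one expiring key per instance.
    The 30d default lifetime is an assumption of this example."""
    return {
        "name": f"auditbeat_{host}",
        "expiration": expiration,
        "role_descriptors": {"auditbeat_writer": {
            "cluster": sorted(CLUSTER_OK),
            "index": [{"names": sorted(NAMES_OK),
                       "privileges": sorted(INDEX_OK)}],
        }},
    }


def audit_request(body):
    """List everything in a request body that exceeds the publishing role."""
    findings = []
    if not body.get("expiration"):
        findings.append("no expiration: key stays valid until invalidated")
    roles = body.get("role_descriptors") or {}
    if not roles:
        findings.append("no role_descriptors: key inherits creator's privileges")
    for role, desc in roles.items():
        for priv in sorted(set(desc.get("cluster", [])) - CLUSTER_OK):
            findings.append(f"{role}: extra cluster privilege {priv}")
        for entry in desc.get("index", []):
            for name in sorted(set(entry.get("names", [])) - NAMES_OK):
                findings.append(f"{role}: unexpected index pattern {name}")
            for priv in sorted(set(entry.get("privileges", [])) - INDEX_OK):
                findings.append(f"{role}: extra index privilege {priv}")
    return findings


def beat_api_key(response):
    """Join the response's id and api_key fields as id:api_key."""
    return f"{response['id']}:{response['api_key']}"


if __name__ == "__main__":
    print(json.dumps(build_request("host001"), indent=2))
    # Constructed response for illustration, not real credentials.
    sample = {"id": "EXAMPLE_ID", "name": "auditbeat_host001", "api_key": "EXAMPLE_KEY"}
    print("api_key:", beat_api_key(sample))
```

Running `audit_request` over request bodies before they are submitted catches keys that would be broader than the publishing role or that never expire.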
Create an API key for monitoring
To create an API key to use for sending monitoring data to Elasticsearch, use the Create API key API, for example:

POST /_security/api_key
{
  "name": "auditbeat_host001",
  "role_descriptors": {
    "auditbeat_monitoring": {
      "cluster": ["monitor"],
      "index": [
        {
          "names": [".monitoring-beats-*"],
          "privileges": ["create_index", "create"]
        }
      ]
    }
  }
}

name: Name of the API key.
role_descriptors: Granted privileges, see Grant users access to secured resources.
See Create a monitoring user for the list of privileges required to send monitoring data.
The return value will look something like this:
You can now use this API key in your auditbeat.yml configuration file like this:
Format is |
Learn more about API keys
See the Elasticsearch API key documentation for more information: