Configure authentication credentials
editConfigure authentication credentials
editWhen sending data to a secured cluster through the elasticsearch
output, Packetbeat must either provide basic authentication credentials
or present a client certificate.
To configure authentication credentials for Packetbeat:
-
Create a writer role that has the following privileges:
-
Cluster:
manage_index_templates
andmonitor
-
Index:
write
andcreate_index
on the Packetbeat indices
You can create roles from the Management / Roles UI in Kibana or through the
role
API. For example, the following request creates a role namedpacketbeat_writer
: -
Cluster:
-
Assign the writer role to the user that Packetbeat will use to connect to Elasticsearch. If you plan to load the pre-built Kibana dashboards, also assign the
kibana_user
role. If you plan to load machine learning jobs, assign themachine_learning_admin
role.-
To authenticate as a native user, create a user for Packetbeat to use internally and assign it the writer role, plus any other roles that are needed.
You can create users from the Management / Users UI in Kibana or through the
user
API. For example, following request creates a user namedpacketbeat_internal
that has thepacketbeat_writer
andkibana_user
roles:POST /_xpack/security/user/packetbeat_internal { "password" : "YOUR_PASSWORD", "roles" : [ "packetbeat_writer","kibana_user"], "full_name" : "Internal Packetbeat User" }
-
To use PKI authentication, assign the writer role, plus any other roles that are needed, in the
role_mapping.yml
configuration file. Specify the user by the distinguished name that appears in its certificate:packetbeat_writer: - "cn=Internal Packetbeat User,ou=example,o=com" kibana_user: - "cn=Internal Packetbeat User,ou=example,o=com"
For more information, see Using Role Mapping Files.
-
-
In the Packetbeat configuration file, specify authentication credentials for the
elasticsearch
output:-
To use basic authentication, configure the
username
andpassword
settings. For example, the following Packetbeat output configuration uses the nativepacketbeat_internal
user to connect to Elasticsearch:output.elasticsearch: hosts: ["localhost:9200"] username: "packetbeat_internal" password: "YOUR_PASSWORD"
You created this user earlier.
The example shows a hard-coded password, but you should store sensitive values in the secrets keystore.
-
To use PKI authentication, configure the
certificate
andkey
settings:
-