WARNING: Version 6.1 of Winlogbeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« Winlogbeat and X-Pack Security Granting Users Access to Winlogbeat Indices »
Elastic Docs Winlogbeat Reference [6.1] Securing Winlogbeat Winlogbeat and X-Pack Security

Configuring Authentication Credentials for Winlogbeat

edit

Configuring Authentication Credentials for Winlogbeat

edit

When sending data to a secured cluster through the elasticsearch output, Winlogbeat must either provide basic authentication credentials or present a client certificate.

To configure authentication credentials for Winlogbeat:

  1. Create a role that has the manage_index_templates and monitor cluster privileges, and read, write, and create_index privileges for the indices that Winlogbeat creates. You can create roles from the Management / Roles UI in Kibana or through the role API. For example, the following request creates a winlogbeat_writer role:

    POST _xpack/security/role/winlogbeat_writer
{
  "cluster": ["manage_index_templates", "monitor"],
  "indices": [
    {
      "names": [ "winlogbeat-*" ], 
      "privileges": ["write","create_index"]
    }
  ]
}

    If you use a custom Winlogbeat index pattern, specify that pattern instead of the default winlogbeat-* pattern.

  2. Assign the writer role to the user that Winlogbeat will use to connect to Elasticsearch:

    1. To authenticate as a native user, create a user for the Winlogbeat to use internally and assign it the writer role. You can create users from the Management / Users UI in Kibana or through the user API. For example, the following request creates a winlogbeat_internal user that has the winlogbeat_writer role:

      POST /_xpack/security/user/winlogbeat_internal
{
  "password" : "x-pack-test-password",
  "roles" : [ "winlogbeat_writer"],
  "full_name" : "Internal Winlogbeat User"
}

    2. To authenticate using PKI authentication, assign the writer role to the internal Winlogbeat user in the role_mapping.yml configuration file. Specify the user by the distinguished name that appears in its certificate.

      winlogbeat_writer:
  - "cn=Internal Winlogbeat User,ou=example,o=com"

      For more information, see Using Role Mapping Files.

  3. Configure authentication credentials for the elasticsearch output in the Winlogbeat configuration file:

    1. To use basic authentication, configure the username and password settings. For example, the following Winlogbeat output configuration uses the native winlogbeat_internal user to connect to Elasticsearch:

      output.elasticsearch:
    hosts: ["localhost:9200"]
    index: "winlogbeat"
    username: "winlogbeat_internal"
    password: "x-pack-test-password"

    2. To use PKI authentication, configure the certificate and key settings:

      output.elasticsearch:
    hosts: ["localhost:9200"]
    index: "winlogbeat"
    ssl.certificate: "/etc/pki/client/cert.pem" 
    ssl.key: "/etc/pki/client/cert.key"

      The distinguished name (DN) in the certificate must be mapped to the writer role in the role_mapping.yml configuration file on each node in the Elasticsearch cluster.
« Winlogbeat and X-Pack Security Granting Users Access to Winlogbeat Indices »