WARNING: Version 5.4 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Beats and Security
To send data to a secured cluster through the elasticsearch output, a Beat needs to authenticate as a user who can manage index templates, monitor the cluster, create indices, and read and write to the indices it creates.
If encryption is enabled on the cluster, you also need to enable HTTPS in the Beat configuration.
In addition to configuring authentication credentials for the Beat itself, you need to grant authorized users permission to access the indices it creates.
Configuring Authentication Credentials for a Beat
When sending data to a secured cluster through the elasticsearch output, a Beat must either provide basic authentication credentials or present a client certificate.
To configure authentication credentials for a Beat:
- Create a role that has the manage_index_templates and monitor cluster privileges, and read, write, and create_index privileges for the indices the Beat creates. You can create roles from the Management / Roles UI in Kibana or through the role API. For example, the following request creates a packetbeat_writer role:
- Assign the writer role to the user the Beat is going to use to connect to Elasticsearch:
  - To authenticate as a native user, create a user for the Beat to use internally and assign it the writer role. You can create users from the Management / Users UI in Kibana or through the user API. For example, the following request creates a packetbeat_internal user that has the packetbeat_writer role:

        POST /_xpack/security/user/packetbeat_internal
        {
          "password" : "changeme",
          "roles" : [ "packetbeat_writer"],
          "full_name" : "Internal Packetbeat User"
        }

  - To authenticate using PKI authentication, assign the writer role to the internal Beat user in the role_mapping.yml configuration file. Specify the user by the distinguished name that appears in its certificate.

        packetbeat_writer:
          - "cn=Internal Packetbeat User,ou=example,o=com"

- Configure authentication credentials for the elasticsearch output in the Beat configuration file:
  - To use basic authentication, configure the username and password settings. For example, the following Packetbeat output configuration uses the native packetbeat_internal user to connect to Elasticsearch:

        output.elasticsearch:
          hosts: ["localhost:9200"]
          index: "packetbeat"
          username: "packetbeat_internal"
          password: "changeme"

  - To use PKI authentication, configure the certificate and key settings:
Granting Users Access to Beats Indices
To enable users to access the indices a Beat creates, grant them read and view_index_metadata privileges on the Beat indices:
- Create a role that has the read and view_index_metadata privileges for the Beat indices. You can create roles from the Management > Roles UI in Kibana or through the role API. For example, the following request creates a packetbeat_reader role:
- Assign your users the reader role so they can access the Beat indices:
  - If you’re using the native realm, you can assign roles with the Management > Users UI in Kibana or through the user API. For example, the following request grants packetbeat_user the packetbeat_reader role:

        POST /_xpack/security/user/packetbeat_user
        {
          "password" : "changeme",
          "roles" : [ "packetbeat_reader"],
          "full_name" : "Packetbeat User"
        }

  - If you’re using the LDAP, Active Directory, or PKI realms, you assign the roles in the role_mapping.yml configuration file. For example, the following snippet grants Packetbeat User the packetbeat_reader role:

        packetbeat_reader:
          - "cn=Packetbeat User,dc=example,dc=com"
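A least-privilege check for the writer and reader roles described above, as an added example that is not part of the original documentation: it compares a role body (cluster privileges plus per-index names and privileges) against the privileges this page lists and reports anything missing or extra. The role bodies, the `audit_role` helper and the `packetbeat-*` index pattern are constructed for illustration.

```python
# Added example: audit a role body against the privileges this page lists.
# Privilege names are compared literally; sample role bodies are constructed.

# Privileges stated on this page for each kind of role.
EXPECTED = {
    "writer": {"cluster": {"manage_index_templates", "monitor"},
               "index": {"read", "write", "create_index"}},
    "reader": {"cluster": set(),
               "index": {"read", "view_index_metadata"}},
}


def audit_role(kind, body, index_prefix):
    """Return a sorted list of findings; an empty list means the role matches."""
    want = EXPECTED[kind]
    findings = []
    cluster = set(body.get("cluster", []))
    for p in want["cluster"] - cluster:
        findings.append(f"missing cluster privilege: {p}")
    for p in cluster - want["cluster"]:
        findings.append(f"extra cluster privilege: {p}")

    granted = set()
    for entry in body.get("indices", []):
        for name in entry.get("names", []):
            # A pattern outside the Beat's own indices widens the role's reach.
            if not name.startswith(index_prefix):
                findings.append(f"index pattern outside Beat indices: {name}")
        granted |= set(entry.get("privileges", []))
    for p in want["index"] - granted:
        findings.append(f"missing index privilege: {p}")
    for p in granted - want["index"]:
        findings.append(f"extra index privilege: {p}")
    return sorted(findings)


# Constructed sample: matches the writer role described on this page.
WRITER_OK = {
    "cluster": ["manage_index_templates", "monitor"],
    "indices": [{"names": ["packetbeat-*"],
                 "privileges": ["read", "write", "create_index"]}],
}
# Constructed sample: a reader role granted more than the page calls for.
READER_BROAD = {
    "cluster": ["monitor"],
    "indices": [{"names": ["*"],
                 "privileges": ["read", "view_index_metadata", "write"]}],
}

if __name__ == "__main__":
    print(audit_role("reader", READER_BROAD, "packetbeat"))
```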
Configuring Beats to use Encrypted Connections
If encryption is enabled on the Elasticsearch cluster, you need to connect to Elasticsearch via HTTPS. If the CA that signed your node certificates is not in the host system’s trusted certificate authorities list, you also need to add the path to the .pem file that contains your CA’s certificate to the Beat configuration.
To configure a Beat to connect to Elasticsearch via HTTPS, add the https protocol to all host URLs: