Elastic Auth

Starting in Elastic 6.8.0, Elastic authentication is included for free in Elastic Features. This allows you to assign different privileges to different users in Kibana.

To enable, simply run so-elastic-auth on your master server only (or standalone) and follow the prompts. so-elastic-auth will do the following:

  • walk you through switching to Elastic Features if necessary
  • enable authentication in Elasticsearch, Logstash, Kibana, Curator, and ElastAlert
  • find any existing user accounts in your Sguil database and create corresponding accounts in Elasticsearch with read-only privilege by default

Once you’ve completed so-elastic-auth, you should then:

  • log into Kibana using the elastic super-user account
  • set any other account privileges as necessary
  • distribute the temporary passwords generated by so-elastic-auth to your users and have them reset their passwords


Please note that you will continue to authenticate to Sguil, Squert, and CapMe with your traditional Sguil/Squert/CapMe account.

If you add new Elastic Auth accounts in the future, you will need to assign them at least the so_user_read_only role.