Multi-Tenant

Hello Elastic Team,

I am detailing my scenario here.

I am working with many customers with ELK and want a free, open-source solution for multi-tenant monitoring of all those clients from one view, internally in my company.
All use Elasticsearch and Kibana version 9.0.1.
All are the free version of ELK.
What's your recommendation?

What exactly do you want to monitor? It is not clear if you want to have all the data from your clients in one place or if you want to monitor the resources of the clusters on your clients.

Please provide more context of what you want to do.

Thank you for the quick response.

We support multiple clients — each of them has their own deployment of Elasticsearch and Kibana version 9.0.1 (free tier).
My goal is to implement a centralized, multi-tenant monitoring solution from inside our company, without forwarding all raw logs from the clients. I want to:

  • Monitor alerts, detection signals, or summary dashboards from all client environments.
  • Avoid duplicating data or ingesting full logs into a central cluster (to reduce storage and bandwidth).
  • Maintain separate dashboards or views per client (i.e., tenant-level visibility).
  • Ideally use authentication or access control to isolate views per client in case they access our system.

We already have direct access to client ELK stacks, so actions or investigations are done directly on their environments. From our side, I just want to monitor — not manage — those environments.
Or, if there is a way to manage them, I am open to hearing it.

What solutions or recommendations can you provide to enable this kind of multi-tenant architecture?

The main issue is that I don't think this is possible regardless of the license level. Elasticsearch/Kibana are not built to be multi-tenant in this kind of way; there are no features to manage multiple clusters from a single cluster.

The multi-tenancy that it has is on the Kibana side using Spaces. It is more for when you have different teams that need different permissions, dashboards, etc.; it is like a soft separation of the data/permissions.

  • Monitor alerts, detection signals, or summary dashboards from all client environments.

This is not possible. Alerts and everything else in the Security app are organized by Spaces and use internal indices; you can only see them in the Space where they are created, if I'm not wrong.

  • Avoid duplicating data or ingesting full logs into a central cluster (to reduce storage and bandwidth).

If you want to see the data and query on it, maybe you can use Cross-Cluster Search. In theory it is included in the basic license, but there are limitations on which searches you can do; for example, ES|QL queries won't work.

  • Maintain separate dashboards or views per client (i.e., tenant-level visibility).

This is done per cluster in Kibana using Spaces.

  • Ideally use authentication or access control to isolate views per client in case they access our system.

With the basic license you can only use the internal authentication methods, which are the native realm and file realm, but this is also done per cluster.
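
The Cross-Cluster Search option mentioned in the reply above could look like the following in Kibana Dev Tools on the central cluster. This is an added example, not part of the original thread; the aliases `client_a` and `client_b`, the hostnames, the `logs-*` pattern and the `@timestamp` field are assumptions. It also assumes transport-layer trust between the clusters is already configured and that the user running the search has only read privileges on the remote indices.

```console
# Register each client cluster under its own alias (one alias per tenant).
# skip_unavailable keeps one unreachable client from failing the whole search.
PUT _cluster/settings
{
  "persistent": {
    "cluster.remote.client_a.seeds": ["es.client-a.example.internal:9300"],
    "cluster.remote.client_a.skip_unavailable": true,
    "cluster.remote.client_b.seeds": ["es.client-b.example.internal:9300"],
    "cluster.remote.client_b.skip_unavailable": true
  }
}

# Confirm which remotes are actually connected before trusting any dashboard.
GET _remote/info

# Query one tenant only: the alias prefix scopes the search to that client.
GET client_a:logs-*/_search
{
  "size": 20,
  "sort": [{ "@timestamp": "desc" }],
  "query": { "range": { "@timestamp": { "gte": "now-15m" } } }
}

# Query several tenants at once; data stays on the client clusters and
# only the matching hits travel back to the central cluster.
GET client_a:logs-*,client_b:logs-*/_search
{
  "size": 20,
  "sort": [{ "@timestamp": "desc" }],
  "query": { "range": { "@timestamp": { "gte": "now-15m" } } }
}
```

Each hit's `_index` is returned with the cluster alias prefix, which identifies the tenant a result came from.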