You can enable auditing to keep track of security-related events such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.
Use the Kibana audit logs in conjunction with Elasticsearch’s audit logging to get a holistic view of all security related events. Kibana defers to Elasticsearch’s security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, see Auditing Security Events.
Audit logs are disabled by default. To enable this functionality, you
Audit logging uses the standard Kibana logging output, which can be configured
kibana.yml and is discussed in Configuring Kibana.
When you are auditing security events, each request can generate multiple audit events. The following is a list of the events that can be generated: