Audit logsedit

Audit logging is a subscription feature that you can enable to keep track of security-related events, such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.

Use the Kibana audit logs in conjunction with Elasticsearch audit logging to get a holistic view of all security related events. Kibana defers to the Elasticsearch security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, refer to Auditing security events.

Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in kibana.yml.

You can optionally configure audit logs location, file/rolling file appenders and ignore filters using Audit logging settings.

Audit eventsedit

Refer to the table of events that can be logged for auditing purposes.

Each event is broken down into category, type, action and outcome fields to make it easy to filter, query and aggregate the resulting logs. The trace.id field can be used to correlate multiple events that originate from the same request.

Refer to Audit schema for a table of fields that get logged with audit event.

To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from Elasticsearch is received. Refer to the corresponding Elasticsearch logs for potential write errors.

Category: authenticationedit

Action

Outcome

Description

user_login

success

User has logged in successfully.

failure

Failed login attempt (e.g. due to invalid credentials).

user_logout

unknown

User is logging out.

session_cleanup

unknown

Removing invalid or expired session.

access_agreement_acknowledged

n/a

User has acknowledged the access agreement.

Category: databaseedit

Type: creationedit

Action

Outcome

Description

saved_object_create

unknown

User is creating a saved object.

failure

User is not authorized to create a saved object.

saved_object_open_point_in_time

unknown

User is creating a Point In Time to use when querying saved objects.

failure

User is not authorized to create a Point In Time for the provided saved object types.

connector_create

unknown

User is creating a connector.

failure

User is not authorized to create a connector.

rule_create

unknown

User is creating a rule.

failure

User is not authorized to create a rule.

space_create

unknown

User is creating a space.

failure

User is not authorized to create a space.

Type: changeedit

Action

Outcome

Description

saved_object_update

unknown

User is updating a saved object.

failure

User is not authorized to update a saved object.

saved_object_add_to_spaces

unknown

User is adding a saved object to other spaces.

failure

User is not authorized to add a saved object to other spaces.

saved_object_delete_from_spaces

unknown

User is removing a saved object from other spaces.

failure

User is not authorized to remove a saved object from other spaces.

saved_object_remove_references

unknown

User is removing references to a saved object.

failure

User is not authorized to remove references to a saved object.

connector_update

unknown

User is updating a connector.

failure

User is not authorized to update a connector.

rule_update

unknown

User is updating a rule.

failure

User is not authorized to update a rule.

rule_update_api_key

unknown

User is updating the API key of a rule.

failure

User is not authorized to update the API key of a rule.

rule_enable

unknown

User is enabling a rule.

failure

User is not authorized to enable a rule.

rule_disable

unknown

User is disabling a rule.

failure

User is not authorized to disable a rule.

rule_mute

unknown

User is muting a rule.

failure

User is not authorized to mute a rule.

rule_unmute

unknown

User is unmuting a rule.

failure

User is not authorized to unmute a rule.

rule_alert_mute

unknown

User is muting an alert.

failure

User is not authorized to mute an alert.

rule_alert_unmute

unknown

User is unmuting an alert.

failure

User is not authorized to unmute an alert.

space_update

unknown

User is updating a space.

failure

User is not authorized to update a space.

alert_update

unknown

User is updating an alert.

failure

User is not authorized to update an alert.

Type: deletionedit

Action

Outcome

Description

saved_object_delete

unknown

User is deleting a saved object.

failure

User is not authorized to delete a saved object.

saved_object_close_point_in_time

unknown

User is deleting a Point In Time that was used to query saved objects.

failure

User is not authorized to delete a Point In Time.

connector_delete

unknown

User is deleting a connector.

failure

User is not authorized to delete a connector.

rule_delete

unknown

User is deleting a rule.

failure

User is not authorized to delete a rule.

space_delete

unknown

User is deleting a space.

failure

User is not authorized to delete a space.

Type: accessedit

Action

Outcome

Description

saved_object_get

success

User has accessed a saved object.

failure

User is not authorized to access a saved object.

saved_object_resolve

success

User has accessed a saved object.

failure

User is not authorized to access a saved object.

saved_object_find

success

User has accessed a saved object as part of a search operation.

failure

User is not authorized to search for saved objects.

connector_get

success

User has accessed a connector.

failure

User is not authorized to access a connector.

connector_find

success

User has accessed a connector as part of a search operation.

failure

User is not authorized to search for connectors.

rule_get

success

User has accessed a rule.

failure

User is not authorized to access a rule.

rule_find

success

User has accessed a rule as part of a search operation.

failure

User is not authorized to search for rules.

space_get

success

User has accessed a space.

failure

User is not authorized to access a space.

space_find

success

User has accessed a space as part of a search operation.

failure

User is not authorized to search for spaces.

alert_get

success

User has accessed an alert.

failure

User is not authorized to access an alert.

alert_find

success

User has accessed an alert as part of a search operation.

failure

User is not authorized to access alerts.

Category: webedit

Action

Outcome

Description

http_request

unknown

User is making an HTTP request.

Audit schemaedit

Audit logs are written in JSON using Elastic Common Schema (ECS) specification.

Base Fieldsedit

Field

Description

@timestamp

Time when the event was generated.

Example: 2016-05-23T08:05:34.853Z

message

Human readable description of the event.

Event Fieldsedit

Field

Description

event.action

The action captured by the event.

Refer to Audit events for a table of possible actions.

event.category

High level category associated with the event.

This field is closely related to event.type, which is used as a subcategory.

Possible values: database, web, authentication

event.type

Subcategory associated with the event.

This field can be used along with the event.category field to enable filtering events down to a level appropriate for single visualization.

Possible values: creation, access, change, deletion

event.outcome

Denotes whether the event represents a success or failure.

Possible values: success, failure, unknown

User Fieldsedit

Field

Description

user.name

Login name of the user.

Example: jdoe

user.roles[]

Set of user roles at the time of the event.

Example: [kibana_admin, reporting_user]

Kibana Fieldsedit

Field

Description

kibana.space_id

ID of the space associated with the event.

Example: default

kibana.session_id

ID of the user session associated with the event.

Each login attempt results in a unique session id.

kibana.saved_object.type

Type of saved object associated with the event.

Example: dashboard

kibana.saved_object.id

ID of the saved object associated with the event.

kibana.authentication_provider

Name of the authentication provider associated with the event.

Example: my-saml-provider

kibana.authentication_type

Type of the authentication provider associated with the event.

Example: saml

kibana.authentication_realm

Name of the Elasticsearch realm that has authenticated the user.

Example: native

kibana.lookup_realm

Name of the Elasticsearch realm where the user details were retrieved from.

Example: native

kibana.add_to_spaces[]

Set of space IDs that a saved object is being shared to as part of the event.

Example: [default, marketing]

kibana.delete_from_spaces[]

Set of space IDs that a saved object is being removed from as part of the event.

Example: [marketing]

Error Fieldsedit

Field

Description

error.code

Error code describing the error.

error.message

Error message.

HTTP and URL Fieldsedit

Field

Description

http.request.method

HTTP request method.

Example: get, post, put, delete

url.domain

Domain of the url.

Example: www.elastic.co

url.path

Path of the request.

Example: /search

url.port

Port of the request.

Example: 443

url.query

The query field describes the query string of the request.

Example: q=elasticsearch

url.scheme

Scheme of the request.

Example: https

Tracing Fieldsedit

Field

Description

trace.id

Unique identifier allowing events of the same transaction from Kibana and Elasticsearch to be be correlated.

Correlating audit eventsedit

Audit events can be correlated in two ways:

  1. Multiple Kibana audit events that resulted from the same request can be correlated together.
  2. If Elasticsearch audit logging is enabled, Kibana audit events from one request can be correlated with backend calls that create Elasticsearch audit events.

The examples below are simplified, many fields have been omitted and values have been shortened for clarity.

Example 1: correlating multiple Kibana audit eventsedit

When "thom" creates a new alerting rule, five audit events are written:

{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"post"}},"url":{"domain":"localhost","path":"/api/alerting/rule","port":5601,"scheme":"https"},"user":{"name":"thom","roles":["superuser"]},"kibana":{"space_id":"default","session_id":"3dHCZRB..."},"@timestamp":"2022-01-25T13:05:34.449-05:00","message":"User is requesting [/api/alerting/rule] endpoint","trace":{"id":"e300e06..."}}
{"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"space","id":"default"}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.454-05:00","message":"User has accessed space [id=default]","trace":{"id":"e300e06..."}}
{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.948-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
{"event":{"action":"rule_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"alert","id":"64517c3..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User is creating rule [id=64517c3...]","trace":{"id":"e300e06..."}}

All of these audit events can be correlated together by the same trace.id value "e300e06...". The first event is the HTTP API call, the next audit events are checks to validate the space and the connectors, and the last audit event is the actual rule creation.

Example 2: correlating a Kibana audit event with Elasticsearch audit eventsedit

When "thom" logs in, a "user_login" Kibana audit event is written:

{"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T09:40:39.267-05:00","message":"User [thom] has logged in using basic provider [name=basic]","trace":{"id":"818cbf3..."}}

The trace.id value "818cbf3..." in the Kibana audit event can be correlated with the opaque_id value in these six Elasticsearch audit events:

{"type":"audit", "timestamp":"2022-01-25T09:40:38,604-0500", "event.action":"access_granted", "user.name":"thom", "user.roles":["superuser"], "request.id":"YCx8wxs...", "action":"cluster:admin/xpack/security/user/authenticate", "request.name":"AuthenticateRequest", "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index", "request.name":"IndexRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk", "request.name":"BulkRequest", "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index:op_type/create", "request.name":"BulkItemRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}

The Elasticsearch audit events show that "thom" authenticated, then subsequently "kibana_system" created a session for that user.