Audit logsedit

You can enable auditing to keep track of security-related events such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.

Use the Kibana audit logs in conjunction with Elasticsearch audit logging to get a holistic view of all security related events. Kibana defers to the Elasticsearch security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, refer to Auditing security events.

Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in kibana.yml.

The current version of the audit logger uses the standard Kibana logging output, which can be configured in kibana.yml. For more information, refer to Configure Kibana. The audit logger uses a separate logger and can be configured using the options in Audit logging settings.

Audit event typesedit

When you are auditing security events, each request can generate multiple audit events. The following is a list of the events that can be generated:

saved_objects_authorization_success

Logged when a user is authorized to access a saved objects when using a role with Kibana privileges

saved_objects_authorization_failure

Logged when a user isn’t authorized to access a saved objects when using a role with Kibana privileges

ECS audit eventsedit

The following events are only logged if the ECS audit logger is enabled. For information on how to configure xpack.security.audit.appender, refer to ECS audit logging settings.

Refer to the table of events that can be logged for auditing purposes.

Each event is broken down into category, type, action and outcome fields to make it easy to filter, query and aggregate the resulting logs.

To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from Elasticsearch is received. Refer to the corresponding Elasticsearch logs for potential write errors.

Category: authenticationedit

Action

Outcome

Description

user_login

success

User has logged in successfully.

failure

Failed login attempt (e.g. due to invalid credentials).

Category: databaseedit

Type: creationedit

Action

Outcome

Description

saved_object_create

unknown

User is creating a saved object.

failure

User is not authorized to create a saved object.

Type: changeedit

Action

Outcome

Description

saved_object_update

unknown

User is updating a saved object.

failure

User is not authorized to update a saved object.

saved_object_add_to_spaces

unknown

User is adding a saved object to other spaces.

failure

User is not authorized to add a saved object to other spaces.

saved_object_delete_from_spaces

unknown

User is removing a saved object from other spaces.

failure

User is not authorized to remove a saved object from other spaces.

Type: deletionedit

Action

Outcome

Description

saved_object_delete

unknown

User is deleting a saved object.

failure

User is not authorized to delete a saved object.

Type: accessedit

Action

Outcome

Description

saved_object_get

success

User has accessed a saved object.

failure

User is not authorized to access a saved object.

saved_object_find

success

User has accessed a saved object as part of a search operation.

failure

User is not authorized to search for saved objects.

Category: webedit

Action

Outcome

Description

http_request

unknown

User is making an HTTP request.