Audit logs

You can enable auditing to keep track of security-related events such as authorization successes and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.

Use the Kibana audit logs in conjunction with Elasticsearch audit logging to get a holistic view of all security-related events. Kibana defers to the Elasticsearch security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, refer to Auditing security events.

Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in kibana.yml.

The current version of the audit logger uses the standard Kibana logging output, which can be configured in kibana.yml. For more information, refer to Configure Kibana. The audit logger uses a separate logger and can be configured using the options in Audit logging settings.

Audit event types

When you are auditing security events, each request can generate multiple audit events. The following is a list of the events that can be generated:

saved_objects_authorization_success
  Logged when a user is authorized to access a saved object when using a role with Kibana privileges.

saved_objects_authorization_failure
  Logged when a user isn't authorized to access a saved object when using a role with Kibana privileges.

ECS audit events

The following events are only logged if the ECS audit logger is enabled. For information on how to configure xpack.security.audit.appender, refer to ECS audit logging settings.

Refer to the table of events that can be logged for auditing purposes.

Each event is broken down into category, type, action and outcome fields to make it easy to filter, query and aggregate the resulting logs.

Refer to ECS audit schema for a table of the fields that get logged with each audit event.

To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from Elasticsearch is received. Refer to the corresponding Elasticsearch logs for potential write errors.

Category: authentication

Action      Outcome   Description
user_login  success   User has logged in successfully.
            failure   Failed login attempt (e.g. due to invalid credentials).

Category: database

Type: creation

Action               Outcome   Description
saved_object_create  unknown   User is creating a saved object.
                     failure   User is not authorized to create a saved object.
connector_create     unknown   User is creating a connector.
                     failure   User is not authorized to create a connector.
alert_create         unknown   User is creating an alert.
                     failure   User is not authorized to create an alert.
space_create         unknown   User is creating a space.
                     failure   User is not authorized to create a space.

Type: change

Action                           Outcome   Description
saved_object_update              unknown   User is updating a saved object.
                                 failure   User is not authorized to update a saved object.
saved_object_add_to_spaces       unknown   User is adding a saved object to other spaces.
                                 failure   User is not authorized to add a saved object to other spaces.
saved_object_delete_from_spaces  unknown   User is removing a saved object from other spaces.
                                 failure   User is not authorized to remove a saved object from other spaces.
saved_object_remove_references   unknown   User is removing references to a saved object.
                                 failure   User is not authorized to remove references to a saved object.
connector_update                 unknown   User is updating a connector.
                                 failure   User is not authorized to update a connector.
alert_update                     unknown   User is updating an alert.
                                 failure   User is not authorized to update an alert.
alert_update_api_key             unknown   User is updating the API key of an alert.
                                 failure   User is not authorized to update the API key of an alert.
alert_enable                     unknown   User is enabling an alert.
                                 failure   User is not authorized to enable an alert.
alert_disable                    unknown   User is disabling an alert.
                                 failure   User is not authorized to disable an alert.
alert_mute                       unknown   User is muting an alert.
                                 failure   User is not authorized to mute an alert.
alert_unmute                     unknown   User is unmuting an alert.
                                 failure   User is not authorized to unmute an alert.
alert_instance_mute              unknown   User is muting an alert instance.
                                 failure   User is not authorized to mute an alert instance.
alert_instance_unmute            unknown   User is unmuting an alert instance.
                                 failure   User is not authorized to unmute an alert instance.
space_update                     unknown   User is updating a space.
                                 failure   User is not authorized to update a space.

Type: deletion

Action               Outcome   Description
saved_object_delete  unknown   User is deleting a saved object.
                     failure   User is not authorized to delete a saved object.
connector_delete     unknown   User is deleting a connector.
                     failure   User is not authorized to delete a connector.
alert_delete         unknown   User is deleting an alert.
                     failure   User is not authorized to delete an alert.
space_delete         unknown   User is deleting a space.
                     failure   User is not authorized to delete a space.

Type: access

Action                Outcome   Description
saved_object_get      success   User has accessed a saved object.
                      failure   User is not authorized to access a saved object.
saved_object_resolve  success   User has accessed a saved object.
                      failure   User is not authorized to access a saved object.
saved_object_find     success   User has accessed a saved object as part of a search operation.
                      failure   User is not authorized to search for saved objects.
connector_get         success   User has accessed a connector.
                      failure   User is not authorized to access a connector.
connector_find        success   User has accessed a connector as part of a search operation.
                      failure   User is not authorized to search for connectors.
alert_get             success   User has accessed an alert.
                      failure   User is not authorized to access an alert.
alert_find            success   User has accessed an alert as part of a search operation.
                      failure   User is not authorized to search for alerts.
space_get             success   User has accessed a space.
                      failure   User is not authorized to access a space.
space_find            success   User has accessed a space as part of a search operation.
                      failure   User is not authorized to search for spaces.

Category: web

Action        Outcome   Description
http_request  unknown   User is making an HTTP request.

ECS audit schema

Audit logs are written in JSON using the Elastic Common Schema (ECS) specification.

Base Fields

Field       Description
@timestamp  Time when the event was generated. Example: 2016-05-23T08:05:34.853Z
message     Human readable description of the event.

Event Fields

Field           Description
event.action    The action captured by the event. Refer to ECS audit events for a table of
                possible actions.
event.category  High level category associated with the event. This field is closely related to
                event.type, which is used as a subcategory. Possible values: database, web,
                authentication
event.type      Subcategory associated with the event. This field can be used along with the
                event.category field to filter events down to a level appropriate for a single
                visualization. Possible values: creation, access, change, deletion
event.outcome   Denotes whether the event represents a success or failure. Possible values:
                success, failure, unknown

User Fields

Field         Description
user.name     Login name of the user. Example: jdoe
user.roles[]  Set of user roles at the time of the event. Example: [kibana_admin, reporting_user]

Kibana Fields

Field                           Description
kibana.space_id                 ID of the space associated with the event. Example: default
kibana.session_id               ID of the user session associated with the event. Each login attempt
                                results in a unique session id.
kibana.saved_object.type        Type of saved object associated with the event. Example: dashboard
kibana.saved_object.id          ID of the saved object associated with the event.
kibana.authentication_provider  Name of the authentication provider associated with the event.
                                Example: my-saml-provider
kibana.authentication_type      Type of the authentication provider associated with the event.
                                Example: saml
kibana.authentication_realm     Name of the Elasticsearch realm that has authenticated the user.
                                Example: native
kibana.lookup_realm             Name of the Elasticsearch realm where the user details were retrieved
                                from. Example: native
kibana.add_to_spaces[]          Set of space IDs that a saved object is being shared to as part of the
                                event. Example: [default, marketing]
kibana.delete_from_spaces[]     Set of space IDs that a saved object is being removed from as part of
                                the event. Example: [marketing]

Error Fields

Field          Description
error.code     Error code describing the error.
error.message  Error message.

HTTP and URL Fields

Field                Description
http.request.method  HTTP request method. Example: get, post, put, delete
url.domain           Domain of the url. Example: www.elastic.co
url.path             Path of the request. Example: /search
url.port             Port of the request. Example: 443
url.query            The query field describes the query string of the request. Example: q=elasticsearch
url.scheme           Scheme of the request. Example: https

Tracing Fields

Field     Description
trace.id  Unique identifier allowing events of the same transaction from Kibana and Elasticsearch to be correlated.
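As an added example (not code from Kibana or the Elastic documentation), the following Python reader consumes JSON lines of the shape the ECS audit logger writes, using the field names in the tables above: it parses a constructed sample, counts failure outcomes per user and action, and lists database writes logged with outcome unknown, which the ECS audit events section says are recorded before the Elasticsearch response arrives and so should be matched against the Elasticsearch logs. The sample documents, users, ids and trace ids are constructed, and treating event.category and event.type as either a string or an array is an assumption based on what ECS allows.

```python
import json
from collections import Counter
# Constructed sample in the shape the ECS audit logger writes: one JSON document per line.
# Field names follow the schema above; users, ids and timestamps are made up, last line is malformed.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2021-03-01T10:00:00.000Z","message":"jdoe failed to log in","event":{"action":"user_login","category":"authentication","outcome":"failure"},"user":{"name":"jdoe"},"kibana":{"session_id":"s-1","authentication_type":"basic"},"error":{"message":"invalid credentials"}}
{"@timestamp":"2021-03-01T10:00:05.000Z","message":"jdoe failed to log in","event":{"action":"user_login","category":"authentication","outcome":"failure"},"user":{"name":"jdoe"},"kibana":{"session_id":"s-2","authentication_type":"basic"},"error":{"message":"invalid credentials"}}
{"@timestamp":"2021-03-01T10:02:00.000Z","message":"jdoe is deleting dashboard [id=abc]","event":{"action":"saved_object_delete","category":["database"],"type":["deletion"],"outcome":"unknown"},"user":{"name":"jdoe","roles":["kibana_admin"]},"kibana":{"space_id":"default","session_id":"s-3","saved_object":{"type":"dashboard","id":"abc"}},"trace":{"id":"t-9"}}
{"@timestamp":"2021-03-01T10:03:00.000Z","message":"asmith is not authorized to access space [id=finance]","event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"failure"},"user":{"name":"asmith","roles":["reporting_user"]},"kibana":{"session_id":"s-4"},"error":{"code":"Error","message":"Unauthorized"}}
this line is not JSON
"""

def get_field(event, dotted):
    """Resolve an ECS dotted name such as "event.outcome" against the nested JSON document."""
    node = event
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def field_has(event, dotted, value):
    """Equality that also accepts arrays, which ECS allows for event.category and event.type (assumption)."""
    got = get_field(event, dotted)
    return got == value or (isinstance(got, list) and value in got)

def parse_audit_log(text):
    """Parse one JSON document per line; malformed lines are counted and skipped, not fatal."""
    events, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return events, skipped

def failures_by_user_and_action(events):
    """Count outcome == failure per (user.name, event.action): failed logins and authorization denials."""
    counts = Counter()
    for ev in events:
        if field_has(ev, "event.outcome", "failure"):
            counts[(get_field(ev, "user.name"), get_field(ev, "event.action"))] += 1
    return counts

def pending_writes(events):
    """Database writes with outcome unknown: (trace.id, action, object type, object id) to check in ES logs."""
    out = []
    for ev in events:
        if field_has(ev, "event.category", "database") and field_has(ev, "event.outcome", "unknown"):
            so = get_field(ev, "kibana.saved_object") or {}
            out.append((get_field(ev, "trace.id"), get_field(ev, "event.action"), so.get("type"), so.get("id")))
    return out
```

The trace.id values returned by pending_writes are the join key for looking up the same transaction in the Elasticsearch audit log.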