Audit logs
editAudit logs
editYou can enable auditing to keep track of security-related events such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.
Use the Kibana audit logs in conjunction with Elasticsearch’s audit logging to get a holistic view of all security related events. Kibana defers to Elasticsearch’s security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, see Auditing security events.
Audit logs are disabled by default. To enable this functionality, you
must set xpack.security.audit.enabled
to true
in kibana.yml
.
Audit logging uses the standard Kibana logging output, which can be configured
in the kibana.yml
and is discussed in Configure Kibana.
Audit event types
editWhen you are auditing security events, each request can generate multiple audit events. The following is a list of the events that can be generated:
|
Logged when a user is authorized to access a saved objects when using a role with Kibana privileges |
|
Logged when a user isn’t authorized to access a saved objects when using a role with Kibana privileges |