Audit logs
editAudit logs
editYou can enable auditing to keep track of security-related events such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.
Use the Kibana audit logs in conjunction with Elasticsearch audit logging to get a holistic view of all security related events. Kibana defers to the Elasticsearch security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, refer to Auditing security events.
Audit logs are disabled by default. To enable this functionality, you must
set xpack.security.audit.enabled
to true
in kibana.yml
.
The current version of the audit logger uses the standard Kibana logging output,
which can be configured in kibana.yml
. For more information, refer to Configure Kibana.
The audit logger uses a separate logger and can be configured using
the options in Audit logging settings.
Audit event types
editWhen you are auditing security events, each request can generate multiple audit events. The following is a list of the events that can be generated:
|
Logged when a user is authorized to access a saved objects when using a role with Kibana privileges |
|
Logged when a user isn’t authorized to access a saved objects when using a role with Kibana privileges |
ECS audit events
editThe following events are only logged if the ECS audit logger is enabled.
For information on how to configure xpack.security.audit.appender
, refer to
ECS audit logging settings.
Refer to the table of events that can be logged for auditing purposes.
Each event is broken down into category, type, action and outcome fields to make it easy to filter, query and aggregate the resulting logs. The trace.id field can be used to correlate multiple events that originate from the same request.
Refer to ECS audit schema for a table of fields that get logged with audit event.
To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from Elasticsearch is received. Refer to the corresponding Elasticsearch logs for potential write errors.
Category: authenticationedit |
||
Action |
Outcome |
Description |
|
|
User has logged in successfully. |
|
Failed login attempt (e.g. due to invalid credentials). |
|
Action |
Outcome |
Description |
|
|
User is creating a saved object. |
|
User is not authorized to create a saved object. |
|
|
|
User is creating a connector. |
|
User is not authorized to create a connector. |
|
|
|
User is creating an alert rule. |
|
User is not authorized to create an alert rule. |
|
Type: changeedit |
||
Action |
Outcome |
Description |
|
|
User is updating a saved object. |
|
User is not authorized to update a saved object. |
|
|
|
User is adding a saved object to other spaces. |
|
User is not authorized to add a saved object to other spaces. |
|
|
|
User is removing a saved object from other spaces. |
|
User is not authorized to remove a saved object from other spaces. |
|
|
|
User is removing references to a saved object. |
|
User is not authorized to remove references to a saved object. |
|
|
|
User is updating a connector. |
|
User is not authorized to update a connector. |
|
|
|
User is updating an alert rule. |
|
User is not authorized to update an alert rule. |
|
|
|
User is updating the API key of an alert rule. |
|
User is not authorized to update the API key of an alert rule. |
|
|
|
User is enabling an alert rule. |
|
User is not authorized to enable an alert rule. |
|
|
|
User is disabling an alert rule. |
|
User is not authorized to disable an alert rule. |
|
|
|
User is muting an alert rule. |
|
User is not authorized to mute an alert rule. |
|
|
|
User is unmuting an alert rule. |
|
User is not authorized to unmute an alert rule. |
|
|
|
User is muting an alert instance. |
|
User is not authorized to mute an alert instance. |
|
|
|
User is unmuting an alert instance. |
|
User is not authorized to unmute an alert instance. |
|
Type: deletionedit |
||
Action |
Outcome |
Description |
|
|
User is deleting a saved object. |
|
User is not authorized to delete a saved object. |
|
|
|
User is deleting a connector. |
|
User is not authorized to delete a connector. |
|
|
|
User is deleting an alert rule. |
|
User is not authorized to delete an alert rule. |
|
Type: accessedit |
||
Action |
Outcome |
Description |
|
|
User has accessed a saved object. |
|
User is not authorized to access a saved object. |
|
|
|
User has accessed a saved object as part of a search operation. |
|
User is not authorized to search for saved objects. |
|
|
|
User has accessed a connector. |
|
User is not authorized to access a connector. |
|
|
|
User has accessed a connector as part of a search operation. |
|
User is not authorized to search for connectors. |
|
|
|
User has accessed an alert rule. |
|
User is not authorized to access an alert rule. |
|
|
|
User has accessed an alert rule as part of a search operation. |
|
User is not authorized to search for alert rules. |
|
Category: webedit |
||
Action |
Outcome |
Description |
|
|
User is making an HTTP request. |
ECS audit schema
editAudit logs are written in JSON using Elastic Common Schema (ECS) specification.
Base Fieldsedit |
|
Field |
Description |
|
Time when the event was generated. Example: |
|
Human readable description of the event. |
Event Fieldsedit |
|
Field |
Description |
The action captured by the event. Refer to ECS audit events for a table of possible actions. |
|
High level category associated with the event. This field is closely related to Possible values:
|
|
Subcategory associated with the event. This field can be used along with the Possible values:
|
|
Denotes whether the event represents a success or failure. Possible values:
|
|
User Fieldsedit |
|
Field |
Description |
|
Login name of the user. Example: |
|
Set of user roles at the time of the event. Example: |
Kibana Fieldsedit |
|
Field |
Description |
|
ID of the space associated with the event. Example: |
|
ID of the user session associated with the event. Each login attempt results in a unique session id. |
|
Type of saved object associated with the event. Example: |
|
ID of the saved object associated with the event. |
|
Name of the authentication provider associated with the event. Example: |
|
Type of the authentication provider associated with the event. Example: |
|
Name of the Elasticsearch realm that has authenticated the user. Example: |
|
Name of the Elasticsearch realm where the user details were retrieved from. Example: |
|
Set of space IDs that a saved object is being shared to as part of the event. Example: |
|
Set of space IDs that a saved object is being removed from as part of the event. Example: |
Error Fieldsedit |
|
Field |
Description |
|
Error code describing the error. |
|
Error message. |
HTTP and URL Fieldsedit |
|
Field |
Description |
|
HTTP request method. Example: |
|
Domain of the url. Example: |
|
Path of the request. Example: |
|
Port of the request. Example: |
|
The query field describes the query string of the request. Example: |
|
Scheme of the request. Example: |
Tracing Fieldsedit |
|
Field |
Description |
Unique identifier allowing events of the same transaction from Kibana and Elasticsearch to be be correlated. |
Correlating ECS audit events
editAudit events can be correlated in two ways:
- Multiple Kibana audit events that resulted from the same request can be correlated together.
- If Elasticsearch audit logging is enabled, Kibana audit events from one request can be correlated with backend calls that create Elasticsearch audit events.
The examples below are simplified, many fields have been omitted and values have been shortened for clarity.
Example 1: correlating multiple Kibana audit events
editWhen "thom" creates a new alerting rule, five audit events are written:
{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"post"}},"url":{"domain":"localhost","path":"/api/alerting/rule","port":5601,"scheme":"https"},"user":{"name":"thom","roles":["superuser"]},"kibana":{"space_id":"default","session_id":"3dHCZRB..."},"@timestamp":"2022-01-25T13:05:34.449-05:00","message":"User is requesting [/api/alerting/rule] endpoint","trace":{"id":"e300e06..."}} {"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"space","id":"default"}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.454-05:00","message":"User has accessed space [id=default]","trace":{"id":"e300e06..."}} {"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.948-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}} {"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}} {"event":{"action":"rule_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"alert","id":"64517c3..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User is creating rule [id=64517c3...]","trace":{"id":"e300e06..."}}
All of these audit events can be correlated together by the same trace.id
value "e300e06..."
. The first event is the HTTP API call, the
next audit events are checks to validate the space and the connectors, and the last audit event is the actual rule creation.
Example 2: correlating a Kibana audit event with Elasticsearch audit events
editWhen "thom" logs in, a "user_login" Kibana audit event is written:
{"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T09:40:39.267-05:00","message":"User [thom] has logged in using basic provider [name=basic]","trace":{"id":"818cbf3..."}}
The trace.id
value "818cbf3..."
in the Kibana audit event can be correlated with the opaque_id
value in these six Elasticsearch audit events:
{"type":"audit", "timestamp":"2022-01-25T09:40:38,604-0500", "event.action":"access_granted", "user.name":"thom", "user.roles":["superuser"], "request.id":"YCx8wxs...", "action":"cluster:admin/xpack/security/user/authenticate", "request.name":"AuthenticateRequest", "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index", "request.name":"IndexRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk", "request.name":"BulkRequest", "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index:op_type/create", "request.name":"BulkItemRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
The Elasticsearch audit events show that "thom" authenticated, then subsequently "kibana_system" created a session for that user.