Audit Logging

edit

You can enable auditing to keep track of security-related events such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.

Use the Kibana audit logs in conjunction with Elasticsearch’s audit logging to get a holistic view of all security related events. Kibana defers to Elasticsearch’s security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, see Enabling audit logging.

Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in kibana.yml.

Audit logging uses the standard Kibana logging output, which can be configured in the kibana.yml and is discussed in Configuring Kibana.

Audit event types

edit

When you are auditing security events, each request can generate multiple audit events. The following is a list of the events that can be generated:

saved_objects_authorization_success

Logged when a user is authorized to access a saved objects when using a role with Kibana privileges

saved_objects_authorization_failure

Logged when a user isn’t authorized to access a saved objects when using a role with Kibana privileges