Audit logs
editAudit logs
editAudit logging is a subscription feature that you can enable to keep track of security-related events, such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.
Use the Kibana audit logs in conjunction with Elasticsearch audit logging to get a holistic view of all security related events. Kibana defers to the Elasticsearch security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, refer to Auditing security events.
Audit logs are disabled by default. To enable this functionality, you must
set xpack.security.audit.enabled
to true
in kibana.yml
.
You can optionally configure audit logs location, file/rolling file appenders and ignore filters using Audit logging settings.
Audit events
editRefer to the table of events that can be logged for auditing purposes.
Each event is broken down into category, type, action and outcome fields to make it easy to filter, query and aggregate the resulting logs. The trace.id field can be used to correlate multiple events that originate from the same request.
Refer to Audit schema for a table of fields that get logged with audit event.
To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from Elasticsearch is received. Refer to the corresponding Elasticsearch logs for potential write errors.
Category: authenticationedit |
||
Action |
Outcome |
Description |
|
|
User has logged in successfully. |
|
Failed login attempt (e.g. due to invalid credentials). |
|
|
|
User is logging out. |
|
|
Removing invalid or expired session. |
|
n/a |
User has acknowledged the access agreement. |
Action |
Outcome |
Description |
|
|
User is creating a saved object. |
|
User is not authorized to create a saved object. |
|
|
|
User is creating a Point In Time to use when querying saved objects. |
|
User is not authorized to create a Point In Time for the provided saved object types. |
|
|
|
User is creating a connector. |
|
User is not authorized to create a connector. |
|
|
|
User is creating a rule. |
|
User is not authorized to create a rule. |
|
|
|
User is creating a space. |
|
User is not authorized to create a space. |
|
Type: changeedit |
||
Action |
Outcome |
Description |
|
|
User is updating a saved object. |
|
User is not authorized to update a saved object. |
|
|
|
User is adding a saved object to other spaces. |
|
User is not authorized to add a saved object to other spaces. |
|
|
|
User is removing a saved object from other spaces. |
|
User is not authorized to remove a saved object from other spaces. |
|
|
|
User is removing references to a saved object. |
|
User is not authorized to remove references to a saved object. |
|
|
|
User is updating a connector. |
|
User is not authorized to update a connector. |
|
|
|
User is updating a rule. |
|
User is not authorized to update a rule. |
|
|
|
User is updating the API key of a rule. |
|
User is not authorized to update the API key of a rule. |
|
|
|
User is enabling a rule. |
|
User is not authorized to enable a rule. |
|
|
|
User is disabling a rule. |
|
User is not authorized to disable a rule. |
|
|
|
User is muting a rule. |
|
User is not authorized to mute a rule. |
|
|
|
User is unmuting a rule. |
|
User is not authorized to unmute a rule. |
|
|
|
User is muting an alert. |
|
User is not authorized to mute an alert. |
|
|
|
User is unmuting an alert. |
|
User is not authorized to unmute an alert. |
|
|
|
User is updating a space. |
|
User is not authorized to update a space. |
|
|
|
User is updating an alert. |
|
User is not authorized to update an alert. |
|
|
|
User is snoozing a rule. |
|
User is not authorized to snooze a rule. |
|
|
|
User is unsnoozing a rule. |
|
User is not authorized to unsnooze a rule. |
|
Type: deletionedit |
||
Action |
Outcome |
Description |
|
|
User is deleting a saved object. |
|
User is not authorized to delete a saved object. |
|
|
|
User is deleting a Point In Time that was used to query saved objects. |
|
User is not authorized to delete a Point In Time. |
|
|
|
User is deleting a connector. |
|
User is not authorized to delete a connector. |
|
|
|
User is deleting a rule. |
|
User is not authorized to delete a rule. |
|
|
|
User is deleting a space. |
|
User is not authorized to delete a space. |
|
Type: accessedit |
||
Action |
Outcome |
Description |
|
|
User has accessed a saved object. |
|
User is not authorized to access a saved object. |
|
|
|
User has accessed a saved object. |
|
User is not authorized to access a saved object. |
|
|
|
User has accessed a saved object as part of a search operation. |
|
User is not authorized to search for saved objects. |
|
|
|
User has accessed a connector. |
|
User is not authorized to access a connector. |
|
|
|
User has accessed a connector as part of a search operation. |
|
User is not authorized to search for connectors. |
|
|
|
User has accessed a rule. |
|
User is not authorized to access a rule. |
|
|
|
User has accessed execution log for a rule. |
|
User is not authorized to access execution log for a rule. |
|
|
|
User has accessed a rule as part of a search operation. |
|
User is not authorized to search for rules. |
|
|
|
User has accessed a space. |
|
User is not authorized to access a space. |
|
|
|
User has accessed a space as part of a search operation. |
|
User is not authorized to search for spaces. |
|
|
|
User has accessed an alert. |
|
User is not authorized to access an alert. |
|
|
|
User has accessed an alert as part of a search operation. |
|
User is not authorized to access alerts. |
|
Category: webedit |
||
Action |
Outcome |
Description |
|
|
User is making an HTTP request. |
Audit schema
editAudit logs are written in JSON using Elastic Common Schema (ECS) specification.
Base Fieldsedit |
|
Field |
Description |
|
Time when the event was generated. Example: |
|
Human readable description of the event. |
Event Fieldsedit |
|
Field |
Description |
The action captured by the event. Refer to Audit events for a table of possible actions. |
|
High level category associated with the event. This field is closely related to Possible values:
|
|
Subcategory associated with the event. This field can be used along with the Possible values:
|
|
Denotes whether the event represents a success or failure. Possible values:
|
|
User Fieldsedit |
|
Field |
Description |
|
Login name of the user. Example: |
|
Set of user roles at the time of the event. Example: |
Kibana Fieldsedit |
|
Field |
Description |
|
ID of the space associated with the event. Example: |
|
ID of the user session associated with the event. Each login attempt results in a unique session id. |
|
Type of saved object associated with the event. Example: |
|
ID of the saved object associated with the event. |
|
Name of the authentication provider associated with the event. Example: |
|
Type of the authentication provider associated with the event. Example: |
|
Name of the Elasticsearch realm that has authenticated the user. Example: |
|
Name of the Elasticsearch realm where the user details were retrieved from. Example: |
|
Set of space IDs that a saved object is being shared to as part of the event. Example: |
|
Set of space IDs that a saved object is being removed from as part of the event. Example: |
Error Fieldsedit |
|
Field |
Description |
|
Error code describing the error. |
|
Error message. |
HTTP and URL Fieldsedit |
|
Field |
Description |
|
HTTP request method. Example: |
|
Domain of the url. Example: |
|
Path of the request. Example: |
|
Port of the request. Example: |
|
The query field describes the query string of the request. Example: |
|
Scheme of the request. Example: |
Tracing Fieldsedit |
|
Field |
Description |
Unique identifier allowing events of the same transaction from Kibana and Elasticsearch to be be correlated. |
Correlating audit events
editAudit events can be correlated in two ways:
- Multiple Kibana audit events that resulted from the same request can be correlated together.
- If Elasticsearch audit logging is enabled, Kibana audit events from one request can be correlated with backend calls that create Elasticsearch audit events.
The examples below are simplified, many fields have been omitted and values have been shortened for clarity.
Example 1: correlating multiple Kibana audit events
editWhen "thom" creates a new alerting rule, five audit events are written:
{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"post"}},"url":{"domain":"localhost","path":"/api/alerting/rule","port":5601,"scheme":"https"},"user":{"name":"thom","roles":["superuser"]},"kibana":{"space_id":"default","session_id":"3dHCZRB..."},"@timestamp":"2022-01-25T13:05:34.449-05:00","message":"User is requesting [/api/alerting/rule] endpoint","trace":{"id":"e300e06..."}} {"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"space","id":"default"}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.454-05:00","message":"User has accessed space [id=default]","trace":{"id":"e300e06..."}} {"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.948-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}} {"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}} {"event":{"action":"rule_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"alert","id":"64517c3..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User is creating rule [id=64517c3...]","trace":{"id":"e300e06..."}}
All of these audit events can be correlated together by the same trace.id
value "e300e06..."
. The first event is the HTTP API call, the
next audit events are checks to validate the space and the connectors, and the last audit event is the actual rule creation.
Example 2: correlating a Kibana audit event with Elasticsearch audit events
editWhen "thom" logs in, a "user_login" Kibana audit event is written:
{"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"kibana":{"session_id":"ab93zdA..."},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T09:40:39.267-05:00","message":"User [thom] has logged in using basic provider [name=basic]","trace":{"id":"818cbf3..."}}
The trace.id
value "818cbf3..."
in the Kibana audit event can be correlated with the opaque_id
value in these six Elasticsearch audit events:
{"type":"audit", "timestamp":"2022-01-25T09:40:38,604-0500", "event.action":"access_granted", "user.name":"thom", "user.roles":["superuser"], "request.id":"YCx8wxs...", "action":"cluster:admin/xpack/security/user/authenticate", "request.name":"AuthenticateRequest", "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index", "request.name":"IndexRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk", "request.name":"BulkRequest", "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index:op_type/create", "request.name":"BulkItemRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."} {"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
The Elasticsearch audit events show that "thom" authenticated, then subsequently "kibana_system" created a session for that user.