Audit logs
Audit logging is a subscription feature that you can enable to keep track of security-related events, such as authorization successes and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.
Use the Kibana audit logs in conjunction with Elasticsearch audit logging to get a holistic view of all security-related events. Kibana defers to the Elasticsearch security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, refer to Auditing security events.
Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in kibana.yml.
You can optionally configure the audit log location, file and rolling-file appenders, and ignore filters using the Audit logging settings.
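As an added example (not a fragment from this page or from the Kibana project itself), the following kibana.yml excerpt enables audit logging, writes events as JSON to a dedicated rolling file, and drops the high-volume HTTP request events. The setting names are the ones documented under Audit logging settings; the file path is a placeholder, and the second ignore filter is an assumed volume-reduction choice, not a recommendation.

```yaml
# Audit logging is disabled by default; this turns it on.
xpack.security.audit.enabled: true

# Send audit events to their own JSON file instead of the regular Kibana log,
# rotating daily and keeping ten archived files.
xpack.security.audit.appender:
  type: rolling-file
  fileName: /var/log/kibana/audit.log   # placeholder path, adjust for your host
  layout:
    type: json
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

# Events matching any filter are not written. Each list item is one filter,
# and a filter matches only when all of its criteria match the event.
xpack.security.audit.ignore_filters:
  # One http_request event is written per API call; drop them if the
  # database/authentication events already give you what you need.
  - actions: [http_request]
  # Assumed trade-off: suppress successful read-only database accesses.
  - categories: [database]
    types: [access]
    outcomes: [success]
```

Filtering out successful access events cuts volume considerably, but it also removes the "who read what" trail that an investigation may later need; keep authentication events and every failure outcome unfiltered, and treat any further ignore filter as a deliberate evidence-retention decision.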
Audit events
Refer to the table of events that can be logged for auditing purposes.
Each event is broken down into category, type, action and outcome fields to make it easy to filter, query and aggregate the resulting logs. The trace.id field can be used to correlate multiple events that originate from the same request.
Refer to Audit schema for a table of the fields that are logged with each audit event.
To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from Elasticsearch is received. Refer to the corresponding Elasticsearch logs for potential write errors.
Category: authentication
- User has logged in successfully.
- Failed login attempt (e.g. due to invalid credentials).
- User is logging out.
- Removing invalid or expired session.
- User has acknowledged the access agreement. (outcome: n/a)
Category: database
Type: creation
- User is creating a saved object.
- User is not authorized to create a saved object.
- User is creating a Point In Time to use when querying saved objects.
- User is not authorized to create a Point In Time for the provided saved object types.
- User is creating a connector.
- User is not authorized to create a connector.
- User is creating a rule.
- User is not authorized to create a rule.
- User is creating an ad hoc run.
- User is not authorized to create an ad hoc run.
- User is creating a space.
- User is not authorized to create a space.
- User is creating a case.
- User is not authorized to create a case.
- User is creating a case configuration.
- User is not authorized to create a case configuration.
- User is creating a case comment.
- User is not authorized to create a case comment.
- User is creating multiple case comments.
- User is not authorized to create multiple case comments.
- User has created a case comment.
- User has created a case.
- Creating anomaly detection job.
- Failed to create anomaly detection job.
- Creating anomaly detection datafeed.
- Failed to create anomaly detection datafeed.
- Creating calendar.
- Failed to create calendar.
- Adding events to calendar.
- Failed to add events to calendar.
- Creating anomaly detection forecast.
- Failed to create anomaly detection forecast.
- Creating filter.
- Failed to create filter.
- Creating data frame analytics job.
- Failed to create data frame analytics job.
- Creating trained model.
- Failed to create trained model.
- User requested to install the product documentation for use in AI Assistants.
- User has created knowledge base entry [id=x]
- Failed attempt to create a knowledge base entry
- User has updated knowledge base entry [id=x]
- Failed attempt to update a knowledge base entry
- User has deleted knowledge base entry [id=x]
- Failed attempt to delete a knowledge base entry
Type: change
- User is updating a saved object.
- User is not authorized to update a saved object.
- User is adding and/or removing a saved object to/from other spaces.
- User is not authorized to add or remove a saved object to or from other spaces.
- User is removing references to a saved object.
- User is not authorized to remove references to a saved object.
- User has accessed references to a multi-space saved object.
- User is not authorized to access references to a multi-space saved object.
- User is updating a connector.
- User is not authorized to update a connector.
- User is updating a rule.
- User is not authorized to update a rule.
- User is updating the API key of a rule.
- User is not authorized to update the API key of a rule.
- User is enabling a rule.
- User is not authorized to enable a rule.
- User is disabling a rule.
- User is not authorized to disable a rule.
- User is muting a rule.
- User is not authorized to mute a rule.
- User is unmuting a rule.
- User is not authorized to unmute a rule.
- User is muting an alert.
- User is not authorized to mute an alert.
- User is unmuting an alert.
- User is not authorized to unmute an alert.
- User is updating a space.
- User is not authorized to update a space.
- User is updating an alert.
- User is not authorized to update an alert.
- User is snoozing a rule.
- User is not authorized to snooze a rule.
- User is unsnoozing a rule.
- User is not authorized to unsnooze a rule.
- User is updating a case.
- User is not authorized to update a case.
- User is pushing a case to an external service.
- User is not authorized to push a case to an external service.
- User is updating a case configuration.
- User is not authorized to update a case configuration.
- User is updating a case comment.
- User is not authorized to update a case comment.
- User has added a case assignee.
- User has updated a case connector.
- User has updated a case description.
- User has updated the case settings.
- User has updated the case severity.
- User has updated the case status.
- User has pushed a case to an external service.
- User has added tags to a case.
- User has updated the case title.
- Opening anomaly detection job.
- Failed to open anomaly detection job.
- Closing anomaly detection job.
- Failed to close anomaly detection job.
- Starting anomaly detection datafeed.
- Failed to start anomaly detection datafeed.
- Stopping anomaly detection datafeed.
- Failed to stop anomaly detection datafeed.
- Updating anomaly detection job.
- Failed to update anomaly detection job.
- Resetting anomaly detection job.
- Failed to reset anomaly detection job.
- Reverting anomaly detection snapshot.
- Failed to revert anomaly detection snapshot.
- Updating anomaly detection datafeed.
- Failed to update anomaly detection datafeed.
- Adding job to calendar.
- Failed to add job to calendar.
- Removing job from calendar.
- Failed to remove job from calendar.
- Updating filter.
- Failed to update filter.
- Starting data frame analytics job.
- Failed to start data frame analytics job.
- Stopping data frame analytics job.
- Failed to stop data frame analytics job.
- Updating data frame analytics job.
- Failed to update data frame analytics job.
- Starting trained model deployment.
- Failed to start trained model deployment.
- Stopping trained model deployment.
- Failed to stop trained model deployment.
- Updating trained model deployment.
- Failed to update trained model deployment.
- User requested to update the product documentation for use in AI Assistants.
Type: deletion
- User is deleting a saved object.
- User is not authorized to delete a saved object.
- User is deleting a Point In Time that was used to query saved objects.
- User is not authorized to delete a Point In Time.
- User is deleting a connector.
- User is not authorized to delete a connector.
- User is deleting a rule.
- User is not authorized to delete a rule.
- User is deleting an ad hoc run.
- User is not authorized to delete an ad hoc run.
- User is deleting a space.
- User is not authorized to delete a space.
- User is deleting a case.
- User is not authorized to delete a case.
- User is deleting all comments associated with a case.
- User is not authorized to delete all comments associated with a case.
- User is deleting a case comment.
- User is not authorized to delete a case comment.
- User has removed a case assignee.
- User has deleted a case comment.
- User has deleted a case.
- User has removed tags from a case.
- Deleting anomaly detection job.
- Failed to delete anomaly detection job.
- Deleting model snapshot.
- Failed to delete model snapshot.
- Deleting anomaly detection datafeed.
- Failed to delete anomaly detection datafeed.
- Deleting calendar.
- Failed to delete calendar.
- Deleting calendar event.
- Failed to delete calendar event.
- Deleting filter.
- Failed to delete filter.
- Deleting forecast.
- Failed to delete forecast.
- Deleting data frame analytics job.
- Failed to delete data frame analytics job.
- Deleting trained model.
- Failed to delete trained model.
- User requested to delete the product documentation for use in AI Assistants.
Type: access
- User has accessed a saved object.
- User is not authorized to access a saved object.
- User has accessed a saved object.
- User is not authorized to access a saved object.
- User has accessed a saved object as part of a search operation.
- User is not authorized to search for saved objects.
- User has accessed a connector.
- User is not authorized to access a connector.
- User has accessed a connector as part of a search operation.
- User is not authorized to search for connectors.
- User has accessed a rule.
- User is not authorized to access a rule.
- User has accessed execution log for a rule.
- User is not authorized to access execution log for a rule.
- User has accessed a rule as part of a search operation.
- User is not authorized to search for rules.
- User has accessed a rule as part of a backfill schedule operation.
- User is not authorized to access rule for backfill scheduling.
- User has accessed an ad hoc run.
- User is not authorized to access ad hoc run.
- User has accessed an ad hoc run as part of a search operation.
- User is not authorized to search for ad hoc runs.
- User has accessed a space.
- User is not authorized to access a space.
- User has accessed a space as part of a search operation.
- User is not authorized to search for spaces.
- User has accessed an alert.
- User is not authorized to access an alert.
- User has accessed an alert as part of a search operation.
- User is not authorized to access alerts.
- User has accessed a case.
- User is not authorized to access a case.
- User has accessed multiple cases.
- User is not authorized to access multiple cases.
- User has accessed a case.
- User is not authorized to access a case.
- User has accessed a case as part of a search operation.
- User is not authorized to search for cases.
- User has accessed cases.
- User is not authorized to access cases.
- User has accessed metrics for a case.
- User is not authorized to access metrics for a case.
- User has accessed metrics for cases.
- User is not authorized to access metrics for cases.
- User has accessed a case configuration as part of a search operation.
- User is not authorized to search for case configurations.
- User has accessed metrics for case comments.
- User is not authorized to access metrics for case comments.
- User has accessed case alerts.
- User is not authorized to access case alerts.
- User has accessed a case comment.
- User is not authorized to access a case comment.
- User has accessed multiple case comments.
- User is not authorized to access multiple case comments.
- User has accessed case comments.
- User is not authorized to access case comments.
- User has accessed a case comment as part of a search operation.
- User is not authorized to search for case comments.
- User has accessed a case.
- User is not authorized to access a case.
- User has accessed a case.
- User is not authorized to access a case.
- User has accessed a case.
- User is not authorized to access a case.
- User has accessed a case as part of a search operation.
- User is not authorized to search for cases.
- User has accessed the user activity of a case.
- User is not authorized to access the user activity of a case.
- User has accessed the user activity of a case as part of a search operation.
- User is not authorized to access the user activity of a case.
- User has accessed metrics for the user activity of a case.
- User is not authorized to access metrics for the user activity of a case.
- User has accessed the users associated with a case.
- User is not authorized to access the users associated with a case.
- User has accessed the connectors of a case.
- User is not authorized to access the connectors of a case.
- Inferring using trained model.
- Failed to infer using trained model.
Category: web
- User is making an HTTP request.
Audit schema
Audit logs are written in JSON using the Elastic Common Schema (ECS) specification.
Base fields
- Time when the event was generated. Example:
- Human readable description of the event.
Event fields
- The action captured by the event. Refer to Audit events for a table of possible actions.
- High level category associated with the event. This field is closely related to Possible values:
- Subcategory associated with the event. This field can be used along with the Possible values:
- Denotes whether the event represents a success or failure. Possible values:
User fields
- Unique identifier of the user across sessions (see user profiles).
- Login name of the user. Example:
- Set of user roles at the time of the event. Example:
Kibana fields
- ID of the space associated with the event. Example:
- ID of the user session associated with the event. Each login attempt results in a unique session id.
- Type of saved object associated with the event. Example:
- ID of the saved object associated with the event.
- Name of the authentication provider associated with the event. Example:
- Type of the authentication provider associated with the event. Example:
- Name of the Elasticsearch realm that has authenticated the user. Example:
- Name of the Elasticsearch realm where the user details were retrieved from. Example:
- Set of space IDs that a saved object is being shared to as part of the event. Example:
- Set of space IDs that a saved object is being removed from as part of the event. Example:
Error fields
- Error code describing the error.
- Error message.
HTTP and URL fields
- Client IP address.
- HTTP request method. Example:
- Example:
- Domain of the URL. Example:
- Path of the request. Example:
- Port of the request. Example:
- The query field describes the query string of the request. Example:
- Scheme of the request. Example:
Tracing fields
- Unique identifier allowing events of the same transaction from Kibana and Elasticsearch to be correlated.
Correlating audit events
Audit events can be correlated in two ways:
- Multiple Kibana audit events that resulted from the same request can be correlated together.
- If Elasticsearch audit logging is enabled, Kibana audit events from one request can be correlated with backend calls that create Elasticsearch audit events.
The examples below are simplified: many fields have been omitted and values have been shortened for clarity.
Example 1: correlating multiple Kibana audit events
When "thom" creates a new alerting rule, five audit events are written:
{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"post"}},"url":{"domain":"localhost","path":"/api/alerting/rule","port":5601,"scheme":"https"},"user":{"name":"thom","roles":["superuser"]},"kibana":{"space_id":"default","session_id":"3dHCZRB..."},"@timestamp":"2022-01-25T13:05:34.449-05:00","message":"User is requesting [/api/alerting/rule] endpoint","trace":{"id":"e300e06..."}}
{"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"space","id":"default"}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.454-05:00","message":"User has accessed space [id=default]","trace":{"id":"e300e06..."}}
{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.948-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
{"event":{"action":"rule_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"alert","id":"64517c3..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User is creating rule [id=64517c3...]","trace":{"id":"e300e06..."}}
All of these audit events can be correlated together by the same trace.id value "e300e06...". The first event is the HTTP API call, the next audit events are checks to validate the space and the connectors, and the last audit event is the actual rule creation.
Example 2: correlating a Kibana audit event with Elasticsearch audit events
When "thom" logs in, a "user_login" Kibana audit event is written:
{"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"kibana":{"session_id":"ab93zdA..."},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T09:40:39.267-05:00","message":"User [thom] has logged in using basic provider [name=basic]","trace":{"id":"818cbf3..."}}
The trace.id value "818cbf3..." in the Kibana audit event can be correlated with the opaque_id value in these six Elasticsearch audit events:
{"type":"audit", "timestamp":"2022-01-25T09:40:38,604-0500", "event.action":"access_granted", "user.name":"thom", "user.roles":["superuser"], "request.id":"YCx8wxs...", "action":"cluster:admin/xpack/security/user/authenticate", "request.name":"AuthenticateRequest", "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index", "request.name":"IndexRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk", "request.name":"BulkRequest", "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index:op_type/create", "request.name":"BulkItemRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
The Elasticsearch audit events show that "thom" authenticated, and that "kibana_system" then created a session for that user.
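The two correlation examples above, and the filter/aggregate use of the event.category and event.outcome fields described under Audit events, carried out in code. This is an added example, not code from the Kibana documentation or the Kibana project: it reads newline-delimited JSON from both logs, groups Kibana events by trace.id, attaches the Elasticsearch events whose opaque_id matches, and counts events by category and outcome. The sample lines are constructed to mirror the shortened examples on this page (most fields omitted); the failed login for "mallory" is invented to show a trace with no backend events.

```python
"""Correlate Kibana and Elasticsearch audit events and summarise them (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sample Kibana audit lines modelled on the page's examples.
# IDs are shortened and most fields are omitted; these are not captured logs.
KIBANA_AUDIT_LINES = [
    '{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},'
    '"user":{"name":"thom"},"trace":{"id":"e300e06"}}',
    '{"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},'
    '"user":{"name":"thom"},"kibana":{"saved_object":{"type":"space","id":"default"}},"trace":{"id":"e300e06"}}',
    '{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},'
    '"user":{"name":"thom"},"trace":{"id":"e300e06"}}',
    '{"event":{"action":"rule_create","category":["database"],"type":["creation"],"outcome":"unknown"},'
    '"user":{"name":"thom"},"trace":{"id":"e300e06"}}',
    '{"event":{"action":"user_login","category":["authentication"],"outcome":"success"},'
    '"user":{"name":"thom"},"trace":{"id":"818cbf3"}}',
    # Constructed failed login: no Elasticsearch audit event shares this trace id.
    '{"event":{"action":"user_login","category":["authentication"],"outcome":"failure"},'
    '"user":{"name":"mallory"},"trace":{"id":"c0ffee1"}}',
]

# Constructed sample Elasticsearch audit lines (shortened from the page's Example 2).
ES_AUDIT_LINES = [
    '{"type":"audit","event.action":"access_granted","user.name":"thom",'
    '"action":"cluster:admin/xpack/security/user/authenticate","opaque_id":"818cbf3"}',
    '{"type":"audit","event.action":"access_granted","user.name":"kibana_system",'
    '"action":"indices:data/write/index","indices":[".kibana_security_session_1"],"opaque_id":"818cbf3"}',
]


def parse_ndjson(lines):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def correlate_by_trace(kibana_events, es_events):
    """Group Kibana events by trace.id and attach the Elasticsearch audit events
    whose opaque_id carries the same value. Traces with no backend events get
    an empty list, which is itself useful to see (e.g. a rejected login)."""
    es_by_opaque = defaultdict(list)
    for ev in es_events:
        es_by_opaque[ev.get("opaque_id")].append(ev)
    traces = {}
    for ev in kibana_events:
        trace_id = ev.get("trace", {}).get("id")
        entry = traces.setdefault(trace_id, {"kibana": [], "elasticsearch": []})
        entry["kibana"].append(ev)
    for trace_id, entry in traces.items():
        entry["elasticsearch"] = es_by_opaque.get(trace_id, [])
    return traces


def action_sequence(traces, trace_id):
    """Ordered event.action values of the Kibana events within one trace."""
    return [ev["event"]["action"] for ev in traces[trace_id]["kibana"]]


def count_by_category_outcome(kibana_events):
    """Aggregate events on (event.category, event.outcome); category is a list in ECS."""
    counts = Counter()
    for ev in kibana_events:
        for category in ev["event"].get("category", []):
            counts[(category, ev["event"].get("outcome"))] += 1
    return counts


def failed_events(kibana_events):
    """Events with outcome 'failure': failed logins and authorization denials."""
    return [ev for ev in kibana_events if ev["event"].get("outcome") == "failure"]


if __name__ == "__main__":
    kibana = parse_ndjson(KIBANA_AUDIT_LINES)
    es = parse_ndjson(ES_AUDIT_LINES)
    traces = correlate_by_trace(kibana, es)
    for trace_id, entry in traces.items():
        backend = [e["action"] for e in entry["elasticsearch"]]
        print(trace_id, action_sequence(traces, trace_id), "elasticsearch:", backend)
    print(count_by_category_outcome(kibana))
    for ev in failed_events(kibana):
        print("FAILURE", ev["user"]["name"], ev["event"]["action"], ev["trace"]["id"])
```

Run against real files, replace the two constructed lists with the lines of the Kibana audit log and the Elasticsearch audit log; the join key stays trace.id on the Kibana side and opaque_id on the Elasticsearch side, exactly as in the examples above. The (category, outcome) counter is the cheapest first triage view: a rise in ("authentication", "failure") or in any ("database", "failure") bucket is what to alert on, and the per-trace action sequence then shows which request produced it.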