Audit logging is a subscription feature that you can enable to keep track of security-related events, such as authorization successes and failures. Logging these events enables you to monitor {kib} for suspicious activity and provides evidence in the event of an attack.
Use the {kib} audit logs in conjunction with {ref}/enable-audit-logging.html[{es} audit logging] to get a holistic view of all security-related events. {kib} defers to the {es} security model for authentication, data index authorization, and features that are driven by cluster-wide privileges, so you need both logs for a complete picture. For more information on enabling audit logging in {es}, refer to {ref}/auditing.html[Auditing security events].
Important: {kib} offers two audit logs: a deprecated legacy audit logger and a new ECS-compliant audit logger. Use the ECS audit logger; the legacy audit logger will be removed in an upcoming version.
Note: Audit logs are disabled by default. To enable them, you must turn audit logging on in kibana.yml; refer to [audit-logging-settings] for the setting.
The legacy audit logger uses the standard {kib} logging output, which can be configured in kibana.yml. For more information, refer to [settings].
The ECS audit logger uses a separate logger and can be configured using the options in [audit-logging-settings].
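As an added example (not taken from this page or from the {kib} project), the following kibana.yml fragment enables audit logging and routes the ECS audit logger to its own rolling JSON file, separate from the standard {kib} log. The setting names are the ones documented in [audit-logging-settings]; the file path, rotation interval and retention count are assumptions you should adapt to your deployment.

```yaml
# kibana.yml (added example, not from the original page).
# Setting names follow the Kibana audit logging settings reference;
# the path, interval and retention count below are assumptions.

# Audit logging is off by default; this turns it on.
xpack.security.audit.enabled: true

# Give the ECS audit logger its own appender so audit records are not
# mixed into the ordinary Kibana log and can be shipped and retained
# on their own schedule. The json layout writes one ECS event per line.
xpack.security.audit.appender:
  type: rolling-file
  fileName: /var/log/kibana/audit.log   # assumption: adjust to your host
  layout:
    type: json
  policy:
    type: time-interval
    interval: 24h                        # rotate daily
  strategy:
    type: numeric
    max: 30                              # keep 30 rotated files
```

Restart {kib} after changing these settings. Forward the resulting file to wherever you keep the {es} audit log, because a {kib} write event only records that authorization passed (see the note on asynchronous writes below); the matching {es} record is what tells you whether the write actually happened.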
When you are auditing security events, each request can generate multiple audit events. The legacy audit logger can generate the following events:

* Logged when a user is authorized to access saved objects when using a role with [kibana-privileges].
* Logged when a user isn't authorized to access saved objects when using a role with [kibana-privileges].
Important: The following events are only logged if the ECS audit logger is enabled. For information on how to configure it, refer to [audit-logging-settings].
Refer to the table of events that can be logged for auditing purposes.
Each event is broken down into category, type, action and outcome fields to make it easy to filter, query and aggregate the resulting logs.
Refer to ECS audit schema for a table of the fields that get logged with each audit event.
Note: To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from {es} is received. Such a record therefore proves that the user was authorized to attempt the write, not that the write succeeded. Refer to the corresponding {es} logs for potential write errors.
Login events:

[options="header"]
|===
|Logged on success |Logged on failure

|User has logged in successfully.
|Failed login attempt (e.g. due to invalid credentials).
|===
|
Creation events:

[options="header"]
|===
|Logged when the user is authorized |Logged when the user is not authorized

|User is creating a saved object.
|User is not authorized to create a saved object.

|User is creating a Point In Time to use when querying saved objects.
|User is not authorized to create a Point In Time for the provided saved object types.

|User is creating a connector.
|User is not authorized to create a connector.

|User is creating a rule.
|User is not authorized to create a rule.

|User is creating a space.
|User is not authorized to create a space.
|===
|
Change events:

[options="header"]
|===
|Logged when the user is authorized |Logged when the user is not authorized

|User is updating a saved object.
|User is not authorized to update a saved object.

|User is adding a saved object to other spaces.
|User is not authorized to add a saved object to other spaces.

|User is removing a saved object from other spaces.
|User is not authorized to remove a saved object from other spaces.

|User is removing references to a saved object.
|User is not authorized to remove references to a saved object.

|User is updating a connector.
|User is not authorized to update a connector.

|User is updating a rule.
|User is not authorized to update a rule.

|User is updating the API key of a rule.
|User is not authorized to update the API key of a rule.

|User is enabling a rule.
|User is not authorized to enable a rule.

|User is disabling a rule.
|User is not authorized to disable a rule.

|User is muting a rule.
|User is not authorized to mute a rule.

|User is unmuting a rule.
|User is not authorized to unmute a rule.

|User is muting an alert.
|User is not authorized to mute an alert.

|User is unmuting an alert.
|User is not authorized to unmute an alert.

|User is updating a space.
|User is not authorized to update a space.
|===
|
Deletion events:

[options="header"]
|===
|Logged when the user is authorized |Logged when the user is not authorized

|User is deleting a saved object.
|User is not authorized to delete a saved object.

|User is deleting a Point In Time that was used to query saved objects.
|User is not authorized to delete a Point In Time.

|User is deleting a connector.
|User is not authorized to delete a connector.

|User is deleting a rule.
|User is not authorized to delete a rule.

|User is deleting a space.
|User is not authorized to delete a space.
|===
|
Access events:

[options="header"]
|===
|Logged when the user is authorized |Logged when the user is not authorized

|User has accessed a saved object.
|User is not authorized to access a saved object.

|User has accessed a saved object.
|User is not authorized to access a saved object.

|User has accessed a saved object as part of a search operation.
|User is not authorized to search for saved objects.

|User has accessed a connector.
|User is not authorized to access a connector.

|User has accessed a connector as part of a search operation.
|User is not authorized to search for connectors.

|User has accessed a rule.
|User is not authorized to access a rule.

|User has accessed a rule as part of a search operation.
|User is not authorized to search for rules.

|User has accessed a space.
|User is not authorized to access a space.

|User has accessed a space as part of a search operation.
|User is not authorized to search for spaces.
|===
|
HTTP request events:

[options="header"]
|===
|Logged for each request

|User is making an HTTP request.
|===
Audit logs are written in JSON following the Elastic Common Schema (ECS) specification.

Base fields:

* Time when the event was generated.
* Human-readable description of the event.
Event fields:

* The action captured by the event. Refer to ECS audit events for a table of possible actions.
* High-level category associated with the event. This field is closely related to the subcategory field.
* Subcategory associated with the event. This field can be used along with the category field to narrow down the kind of event.
* Denotes whether the event represents a success or failure. For asynchronous writes, which are logged before the {es} response arrives (see the note above), the outcome is not yet known when the event is written.
User fields:

* Login name of the user.
* Set of user roles at the time of the event.
{kib}-specific fields:

* ID of the space associated with the event.
* ID of the user session associated with the event. Each login attempt results in a unique session ID.
* Type of saved object associated with the event.
* ID of the saved object associated with the event.
* Name of the authentication provider associated with the event.
* Type of the authentication provider associated with the event.
* Name of the {es} realm that has authenticated the user.
* Name of the {es} realm where the user details were retrieved from.
* Set of space IDs that a saved object is being shared to as part of the event.
* Set of space IDs that a saved object is being removed from as part of the event.
Error fields:

* Error code describing the error.
* Error message.
HTTP and URL fields:

* HTTP request method.
* Domain of the URL.
* Path of the request.
* Port of the request.
* Query string of the request.
* Scheme of the request.
Tracing fields:

* Unique identifier allowing events of the same transaction from {kib} and {es} to be correlated.
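The following script is an added example (not code from this page or from the {kib} project) showing how the category, type, action and outcome fields described above make the JSON audit output easy to filter and aggregate, how the asynchronous-write note affects interpretation of the outcome field, and how the trace identifier ties a denied operation back to its HTTP request. The log lines are constructed to mirror the event descriptions on this page, not captured from a real {kib}. The nested ECS field names used (`@timestamp`, `event.action`, `event.category`, `event.type`, `event.outcome`, `user.name`, `error.code`, `trace.id`) are standard ECS; the action strings, user names, trace IDs and the {kib}-specific nesting under `kibana.saved_object` are illustrative assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, action, category, etype, outcome, user, trace, **extra):
    """Build one ECS audit event nested the way a JSON layout would emit it."""
    event = {
        "@timestamp": ts,
        "event": {"action": action, "category": [category],
                  "type": [etype], "outcome": outcome},
        "user": {"name": user},
        "trace": {"id": trace},
    }
    event.update(extra)
    return json.dumps(event)


# Constructed sample log (one event per line). The action strings are
# illustrative labels for the event descriptions on this page, not a
# claim about the exact identifiers Kibana uses.
SAMPLE_AUDIT_LOG = "\n".join([
    _ev("2021-06-01T10:00:00Z", "user_login", "authentication", "start", "failure", "alice", "t-01"),
    _ev("2021-06-01T10:00:30Z", "user_login", "authentication", "start", "failure", "alice", "t-02"),
    _ev("2021-06-01T10:01:00Z", "user_login", "authentication", "start", "failure", "alice", "t-03"),
    _ev("2021-06-01T10:01:30Z", "user_login", "authentication", "start", "success", "alice", "t-04"),
    # Write logged after authorization passed but before the ES response: outcome unknown.
    _ev("2021-06-01T10:02:00Z", "saved_object_create", "database", "creation", "unknown", "alice", "t-05",
        kibana={"saved_object": {"type": "dashboard", "id": "d-1"}}),
    _ev("2021-06-01T10:02:10Z", "saved_object_find", "database", "access", "success", "alice", "t-06"),
    # One request by bob produces two events sharing a trace id.
    _ev("2021-06-01T10:03:00Z", "http_request", "web", "access", "unknown", "bob", "t-07",
        http={"request": {"method": "post"}}, url={"path": "/api/saved_objects/dashboard"}),
    _ev("2021-06-01T10:03:00Z", "saved_object_create", "database", "creation", "failure", "bob", "t-07",
        error={"code": "Forbidden", "message": "Unable to create dashboard"}),
    _ev("2021-06-01T10:09:00Z", "user_login", "authentication", "start", "failure", "bob", "t-08"),
])


def parse_events(text):
    """Parse JSON-lines audit output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_by_action_outcome(events):
    """Aggregate on the action/outcome pair, the natural pivot for audit review."""
    return Counter((e["event"]["action"], e["event"]["outcome"]) for e in events)


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: count} for users with at least `threshold` failed
    authentication events inside any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        ev = e["event"]
        if "authentication" in ev["category"] and ev["outcome"] == "failure":
            ts = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
            failures[e["user"]["name"]].append(ts)
    bursts = {}
    for user, times in failures.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts[user] = max(bursts.get(user, 0), j - i + 1)
    return bursts


def unconfirmed_writes(events):
    """Database writes with outcome 'unknown': per the note above they prove
    authorization passed, not that Elasticsearch persisted the change."""
    return [e for e in events
            if "database" in e["event"]["category"] and e["event"]["outcome"] == "unknown"]


def group_by_trace(events):
    """Group actions by trace id so a denied write can be tied to the HTTP
    request that caused it (and to the matching Elasticsearch audit record)."""
    groups = defaultdict(list)
    for e in events:
        groups[e["trace"]["id"]].append(e["event"]["action"])
    return dict(groups)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    print(count_by_action_outcome(evs))
    print("failed-login bursts:", failed_login_bursts(evs))
    print("unconfirmed writes:", [e["kibana"]["saved_object"]["id"] for e in unconfirmed_writes(evs)])
    print("trace t-07:", group_by_trace(evs)["t-07"])
```

Because the category and outcome fields are structured, the brute-force check needs no string matching on the message field, and the same grouping carries over unchanged to a query or aggregation in {es} once the file is ingested. Treat the "unknown" writes as a to-do list: each one should be matched against the {es} audit log by trace identifier before you conclude that the change was made.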