Audit logs
Audit logging is a subscription feature that you can enable to keep track of security-related events, such as authorization successes and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.
Use the Kibana audit logs in conjunction with Elasticsearch audit logging to get a holistic view of all security-related events. Kibana defers to the Elasticsearch security model for authentication, data index authorization, and features that are driven by cluster-wide privileges. For more information on enabling audit logging in Elasticsearch, refer to Auditing security events.
Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in kibana.yml.
You can optionally configure the audit log location, file and rolling-file appenders, and ignore filters using the Audit logging settings.
Audit events
Refer to the table of events that can be logged for auditing purposes.
Each event is broken down into category, type, action and outcome fields to make it easy to filter, query and aggregate the resulting logs. The trace.id field can be used to correlate multiple events that originate from the same request.
Refer to Audit schema for a table of the fields that get logged with each audit event.
To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from Elasticsearch is received. Refer to the corresponding Elasticsearch logs for potential write errors.
Category: authentication

Outcome | Description
--- | ---
success | User has logged in successfully.
failure | Failed login attempt (e.g. due to invalid credentials).
unknown | User is logging out.
unknown | Removing invalid or expired session.
n/a | User has acknowledged the access agreement.
Category: database

Type: creation

Outcome | Description
--- | ---
unknown | User is creating a saved object.
failure | User is not authorized to create a saved object.
unknown | User is creating a Point In Time to use when querying saved objects.
failure | User is not authorized to create a Point In Time for the provided saved object types.
unknown | User is creating a connector.
failure | User is not authorized to create a connector.
unknown | User is creating a rule.
failure | User is not authorized to create a rule.
unknown | User is creating a space.
failure | User is not authorized to create a space.
unknown | User is creating a case.
failure | User is not authorized to create a case.
unknown | User is creating a case configuration.
failure | User is not authorized to create a case configuration.
unknown | User is creating a case comment.
failure | User is not authorized to create a case comment.
unknown | User is creating multiple case comments.
failure | User is not authorized to create multiple case comments.
success | User has created a case comment.
success | User has created a case.
Type: change

Outcome | Description
--- | ---
unknown | User is updating a saved object.
failure | User is not authorized to update a saved object.
unknown | User is adding and/or removing a saved object to/from other spaces.
failure | User is not authorized to add or remove a saved object to or from other spaces.
unknown | User is removing references to a saved object.
failure | User is not authorized to remove references to a saved object.
success | User has accessed references to a multi-space saved object.
failure | User is not authorized to access references to a multi-space saved object.
unknown | User is updating a connector.
failure | User is not authorized to update a connector.
unknown | User is updating a rule.
failure | User is not authorized to update a rule.
unknown | User is updating the API key of a rule.
failure | User is not authorized to update the API key of a rule.
unknown | User is enabling a rule.
failure | User is not authorized to enable a rule.
unknown | User is disabling a rule.
failure | User is not authorized to disable a rule.
unknown | User is muting a rule.
failure | User is not authorized to mute a rule.
unknown | User is unmuting a rule.
failure | User is not authorized to unmute a rule.
unknown | User is muting an alert.
failure | User is not authorized to mute an alert.
unknown | User is unmuting an alert.
failure | User is not authorized to unmute an alert.
unknown | User is updating a space.
failure | User is not authorized to update a space.
unknown | User is updating an alert.
failure | User is not authorized to update an alert.
unknown | User is snoozing a rule.
failure | User is not authorized to snooze a rule.
unknown | User is unsnoozing a rule.
failure | User is not authorized to unsnooze a rule.
unknown | User is updating a case.
failure | User is not authorized to update a case.
unknown | User is pushing a case to an external service.
failure | User is not authorized to push a case to an external service.
unknown | User is updating a case configuration.
failure | User is not authorized to update a case configuration.
unknown | User is updating a case comment.
failure | User is not authorized to update a case comment.
success | User has added a case assignee.
success | User has updated a case connector.
success | User has updated a case description.
success | User has updated the case settings.
success | User has updated the case severity.
success | User has updated the case status.
success | User has pushed a case to an external service.
success | User has added tags to a case.
success | User has updated the case title.
Type: deletion

Outcome | Description
--- | ---
unknown | User is deleting a saved object.
failure | User is not authorized to delete a saved object.
unknown | User is deleting a Point In Time that was used to query saved objects.
failure | User is not authorized to delete a Point In Time.
unknown | User is deleting a connector.
failure | User is not authorized to delete a connector.
unknown | User is deleting a rule.
failure | User is not authorized to delete a rule.
unknown | User is deleting a space.
failure | User is not authorized to delete a space.
unknown | User is deleting a case.
failure | User is not authorized to delete a case.
unknown | User is deleting all comments associated with a case.
failure | User is not authorized to delete all comments associated with a case.
unknown | User is deleting a case comment.
failure | User is not authorized to delete a case comment.
success | User has removed a case assignee.
success | User has deleted a case comment.
success | User has deleted a case.
success | User has removed tags from a case.
Type: access

Outcome | Description
--- | ---
success | User has accessed a saved object.
failure | User is not authorized to access a saved object.
success | User has accessed a saved object.
failure | User is not authorized to access a saved object.
success | User has accessed a saved object as part of a search operation.
failure | User is not authorized to search for saved objects.
success | User has accessed a connector.
failure | User is not authorized to access a connector.
success | User has accessed a connector as part of a search operation.
failure | User is not authorized to search for connectors.
success | User has accessed a rule.
failure | User is not authorized to access a rule.
success | User has accessed the execution log for a rule.
failure | User is not authorized to access the execution log for a rule.
success | User has accessed a rule as part of a search operation.
failure | User is not authorized to search for rules.
success | User has accessed a space.
failure | User is not authorized to access a space.
success | User has accessed a space as part of a search operation.
failure | User is not authorized to search for spaces.
success | User has accessed an alert.
failure | User is not authorized to access an alert.
success | User has accessed an alert as part of a search operation.
failure | User is not authorized to access alerts.
success | User has accessed a case.
failure | User is not authorized to access a case.
success | User has accessed multiple cases.
failure | User is not authorized to access multiple cases.
success | User has accessed a case.
failure | User is not authorized to access a case.
success | User has accessed a case as part of a search operation.
failure | User is not authorized to search for cases.
success | User has accessed cases.
failure | User is not authorized to access cases.
success | User has accessed metrics for a case.
failure | User is not authorized to access metrics for a case.
success | User has accessed metrics for cases.
failure | User is not authorized to access metrics for cases.
success | User has accessed a case configuration as part of a search operation.
failure | User is not authorized to search for case configurations.
success | User has accessed metrics for case comments.
failure | User is not authorized to access metrics for case comments.
success | User has accessed case alerts.
failure | User is not authorized to access case alerts.
success | User has accessed a case comment.
failure | User is not authorized to access a case comment.
success | User has accessed multiple case comments.
failure | User is not authorized to access multiple case comments.
success | User has accessed case comments.
failure | User is not authorized to access case comments.
success | User has accessed a case comment as part of a search operation.
failure | User is not authorized to search for case comments.
success | User has accessed a case.
failure | User is not authorized to access a case.
success | User has accessed a case.
failure | User is not authorized to access a case.
success | User has accessed a case.
failure | User is not authorized to access a case.
success | User has accessed a case as part of a search operation.
failure | User is not authorized to search for cases.
success | User has accessed the user activity of a case.
failure | User is not authorized to access the user activity of a case.
success | User has accessed the user activity of a case as part of a search operation.
failure | User is not authorized to access the user activity of a case.
success | User has accessed metrics for the user activity of a case.
failure | User is not authorized to access metrics for the user activity of a case.
success | User has accessed the users associated with a case.
failure | User is not authorized to access the users associated with a case.
success | User has accessed the connectors of a case.
failure | User is not authorized to access the connectors of a case.
Category: web

Outcome | Description
--- | ---
unknown | User is making an HTTP request.
Audit schema
Audit logs are written in JSON using the Elastic Common Schema (ECS) specification.
Base Fields

Field | Description
--- | ---
@timestamp | Time when the event was generated. Example: 2022-01-25T13:05:34.449-05:00
message | Human readable description of the event.
Event Fields

Field | Description
--- | ---
event.action | The action captured by the event. Refer to Audit events for a table of possible actions.
event.category | High level category associated with the event. This field is closely related to event.type. Possible values: web, database, authentication
event.type | Subcategory associated with the event. This field can be used along with the event.category field to filter on a subset of events. Possible values: creation, access, change, deletion
event.outcome | Denotes whether the event represents a success or failure. Possible values: success, failure, unknown
User Fields

Field | Description
--- | ---
user.id | Unique identifier of the user across sessions (see user profiles).
user.name | Login name of the user. Example: thom
user.roles | Set of user roles at the time of the event. Example: ["superuser"]
Kibana Fields

Field | Description
--- | ---
kibana.space_id | ID of the space associated with the event. Example: default
kibana.session_id | ID of the user session associated with the event. Each login attempt results in a unique session id.
kibana.saved_object.type | Type of saved object associated with the event. Example: space
kibana.saved_object.id | ID of the saved object associated with the event.
kibana.authentication_provider | Name of the authentication provider associated with the event. Example: basic
kibana.authentication_type | Type of the authentication provider associated with the event. Example: basic
kibana.authentication_realm | Name of the Elasticsearch realm that has authenticated the user.
kibana.lookup_realm | Name of the Elasticsearch realm where the user details were retrieved from.
kibana.add_to_spaces | Set of space IDs that a saved object is being shared to as part of the event.
kibana.delete_from_spaces | Set of space IDs that a saved object is being removed from as part of the event.
Error Fields

Field | Description
--- | ---
error.code | Error code describing the error.
error.message | Error message.
HTTP and URL Fields

Field | Description
--- | ---
client.ip | Client IP address.
http.request.method | HTTP request method. Example: post
http.request.headers.x-forwarded-for | X-Forwarded-For request header, identifying the originating client when the request arrived through a proxy.
url.domain | Domain of the URL. Example: localhost
url.path | Path of the request. Example: /api/alerting/rule
url.port | Port of the request. Example: 5601
url.query | The query field describes the query string of the request.
url.scheme | Scheme of the request. Example: https
Tracing Fields

Field | Description
--- | ---
trace.id | Unique identifier allowing events of the same transaction from Kibana and Elasticsearch to be correlated.
Correlating audit events
Audit events can be correlated in two ways:
- Multiple Kibana audit events that resulted from the same request can be correlated together.
- If Elasticsearch audit logging is enabled, Kibana audit events from one request can be correlated with backend calls that create Elasticsearch audit events.
The examples below are simplified: many fields have been omitted and values have been shortened for clarity.
Example 1: correlating multiple Kibana audit events
When "thom" creates a new alerting rule, five audit events are written:
{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"post"}},"url":{"domain":"localhost","path":"/api/alerting/rule","port":5601,"scheme":"https"},"user":{"name":"thom","roles":["superuser"]},"kibana":{"space_id":"default","session_id":"3dHCZRB..."},"@timestamp":"2022-01-25T13:05:34.449-05:00","message":"User is requesting [/api/alerting/rule] endpoint","trace":{"id":"e300e06..."}}
{"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"space","id":"default"}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.454-05:00","message":"User has accessed space [id=default]","trace":{"id":"e300e06..."}}
{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.948-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
{"event":{"action":"rule_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"alert","id":"64517c3..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User is creating rule [id=64517c3...]","trace":{"id":"e300e06..."}}
All of these audit events can be correlated together by the same trace.id value "e300e06...". The first event is the HTTP API call, the next audit events are checks to validate the space and the connectors, and the last audit event is the actual rule creation.
Example 2: correlating a Kibana audit event with Elasticsearch audit events
When "thom" logs in, a "user_login" Kibana audit event is written:
{"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"kibana":{"session_id":"ab93zdA..."},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T09:40:39.267-05:00","message":"User [thom] has logged in using basic provider [name=basic]","trace":{"id":"818cbf3..."}}
The trace.id value "818cbf3..." in the Kibana audit event can be correlated with the opaque_id value in these six Elasticsearch audit events:
{"type":"audit", "timestamp":"2022-01-25T09:40:38,604-0500", "event.action":"access_granted", "user.name":"thom", "user.roles":["superuser"], "request.id":"YCx8wxs...", "action":"cluster:admin/xpack/security/user/authenticate", "request.name":"AuthenticateRequest", "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index", "request.name":"IndexRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk", "request.name":"BulkRequest", "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/index:op_type/create", "request.name":"BulkItemRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
{"type":"audit", "timestamp":"2022-01-25T09:40:38,613-0500", "event.action":"access_granted", "user.name":"kibana_system", "user.roles":["kibana_system"], "request.id":"Ksx73Ad...", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":[".kibana_security_session_1"], "opaque_id":"818cbf3..."}
The Elasticsearch audit events show that "thom" authenticated, then subsequently "kibana_system" created a session for that user.
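The following is an added example (not code from the Kibana documentation) that performs both correlations described above over exported log lines: Kibana events are grouped by trace.id, Elasticsearch events are joined on opaque_id, and failure outcomes are tallied per user for review. The sample lines are constructed and shortened in the style of the page's examples; note that the Elasticsearch audit log uses flat dotted keys ("user.name") while Kibana nests its fields ("user": {"name": ...}).

```python
import json
from collections import defaultdict

# Constructed sample Kibana audit lines (NDJSON), shortened like the page's examples.
KIBANA_LOG = """
{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"user":{"name":"thom"},"url":{"path":"/api/alerting/rule"},"trace":{"id":"e300e06"}}
{"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"user":{"name":"thom"},"trace":{"id":"e300e06"}}
{"event":{"action":"rule_create","category":["database"],"type":["creation"],"outcome":"unknown"},"user":{"name":"thom"},"trace":{"id":"e300e06"}}
{"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"thom"},"trace":{"id":"818cbf3"}}
{"event":{"action":"user_login","category":["authentication"],"outcome":"failure"},"user":{"name":"mallory"},"trace":{"id":"c0ffee1"}}
"""
# Constructed sample Elasticsearch audit lines; keys are flat and dotted, and the
# Kibana trace.id shows up here as opaque_id.
ES_LOG = """
{"type":"audit","event.action":"access_granted","user.name":"thom","action":"cluster:admin/xpack/security/user/authenticate","opaque_id":"818cbf3"}
{"type":"audit","event.action":"access_granted","user.name":"kibana_system","action":"indices:data/write/index","indices":[".kibana_security_session_1"],"opaque_id":"818cbf3"}
"""

def parse_ndjson(text):
    """One JSON document per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def correlate(kibana_lines, es_lines):
    """Group Kibana events by trace.id, then attach ES events whose opaque_id matches.
    A trace with no ES events (e.g. ES auditing disabled) simply keeps an empty list."""
    traces = defaultdict(lambda: {"kibana": [], "elasticsearch": []})
    for ev in parse_ndjson(kibana_lines):
        traces[ev["trace"]["id"]]["kibana"].append(ev)
    for ev in parse_ndjson(es_lines):
        tid = ev.get("opaque_id")
        if tid in traces:  # keep only backend calls that belong to a Kibana request
            traces[tid]["elasticsearch"].append(ev)
    return dict(traces)

def summarize(trace):
    """Storyline for one trace: Kibana actions in order, then ES 'user:action' pairs."""
    kib = [e["event"]["action"] for e in trace["kibana"]]
    es = [f'{e["user.name"]}:{e["action"]}' for e in trace["elasticsearch"]]
    return kib, es

def failures_by_user(kibana_lines):
    """Count event.outcome == failure per user.name (failed logins, authz denials)."""
    counts = defaultdict(int)
    for ev in parse_ndjson(kibana_lines):
        if ev["event"].get("outcome") == "failure":
            counts[ev["user"]["name"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for tid, trace in correlate(KIBANA_LOG, ES_LOG).items():
        print(tid, summarize(trace))
    print("failures:", failures_by_user(KIBANA_LOG))
```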