Audit authentication failed

Hi,
I'm using the ELK stack in version 6.8.3. I have enabled the security function, and it's OK. Each Beat needs an account to send logs to Elasticsearch.

But I would like to track failed authentications from the agents and from Kibana.

I have this in elasticsearch.yml:

xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ "logfile" ]
xpack.security.audit.logfile.events.include: ["access_denied", "authentication_failed", "connection_denied", "anonymous_access_denied", "run_as_denied"]

I have put this on each node.

And in kibana.yml I have this:

logging.dest: "/var/log/kibana.log"
xpack.security.audit.enabled: true
server.ssl.enabled: true

I have restarted Kibana and Elasticsearch. I have configured Winlogbeat with a wrong password, but I don't see this server in my access.log or audit.log.

I see information in gc.log.0.current, but it's not interesting.

What have I missed?

Thank you for your help.
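
An added example, not part of the original post and not Elastic's code: one way to check whether failed logins reach the audit trail is to count `authentication_failed` events per user and source address in the audit logfile. It assumes the JSON audit log format (one object per line with `event.action`, `user.name` and `origin.address` fields); the sample lines, user names and addresses are constructed.

```python
import json
from collections import Counter

# Constructed sample lines; field names are assumed from the JSON audit log format.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2019-10-01T09:15:02,101","event.type":"rest","event.action":"authentication_failed","user.name":"winlogbeat_writer","origin.type":"rest","origin.address":"192.0.2.10","url.path":"/_bulk","request.method":"POST"}
{"@timestamp":"2019-10-01T09:15:07,412","event.type":"rest","event.action":"authentication_failed","user.name":"winlogbeat_writer","origin.type":"rest","origin.address":"192.0.2.10","url.path":"/_bulk","request.method":"POST"}
{"@timestamp":"2019-10-01T09:16:30,007","event.type":"transport","event.action":"access_denied","user.name":"kibana_user","origin.type":"rest","origin.address":"192.0.2.20","action":"indices:data/read/search"}
{"@timestamp":"2019-10-01T09:17:44,950","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"192.0.2.20","url.path":"/_xpack/security/_authenticate","request.method":"GET"}
[2019-10-01T09:18:00,000] [rest] [authentication_failed] plain-text line, not JSON
"""


def failed_logins(lines, action="authentication_failed"):
    """Count events of one action per (user, source address).

    Returns (counts, skipped), where skipped is the number of lines that
    were not JSON objects (for example lines from a plain-text log).
    """
    counts = Counter()
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        if event.get("event.action") != action:
            continue
        # Some events carry no user name; keep them visible instead of dropping them.
        user = event.get("user.name", "<unknown>")
        source = event.get("origin.address", "<unknown>")
        counts[(user, source)] += 1
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = failed_logins(SAMPLE_AUDIT_LOG.splitlines())
    for (user, source), n in counts.most_common():
        print(f"{n:3d} failed logins  user={user}  source={source}")
    print(f"{skipped} non-JSON line(s) skipped")
```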
