Audit authentication failed

Ludovic9 · January 24, 2020, 4:05pm

Hi,
I'm using elk stack in version 6.8.3, I have enabled security function, it's OK. Each beats needs an account to send logs to elasticsearch.

But I would like to track the authentication failed from agent and from Kibana.

I have this in elasticsearch.yml :

xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ "logfile" ]
xpack.security.audit.logfile.events.include: ["access_denied", "authentication_failed", "connection_denied", "anonymous_access_denied", "run_as_denied"]

I have put this on each node.

and in kibana.yml I have this :

logging.dest: "/var/log/kibana.log"
xpack.security.audit.enabled: true
server.ssl.enabled: true

I have restarted kibana and elasticsearch, I have configured winlogbeat with a wrong password, I don't see this server in my access.log or audit.log.

I see information in gc.log.0.current but it's not interesting.

What I have missed ?

Thank you for your help.

system · February 21, 2020, 4:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to get audit logs on authentication_failed Elasticsearch elastic-stack-security	4	465	April 9, 2020
Collect logs about users logging in to Kibana Kibana	4	8087	December 13, 2019
ELK 7.3 Elasticsearch	4	373	April 9, 2020
Audit logs on ES 7.16.3 Elasticsearch elastic-stack-security	3	422	March 14, 2022
Security audit index shows tons of fake failed authentications/min (5.1.1) - SOLVED Elasticsearch	3	1306	March 6, 2017

Audit authentication failed

Related topics