Auditing for kibana

Elastic Stack Kibana
1

Hi All,

I'm trying to enable the auditing for kibana by adding the below configuration in the kibana.yml file

xpack.security.audit.enabled: true
and setting the logging destination option to the /var/log/kibana.log.

After doing all above still the file kibana.log is not created in that directory and no logs are there.

Requirement is to get the user details who are accessing the kibana. I have platinum subcription type for Elasticsearch.

Please guide me how can I enable the auditing for kibana.

2

Hi,

Auditing isn't done on the kibana service but on the Elasticsearch service.

Try doing the same but on your elastic node and in elasticsearch.yml.
I recommend just adding the xpack.security.audit.enabled: true and leaving the rest.
You can then find your audit log events in /var/log/elasticsearch/*_audit.json

Which in turn can be ingested by filebeats elasticsearch module for easy searching.

1 Like
3

will it provide info of the users who access the kibana?
and after adding xpack.security.audit.enabled: true, do I need to restart the Elasticsearch service?

4

There is Audit in Kibana as well, not only in Elasticsearch.

Your configuration is correct and issue is probably because the kibana user does not have permissions to write in the /var/log directory.

Try to create a /var/log/kibana/ directory, give the ownership of the directory /var/log/kibana/ to the kibana user and change your logging.dest to point to /var/log/kibana/kibana.log.

After you restart the service Kibana should be able to create the log file.

1 Like
5

My bad :sweat:

6

Hi Leandrojmp,

thanks for the solution, its working now but the logs doesn't shows users' information.
Is there any way to get info of the users who are accessing the kibana tool.

7

in logs the user-agent will give us the users right?

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.