Auditing isn't done on the Kibana service but on the Elasticsearch service.
Try doing the same but on your elastic node and in elasticsearch.yml.
I recommend just adding the xpack.security.audit.enabled: true and leaving the rest.
You can then find your audit log events in /var/log/elasticsearch/*_audit.json
Will it provide info of the users who access Kibana?
And after adding xpack.security.audit.enabled: true, do I need to restart the Elasticsearch service?
There is Audit in Kibana as well, not only in Elasticsearch.
Your configuration is correct and the issue is probably because the kibana user does not have permissions to write in the /var/log directory.
Try to create a /var/log/kibana/ directory, give the ownership of the directory /var/log/kibana/ to the kibana user and change your logging.dest to point to /var/log/kibana/kibana.log.
After you restart the service Kibana should be able to create the log file.
Thanks for the solution, it's working now, but the logs don't show users' information.
Is there any way to get info of the users who are accessing the Kibana tool?
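
Added example, not part of the thread: the first reply points to the Elasticsearch audit log under /var/log/elasticsearch/*_audit.json, and the Python below shows one way to summarise activity per user from such a file. The sample lines are constructed; the field names (`user.name`, `event.action`, `origin.address`, `@timestamp`) and the service-account list are assumptions based on Elasticsearch's JSON audit format and should be checked against your own log.

```python
import json

# Constructed sample lines shaped like Elasticsearch's JSON audit log (*_audit.json).
SAMPLE_AUDIT_LINES = [
    '{"@timestamp":"2019-05-02T09:14:03,101","event.action":"access_granted","user.name":"alice","origin.address":"10.0.0.15:51234"}',
    '{"@timestamp":"2019-05-02T09:14:05,440","event.action":"access_granted","user.name":"kibana","origin.address":"10.0.0.5:40022"}',
    '{"@timestamp":"2019-05-02T09:20:11,007","event.action":"authentication_failed","user.name":"bob","origin.address":"10.0.0.23:60110"}',
    '{"@timestamp":"2019-05-02T09:21:47,930","event.action":"access_denied","user.name":"bob","origin.address":"10.0.0.23:60112"}',
    '{"@timestamp":"2019-05-02T10:02:30,250","event.action":"access_granted","user.name":"alice","origin.address":"10.0.0.16:51877"}',
    '{"@timestamp":"2019-05-02T10:02:31,',  # truncated line, e.g. read mid-write
]

# Assumption: service accounts to leave out of the per-user report.
SERVICE_ACCOUNTS = {"kibana", "kibana_system", "_system", "_xpack"}

# Audit event actions counted per user, mapped to the counter they increment.
BUCKETS = {"access_granted": "granted", "access_denied": "denied",
           "authentication_failed": "failed"}


def summarise_users(lines, skip=SERVICE_ACCOUNTS):
    """Return (per-user summary dict, number of unparsable lines)."""
    users, malformed = {}, 0
    for raw in lines:
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1  # count it instead of aborting the whole report
            continue
        name = event.get("user.name")
        bucket = BUCKETS.get(event.get("event.action"))
        if not name or name in skip or bucket is None:
            continue
        entry = users.setdefault(name, {"granted": 0, "denied": 0, "failed": 0,
                                        "first_seen": None, "last_seen": None,
                                        "origins": set()})
        entry[bucket] += 1
        ts = event.get("@timestamp", "")
        # Timestamps in one log share a format, so string order is time order.
        entry["first_seen"] = ts if entry["first_seen"] is None else min(entry["first_seen"], ts)
        entry["last_seen"] = ts if entry["last_seen"] is None else max(entry["last_seen"], ts)
        # origin.address is "host:port"; keep the host part only.
        entry["origins"].add(event.get("origin.address", "").rpartition(":")[0])
    return users, malformed


if __name__ == "__main__":
    report, bad = summarise_users(SAMPLE_AUDIT_LINES)
    for name, e in sorted(report.items()):
        print(name, e["granted"], e["denied"], e["failed"], e["first_seen"], e["last_seen"], sorted(e["origins"]))
    print("unparsable lines:", bad)
```

To run it against a real file, pass the open file object as `lines`; repeated `failed` or `denied` counts for one user or origin are the entries worth reviewing first.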