Capturing Comprehensive Kibana Audit Logs for User Activities

Hello Elastic Community,

I am looking to implement comprehensive Kibana audit logging to monitor user activities effectively. Specifically, I want to capture the following events:

  • User Login and Logout: I need to log when users log in and log out of Kibana. Currently, I understand that the login event is captured, but I would like to confirm how to also capture logout events, especially those initiated by the user and those due to session expiration.
  • User Actions: I want to track all actions performed by users, including:
    • Creation and deletion of visualizations, dashboards, and alerts.
    • Accessing different spaces and saved objects.
    • Any other significant changes or interactions within Kibana.

I am currently using ELK version 7.11.1 with a Platinum License.

From my research, I found that enabling audit logging requires setting xpack.security.audit.enabled to true in the kibana.yml configuration file. I tried this, but it did not work for me.

Could anyone provide insights on the following:

  • What features or configurations are required to enable detailed audit logging in Kibana?
  • How to set up and collect audit logs efficiently?
  • Any best practices for parsing and analyzing these logs to make them actionable?
  • If there are specific security settings, plugins, or tools I need to configure or integrate, I’d greatly appreciate any insights or examples.

Thanks in advance for your help!

Are you using Fleet Server or Filebeat?
For Filebeat you will add the path of the audit log:

filebeat.inputs:
  - type: log
    paths:
      - audit.log

For Fleet, add the integration.

Audit logging information for your version is here: Audit logs | Kibana Guide [7.11] | Elastic

xpack.security.audit.enabled: true enables the basic audit logs; configuring the appender is required for the remainder of the ECS logs.

The appender is configured like this:

xpack.security.audit.appender:
  kind: rolling-file
  path: ./audit.log
  policy:
    kind: time-interval
    interval: 24h 
  strategy:
    kind: numeric
    max: 10 
  layout:
    kind: json

The appender will write the ECS audit logs to a different file than the main kibana log.

Sorry to jump in the conversation, is it possible to capture Kibana audit logs in Elastic Security Serverless?

Hi,

I tried to add the config below in the kibana.yml file, but Kibana failed to start.

xpack.security.audit.enabled: true
xpack.security.audit.appender:
 type: rolling-file
 fileName: /var/log/kibana/audit.log
  policy:
   type: time-interval
   interval: 24h 
 strategy:
   type: numeric
   max: 10 
  layout:
    type: json

Please advise

Can you provide the error Kibana printed when it failed to start?

Is your cluster basic licensed?

Hi,
I encountered an indentation issue, but after resolving it, Kibana successfully started capturing logs. Below is the log entry I obtained. My next goal is to track specific user activities, such as:

User Actions:

  • Tracking all actions performed by users, including the creation and deletion of visualizations, dashboards, index/index patterns, and alerts.
  • Manual downloading of data through Discover or Visualizations.
  • Accessing different spaces and saved objects.
  • Any other significant changes or interactions within Kibana.

Log captured in the audit.log file:

{"@timestamp":"2024-11-26T07:44:06.369+00:00","message":"User [test_krish] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":7559},"ecs":{"version":"1.6.0"},"event":{"action":"user_login","category":"authentication","outcome":"success"},"user":{"name":"test_krish","roles":["data_role_all","viewer"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"default_native","lookup_realm":"default_native"},"trace":{"id":"bf410e25-abfd-4438-bf73-cefc1a9505ac"}}

Hi,

Can someone assist me with the following?

My next objective is to track specific user activities, including:

User Actions:

  • Monitoring all actions performed by users, such as creating or deleting visualizations, dashboards, index patterns, and alerts.
  • Tracking manual data downloads through Discover or Visualizations.
  • Recording access to different spaces and saved objects.
  • Capturing any other significant changes or interactions within Kibana.

Thank you!

The next step is likely to use Filebeat to read this log and forward it to a monitoring cluster.

You can review the documentation to understand what auditing events exist and then you can perform various actions to generate audit activity into your monitoring cluster which you can then visualize and alert on.
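As an added example (not code from the thread or from Elastic), here is a small Python script that reads ECS audit entries of the shape shown earlier in this thread and turns them into the views the original question asks for: actions per user, login/logout activity, spaces touched, and a queue of events worth reviewing. The sample lines are constructed inline; the event.action names follow the Kibana audit-log event reference, while the kibana.saved_object.* and kibana.space_id field names are assumptions you should check against the reference for your release (7.11 here).

```python
import json
from collections import Counter


# Constructed sample audit.log lines, modelled on the entry quoted in the thread.
# Kibana logs write operations before their result is known, so event.outcome
# can be "unknown" as well as "success" or "failure". The kibana.saved_object.*
# and kibana.space_id names are assumed; verify them against your version's docs.
def _entry(ts, action, category, outcome, user, roles=("viewer",), **kibana):
    return json.dumps({
        "@timestamp": ts,
        "log": {"level": "INFO", "logger": "plugins.security.audit.ecs"},
        "ecs": {"version": "1.6.0"},
        "event": {"action": action, "category": category, "outcome": outcome},
        "user": {"name": user, "roles": list(roles)},
        "kibana": kibana,
    })


SAMPLE_AUDIT_LINES = [
    _entry("2024-11-26T07:44:06.369+00:00", "user_login", "authentication", "success",
           "test_krish", ("data_role_all", "viewer"), authentication_provider="basic"),
    _entry("2024-11-26T07:45:10.000+00:00", "saved_object_create", "database", "unknown",
           "test_krish", space_id="default", saved_object={"type": "dashboard", "id": "dash-1"}),
    _entry("2024-11-26T07:46:30.000+00:00", "saved_object_delete", "database", "unknown",
           "test_krish", space_id="default", saved_object={"type": "visualization", "id": "viz-9"}),
    _entry("2024-11-26T07:47:00.000+00:00", "saved_object_get", "database", "success",
           "alice", space_id="marketing", saved_object={"type": "index-pattern", "id": "ip-2"}),
    _entry("2024-11-26T07:48:00.000+00:00", "user_login", "authentication", "failure", "bob"),
    _entry("2024-11-26T07:50:00.000+00:00", "user_logout", "authentication", "unknown",
           "test_krish", authentication_provider="basic"),
    "this line is not JSON and must be skipped",  # e.g. a partially written line
]


def parse_audit_line(line):
    """Flatten one ECS audit line to the fields we report on; None if it is not JSON."""
    try:
        doc = json.loads(line)
    except json.JSONDecodeError:
        return None
    event = doc.get("event", {})
    kib = doc.get("kibana", {})
    saved_object = kib.get("saved_object") or {}
    return {
        "ts": doc.get("@timestamp"),
        "user": doc.get("user", {}).get("name"),
        "action": event.get("action"),
        "category": event.get("category"),
        "outcome": event.get("outcome"),
        "space": kib.get("space_id"),
        "object_type": saved_object.get("type"),
        "object_id": saved_object.get("id"),
    }


def load_audit(lines):
    """Parse every line, silently dropping the ones that are not valid JSON."""
    return [r for r in (parse_audit_line(line) for line in lines) if r is not None]


def actions_per_user(records):
    """Counter keyed by (user, action): the 'who did what' view the thread asks for."""
    return Counter((r["user"], r["action"]) for r in records)


def sessions(records):
    """Successful logins, failed logins and logouts per user, for pairing sign-ins with sign-outs."""
    out = {}
    for r in records:
        if r["action"] not in ("user_login", "user_logout"):
            continue
        stats = out.setdefault(r["user"], {"logins": 0, "failed_logins": 0, "logouts": 0})
        if r["action"] == "user_logout":
            stats["logouts"] += 1
        elif r["outcome"] == "success":
            stats["logins"] += 1
        else:
            stats["failed_logins"] += 1
    return out


def spaces_by_user(records):
    """Which Kibana spaces each user touched, from kibana.space_id (assumed field name)."""
    out = {}
    for r in records:
        if r["space"]:
            out.setdefault(r["user"], set()).add(r["space"])
    return out


WATCHED_ACTIONS = {"saved_object_delete", "space_delete"}


def review_queue(records, watched=WATCHED_ACTIONS):
    """Events worth a human look: destructive actions plus anything with a failed outcome."""
    return [r for r in records if r["action"] in watched or r["outcome"] == "failure"]


if __name__ == "__main__":
    recs = load_audit(SAMPLE_AUDIT_LINES)
    for (user, action), n in sorted(actions_per_user(recs).items()):
        print(f"{user:12} {action:22} {n}")
    print("sessions:", sessions(recs))
    print("spaces:", spaces_by_user(recs))
    for r in review_queue(recs):
        print("REVIEW", r["ts"], r["user"], r["action"], r["object_type"], r["object_id"], r["outcome"])
```

Point it at the real file with `load_audit(open("/var/log/kibana/audit.log"))` once the appender is writing; the same keys (event.action, event.outcome, user.name, kibana.space_id) are the ones to group and alert on in the monitoring cluster after Filebeat ships the file.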