Hello.
I have an ELK stack hosted on Elastic Cloud. I have multiple different customers who regularly log in to view their respective dashboards.
I would like to collect logs showing successful and unsuccessful login attempts.
I used the API to see which settings I have enabled, and the only one concerning xpack was:
xpack.monitoring.collection.enabled: true
So my question is, what concrete steps should I take to log and collect the events mentioned above?
Especially, what settings should I change, and where?
I know how to use the APIs and that I can modify elasticsearch.yml and kibana.yml in the edit section of the cloud management dashboard; I just don't understand what exactly I'm supposed to do.
Thank you in advance.
Hi, @Pheebzer.
It looks like you want to use Elasticsearch Security Audit. https://www.elastic.co/guide/en/elasticsearch/reference/7.4/auditing.html
It provides the following events (from https://www.elastic.co/guide/en/elasticsearch/reference/7.4/audit-event-types.html):
authentication_success - Logged when a user successfully authenticates.
authentication_failed - Logged when the authentication token cannot be matched to a known user.
If you use Kibana Spaces and want to audit access to spaces you should use Kibana Audit Logging https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html
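Once audit logging is on, the two event types above land in the audit log as one JSON object per line. The following is an added example (not from the thread or from Elastic) that parses constructed sample lines in the shape of the Elasticsearch 7.x JSON audit layout (dotted keys such as `event.action`, `user.name`, `origin.address` are assumed to match that layout) and tallies successful and failed logins per user, flagging users whose failures exceed a threshold.

```python
import json
from collections import defaultdict

# Constructed sample audit lines (not real log data); field names assume the
# ES 7.x JSON audit layout. Timestamps and addresses are made up.
SAMPLE_AUDIT_LINES = [
    '{"@timestamp":"2019-11-05T10:00:01,000Z","event.type":"rest","event.action":"authentication_success","user.name":"alice","origin.address":"203.0.113.10:51234"}',
    '{"@timestamp":"2019-11-05T10:00:05,000Z","event.type":"rest","event.action":"authentication_failed","user.name":"bob","origin.address":"198.51.100.7:44001"}',
    '{"@timestamp":"2019-11-05T10:00:06,000Z","event.type":"rest","event.action":"authentication_failed","user.name":"bob","origin.address":"198.51.100.7:44002"}',
    '{"@timestamp":"2019-11-05T10:00:07,000Z","event.type":"rest","event.action":"authentication_failed","user.name":"bob","origin.address":"198.51.100.7:44003"}',
    '{"@timestamp":"2019-11-05T10:00:09,000Z","event.type":"rest","event.action":"authentication_success","user.name":"bob","origin.address":"198.51.100.7:44004"}',
    '{"@timestamp":"2019-11-05T10:01:00,000Z","event.type":"rest","event.action":"authentication_failed","user.name":"carol","origin.address":"192.0.2.99:6000"}',
    '{"@timestamp":"2019-11-05T10:01:30,000Z","event.type":"transport","event.action":"access_granted","user.name":"alice"}',
    'this line is not JSON and must be skipped',
]

LOGIN_ACTIONS = ("authentication_success", "authentication_failed")


def parse_audit_lines(lines):
    """Return a list of {action, user, source} dicts for login-related events only.
    Malformed lines and non-login event types (e.g. access_granted) are skipped."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # audit files can contain partial/rotated lines; do not crash on them
        action = rec.get("event.action")
        if action not in LOGIN_ACTIONS:
            continue
        # origin.address is "host:port"; keep only the host part for grouping.
        source = rec.get("origin.address", "").rsplit(":", 1)[0]
        events.append({"action": action, "user": rec.get("user.name", "<unknown>"), "source": source})
    return events


def summarize_logins(lines, failure_threshold=3):
    """Count successes/failures per user and list users at or above the failure threshold."""
    counts = defaultdict(lambda: {"success": 0, "failed": 0})
    for ev in parse_audit_lines(lines):
        key = "success" if ev["action"] == "authentication_success" else "failed"
        counts[ev["user"]][key] += 1
    flagged = sorted(u for u, c in counts.items() if c["failed"] >= failure_threshold)
    return {"counts": dict(counts), "flagged": flagged}


if __name__ == "__main__":
    print(json.dumps(summarize_logins(SAMPLE_AUDIT_LINES), indent=2))
```

The same function can be pointed at a real audit file by passing `open(path)` as `lines`, since it iterates line by line.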
Thank you @Mikhail_Shustov, this is exactly what I wanted!
However, I now have another problem: editing and then saving the elasticsearch.yml in the cloud dashboard returns "xpack.security.audit.enabled is not allowed".
This happens for every other setting as well. Normally I would just edit the files manually, but because this is a cloud hosted version I cannot do that. Any ideas why I'm not allowed to change the settings?
Oh, I see. It's a known limitation. https://www.elastic.co/guide/en/cloud/current/ec-restrictions.html
Could you write to the cloud support and describe the problem? They can help you to enable this functionality.