Collect logs about users logging in to Kibana

I have an ELK stack hosted on elastic cloud. I have multiple different customers who regularly log in to view their respected dashboards.

I would like to collect logs showing successful and unsuccessful login attempts.

I used the API to see which setting i have enabled, and the only one concerning xpack was:
xpack.monitoring.collection.enabled: true

So my question is, what concrete steps should i take to log and collect the events mentioned above?
Especially what settings should i change, and where?

I know how to use the APIs and that i can modify elasticsearch.yml and Kibana.yml in the edit section of the cloud management dashboard, i just don't understand what exactly i'm supposed to do.

Thank you in advance.

Hi, @Pheebzer.
It looks like you want to use Elasticsearch Security Audit.
It provides the next events (from
authentication_success - Logged when a user successfully authenticates.
authentication_failed - Logged when the authentication token cannot be matched to a known user.|

If you use Kibana Spaces and want to audit access to spaces you should use Kibana Audit Logging

Thank you @Mikhail_Shustov, this is exactly what i wanted!

However i now have another problem: Editing and then saving the elasticsearch.yml in the cloud dashboard returns is not allowed.

This happens for every other setting as well. Normally i would just edit the files manually, but because this is a cloud hosted version i cannot do that. Any ideas why i'm not allowed to change the settings?

Oh, I see. It's a known limitation.
Could you write to the cloud support and describe the problem? They can help you to enable this functionality.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.