Collect logs about users logging in to Kibana

Hello.
I have an ELK stack hosted on elastic cloud. I have multiple different customers who regularly log in to view their respected dashboards.

I would like to collect logs showing successful and unsuccessful login attempts.

I used the API to see which setting i have enabled, and the only one concerning xpack was:
xpack.monitoring.collection.enabled: true

So my question is, what concrete steps should i take to log and collect the events mentioned above?
Especially what settings should i change, and where?

I know how to use the APIs and that i can modify elasticsearch.yml and Kibana.yml in the edit section of the cloud management dashboard, i just don't understand what exactly i'm supposed to do.

Thank you in advance.

Hi, @Pheebzer.
It looks like you want to use Elasticsearch Security Audit. https://www.elastic.co/guide/en/elasticsearch/reference/7.4/auditing.html
It provides the next events (from https://www.elastic.co/guide/en/elasticsearch/reference/7.4/audit-event-types.html):
authentication_success - Logged when a user successfully authenticates.
authentication_failed - Logged when the authentication token cannot be matched to a known user.|

If you use Kibana Spaces and want to audit access to spaces you should use Kibana Audit Logging https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html

Thank you @Mikhail_Shustov, this is exactly what i wanted!

However i now have another problem: Editing and then saving the elasticsearch.yml in the cloud dashboard returns xpack.security.audit.enabled is not allowed.

This happens for every other setting as well. Normally i would just edit the files manually, but because this is a cloud hosted version i cannot do that. Any ideas why i'm not allowed to change the settings?

Oh, I see. It's a known limitation. https://www.elastic.co/guide/en/cloud/current/ec-restrictions.html
Could you write to the cloud support and describe the problem? They can help you to enable this functionality.