Hello, Community.
I want to collect audit logs connected to user activity (like user create/delete, set/change password, create new role, delete role, change role, change user role, success/failed auth, etc.). Is it possible to log all these actions?
For example, I found auth logs in elasticsearch.log, but getting user creation/deletion events was difficult. For this, I added the following configuration to kibana.yml:
logging:
  appenders:
    audit_file:
      type: file
      fileName: /var/log/kibana/audit.log
      layout:
        type: json
  loggers:
    - name: plugins.security.audit
      level: debug
      appenders: [audit_file]
    - name: plugins.security
      level: debug
      appenders: [audit_file]
    - name: http.server.response
      level: debug
      appenders: [audit_file]
I found these logs only at the debug level of the http.server.response category. So, is there an easier way to get these events? Has anyone encountered such a case?