Detailed user audit logs for Kibana Dev tools

ES version: 7.3.2
X-pack: Platinum

We have OpenID based user authentication in Elasticsearch.
We need to check the activity done by users after they sign-in, especially the activity which involves running queries on Dev tools in Kibana.

The current audit logs, which we enabled with the following configuration, do not show these details:

xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true

We are getting logs like the ones below, without the granular level of detail we require.

{"@timestamp":"2020-02-14T01:35:46,471", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"a0R5c5mZSI6M8cowuSAGDg", "action":"indices:data/read/scroll/clear", "request.name":"ClearScrollRequest"}
{"@timestamp":"2020-02-14T01:35:46,471", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"a0R5c5mZSI6M8cowuSAGDg", "action":"indices:data/read/search[free_context/scroll]", "request.name":"ScrollFreeContextRequest"}
{"@timestamp":"2020-02-14T01:35:56,475", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"H-fdWUC1Snidy7vPtA2oGA", "action":"indices:data/read/msearch", "request.name":"MultiSearchRequest"}

Is there any way we can get user email-id or user name at least under these logs? Is this a limitation from Elasticsearch?

Hi @soumendra,

Audit entries attributed to the user.name, which is running queries on Dev tools in Kibana, should be present in the audit log, among others. The entries that you've pasted above are generated by an internal system user of Elasticsearch (the _xpack_security username).

You might also be interested in the Kibana audit logs.
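As an added example (not part of this thread or of Elasticsearch itself), a small Python filter that separates the internal `_xpack_security` entries pasted above from entries attributed to a signed-in person. The first three sample lines are the ones from the question; the fourth line, the user `jane.doe@example.com`, the realm name `oidc1` and the index pattern are constructed, and the `request.body` field only appears because `emit_request_body` is enabled.

```python
import json

# Newline-delimited JSON as written by the ES 7.x audit logfile. Lines 1-3 are the
# entries from the question (internal system user). Line 4 is a CONSTRUCTED example
# of a REST-layer event for a query issued by an OpenID user from Kibana Dev Tools.
SAMPLE_AUDIT_LOG = r"""
{"@timestamp":"2020-02-14T01:35:46,471", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"a0R5c5mZSI6M8cowuSAGDg", "action":"indices:data/read/scroll/clear", "request.name":"ClearScrollRequest"}
{"@timestamp":"2020-02-14T01:35:46,471", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"a0R5c5mZSI6M8cowuSAGDg", "action":"indices:data/read/search[free_context/scroll]", "request.name":"ScrollFreeContextRequest"}
{"@timestamp":"2020-02-14T01:35:56,475", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"H-fdWUC1Snidy7vPtA2oGA", "action":"indices:data/read/msearch", "request.name":"MultiSearchRequest"}
{"@timestamp":"2020-02-14T01:36:02,110", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"rest", "event.action":"authentication_success", "user.name":"jane.doe@example.com", "user.realm":"oidc1", "origin.type":"rest", "origin.address":"10.0.0.5:52144", "request.method":"POST", "url.path":"/logs-*/_search", "request.body":"{\"query\":{\"match_all\":{}}}"}
"""

INTERNAL_REALM = "__attach"  # realm of Elasticsearch's own internal principals

def parse_audit_log(text):
    """Parse newline-delimited JSON audit entries, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole review
    return events

def is_internal(event):
    """True for entries generated by Elasticsearch itself (e.g. _xpack_security)."""
    return (event.get("user.realm") == INTERNAL_REALM
            or event.get("user.name", "").startswith("_")
            or event.get("origin.type") == "local_node")

def user_activity(events):
    """Group non-internal entries by user: (timestamp, action, target, request body)."""
    activity = {}
    for ev in events:
        if is_internal(ev):
            continue
        target = ev.get("url.path") or ev.get("action") or ""
        activity.setdefault(ev["user.name"], []).append(
            (ev["@timestamp"], ev["event.action"], target, ev.get("request.body")))
    return activity
```

Running `user_activity(parse_audit_log(SAMPLE_AUDIT_LOG))` keeps only the constructed `jane.doe@example.com` entry, including the query body, while the three `_xpack_security` entries are dropped.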
