How to enable kibana audit logs

mounikasony · March 12, 2020, 6:39am

how do i enable kibana audit logs?
Can anyone please tell me the steps to enable it in linux server.

Marius_Dragomir · March 12, 2020, 5:01pm

You just need to set xpack.security.audit.enabled as True in your Kibana.yml file. That is all.

mounikasony · March 12, 2020, 5:31pm

I have enabled it. But the data is not written to the audit file. Does it require any license version
?

mounikasony · March 12, 2020, 5:35pm

Does it requires any configuration settings of elastic search and filebeat settings to be changed. I have been trying this from 10days but the audit logs are empty . Can you please provide me the solution.
Thanks

Marius_Dragomir · March 12, 2020, 11:49pm

What do you have set as logging.dest: in Kibana.yml? If that doesn't exist, it will write everything to stdout.

mounikasony · March 13, 2020, 2:45am

yes it has been set to stdout and commented it as i.e #logging.dest: stdout.
so where will these logs will be stored. can i set it to logs path and remove the comment of logging.dest?

mounikasony · March 13, 2020, 5:02am

kibana audit logs and std(out & err)logs are different right?
I can see log_kibana.out and log_kibana.err files in kibana folder. But what i want is audit logs which include audit events like access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted.
Can you please guide me how to enable them . And in which file and where will this output gets generated .

Marius_Dragomir · March 13, 2020, 12:23pm

The kibana audit logs will be in the same location.
https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html
Audit logging uses the standard Kibana logging output, which can be configured in the kibana.yml

There are some different elasticsearch audit logs as well, which are enabled differently and log in a different location.
https://www.elastic.co/guide/en/elasticsearch/reference/current/enable-audit-logging.html

mounikasony · March 14, 2020, 11:35am

Thanks for your reply.
Does kibana or elasticsearch Audit logging requires any license subscriptions like gold or platinum license type ? Or this configuration xpack.security.audit.enabled to true in yml file is enough to write audit logs?

Marius_Dragomir · March 17, 2020, 1:05pm

Indeed it needs to be Gold or Platinum license. Also, it works with the trial one as well.

mounikasony · April 6, 2020, 1:06pm

We are using a Basic version but i don't see any changes impacting.
Where should i check them in my server?
Will the audit logs will work only for gold or platinum license only?
Can you please answer the question @Marius_Dragomir

system · May 4, 2020, 1:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.