How to enable kibana audit logs

how do i enable kibana audit logs?
Can anyone please tell me the steps to enable it in linux server.

You just need to set as True in your Kibana.yml file. That is all.

I have enabled it. But the data is not written to the audit file. Does it require any license version

Does it requires any configuration settings of elastic search and filebeat settings to be changed. I have been trying this from 10days but the audit logs are empty . Can you please provide me the solution.

What do you have set as logging.dest: in Kibana.yml? If that doesn't exist, it will write everything to stdout.

yes it has been set to stdout and commented it as i.e #logging.dest: stdout.
so where will these logs will be stored. can i set it to logs path and remove the comment of logging.dest?

kibana audit logs and std(out & err)logs are different right?
I can see log_kibana.out and log_kibana.err files in kibana folder. But what i want is audit logs which include audit events like access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted.
Can you please guide me how to enable them . And in which file and where will this output gets generated .

The kibana audit logs will be in the same location.
Audit logging uses the standard Kibana logging output, which can be configured in the kibana.yml

There are some different elasticsearch audit logs as well, which are enabled differently and log in a different location.

Thanks for your reply.
Does kibana or elasticsearch Audit logging requires any license subscriptions like gold or platinum license type ? Or this configuration to true in yml file is enough to write audit logs?

Indeed it needs to be Gold or Platinum license. Also, it works with the trial one as well.

We are using a Basic version but i don't see any changes impacting.
Where should i check them in my server?
Will the audit logs will work only for gold or platinum license only?
Can you please answer the question @Marius_Dragomir

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.