KIBANA : xpack.security.audit issue

hello,
I'm trying to make audit for kibana like this doc :
https://www.elastic.co/guide/en/kibana/7.11/security-settings-kb.html#audit-logging-settings

Here's my kib.yml :

--------------------------------- Audit --------------------------------------

xpack.security.audit.enabled: true
xpack.security.audit.appender:
kind: rolling-file
path: /var/log/kibana/audit.log
xpack.security.audit.appender.layout.kind: json
xpack.security.audit.appender.policy.kind: time-interval
xpack.security.audit.appender.policy.interval: 24h
xpack.security.audit.appender.strategy.kind: numeric
xpack.security.audit.appender.strategy.max: 365

and here's error log :

Feb 24 14:23:35 srv-syslog kibana: FATAL Error: [config validation of [path]]: could not parse object value from json input
Feb 24 14:23:35 srv-syslog systemd: kibana.service: main process exited, code=exited, status=1/FAILURE
Feb 24 14:23:35 srv-syslog systemd: Unit kibana.service entered failed state.
Feb 24 14:23:35 srv-syslog systemd: kibana.service failed.
Feb 24 14:23:39 srv-syslog systemd: kibana.service holdoff time over, scheduling restart.

I'm sure I'm missing something or maybe there's a syntax error in kib.yml, but I don't know what.
Thanks for help.
Regards.
Alex.

Hey @Alex_Lum,

The pasted snippet is missing indentation. Can you verify that your actual kibana.yml has the kind and path properties indented like so:

xpack.security.audit.enabled: true
xpack.security.audit.appender:
   kind: rolling-file
   path: /var/log/kibana/audit.log
xpack.security.audit.appender.layout.kind: json
xpack.security.audit.appender.policy.kind: time-interval
xpack.security.audit.appender.policy.interval: 24h
xpack.security.audit.appender.strategy.kind: numeric
xpack.security.audit.appender.strategy.max: 365

Yes, kind and path are indented with tabulations.

Interesting. I get the same error message when I remove the indentations, but the config snippet that I pasted to you above works just fine for me.

Are there any other parts of your kibana.yml file with missing indentations?

What happens if you change the config to not use the "nested" format:

xpack.security.audit.enabled: true
xpack.security.audit.appender.kind: rolling-file
xpack.security.audit.appender.path: /var/log/kibana/audit.log
xpack.security.audit.appender.layout.kind: json
xpack.security.audit.appender.policy.kind: time-interval
xpack.security.audit.appender.policy.interval: 24h
xpack.security.audit.appender.strategy.kind: numeric
xpack.security.audit.appender.strategy.max: 365

Not the same error (I have already tested ;)), but it can't read some param.
BTW, I'm on ELK 7.11.

Feb 24 17:23:57 srv-syslog kibana: FATAL Error: [config validation of [xpack.security].audit.appender]: definition for this key is missing
Feb 24 17:23:57 srv-syslog systemd: kibana.service: main process exited, code=exited, status=1/FAILURE
Feb 24 17:23:57 srv-syslog systemd: Unit kibana.service entered failed state.
Feb 24 17:23:57 srv-syslog systemd: kibana.service failed.
Feb 24 17:24:00 srv-syslog systemd: kibana.service holdoff time over, scheduling restart.

Would you mind sharing your full kibana.yml file, so I can try to reproduce this on my machine? I'll DM you a link with instructions to upload it, so we don't lose anything in translation between these discussion boards.

Hello Larry,
I've uploaded kibana.yml using your link. Thanks for help.

Thanks @Alex_Lum , that was helpful.

Yes, kind and path are indented with tabulations.

I should have noticed this earlier. Can you replace the tabulations with spaces? Using the file you sent, replacing the single tab with two spaces worked for me.

Hello Larry,
Same as not using the nested format:

Feb 25 13:50:28 srv-syslog kibana: FATAL Error: [config validation of [xpack.security].audit.appender]: definition for this key is missing
Feb 25 13:50:28 srv-syslog systemd: kibana.service: main process exited, code=exited, status=1/FAILURE
Feb 25 13:50:28 srv-syslog systemd: Unit kibana.service entered failed state.

Tested with one space and with two spaces.

Thanks, I'll keep digging and let you know what I find. Configuration shouldn't be this hard! I'm sorry you're having so much trouble getting this up and running.

Ok Larry, I will wait :wink:

Alright, two things:

  1. xpack.security.audit.appender.strategy.max has a maximum value of 100. This isn't causing your current problem, but it'll be the next problem that Kibana will complain about.

  2. The only way I can reproduce this specific error (FATAL Error: [config validation of [xpack.security].audit.appender]: definition for this key is missing) is to declare this config in an older version of Kibana: for example, 7.10. Sorry for the silly question, but are you absolutely sure that you're running version 7.11.1? Is it possible for you to reinstall Kibana into a fresh location?
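As an added pre-flight check (not code from the thread or from Kibana), the script below flattens the dotted and nested key spellings from the snippets above into one key space, flags tab indentation (YAML requires spaces), flags a parent key whose following line is not indented, and applies the strategy.max limit of 100 that Larry reports. It is a minimal parser for this config subset, not a real YAML parser; the function names and the sample are mine.

```python
STRATEGY_MAX_LIMIT = 100  # limit Larry reports in the thread; assumed, not verified against docs

SAMPLE = """xpack.security.audit.enabled: true
xpack.security.audit.appender:
  kind: rolling-file
  path: /var/log/kibana/audit.log
xpack.security.audit.appender.strategy.kind: numeric
xpack.security.audit.appender.strategy.max: 365
"""  # constructed sample mirroring the thread's first config, indented with spaces

def flatten_kibana_yml(text):
    """Return (settings, problems); settings maps 'a.b.c' -> value string."""
    settings, problems, stack, pending = {}, [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        lead = raw[: len(raw) - len(raw.lstrip(" \t"))]
        if "\t" in lead:
            problems.append(f"line {lineno}: tab in indentation; YAML needs spaces")
        indent = len(lead.expandtabs(2))
        if pending and indent <= pending[0]:  # parent 'key:' got no indented child
            problems.append(f"line {lineno}: {pending[1]} has no object value")
        pending = None
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        while stack and stack[-1][0] >= indent:  # leave deeper/equal mappings
            stack.pop()
        full = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[full] = value.strip()
        else:  # nested mapping starts; its children must be indented further
            stack.append((indent, key.strip()))
            pending = (indent, full)
    if pending:
        problems.append(f"{pending[1]} has no object value")
    return settings, problems

def check_audit_config(text):
    """Return the list of problems found; an empty list means it looks sane."""
    settings, problems = flatten_kibana_yml(text)
    if settings.get("xpack.security.audit.enabled") == "true":
        app = "xpack.security.audit.appender."
        if app + "kind" not in settings:
            problems.append("audit appender has no kind")
        max_val = settings.get(app + "strategy.max", "0")
        if max_val.isdigit() and int(max_val) > STRATEGY_MAX_LIMIT:
            problems.append(f"strategy.max={max_val} exceeds {STRATEGY_MAX_LIMIT}")
    return problems
```

Run it on the real kibana.yml before restarting the service; the three cases from this thread (tabs, missing indentation, max too large) are each reported separately.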

My bad :frowning: here's what I see on Stack Management:

Welcome to Stack Management 7.10.2

I installed kibana from sources because the yum and rpm packages were corrupted (unable to extract).
I just saw that on 17/02/2021 there are new versions.
I'm really sorry for this.
I will try to reinstall kibana from yum, and from source if it does not work.

Thanks for the max hint :wink:
I will try tomorrow or this afternoon and let you know if it works or not.

Thank you Larry.

No worries, I'm glad we [probably] found the root cause! Let me know how you make out with the upgrade.

Hello Larry,
I'm trying to install the latest kibana version (7.11.1), but the yum package can't be unpacked and the same goes for the sources: some files cannot be untarred. I will create a new topic for that and edit this one when I can test.
Regards.

Everything is working well now.
Thank you Larry.
Case can be closed.
