Is there any ways to track down who created a dashboard and visualizaions? I do not see any options or places to indicate who created it, who was last person to modify it, and when. It will be very helpful when audit tons of the dashbords and visualizations. Please advise.
Thank you,
Shaw
Looked in the logs for the event when creating a visualization and I don't see who created it.
{
"type":"response",
"@timestamp":"2020-10-08T15:53:12Z",
"tags":[
],
"pid":7,
"method":"post",
"statusCode":200,
"req":{
"url":"/api/saved_objects/visualization?overwrite=true",
"method":"post",
"headers":{
"host":"localhost:5601",
"connection":"keep-alive",
"content-length":"881",
"kbn-version":"7.6.0",
"user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
"content-type":"application/json",
"accept":"*/*",
"origin":"http://localhost:5601",
"sec-fetch-site":"same-origin",
"sec-fetch-mode":"cors",
"sec-fetch-dest":"empty",
"referer":"http://localhost:5601/app/kibana",
"accept-encoding":"gzip, deflate, br",
"accept-language":"en-US,en;q=0.9"
},
"remoteAddress":"172.19.0.1",
"userAgent":"172.19.0.1",
"referer":"http://localhost:5601/app/kibana"
},
"res":{
"statusCode":200,
"responseTime":996,
"contentLength":9
},
"message":"POST /api/saved_objects/visualization?overwrite=true 200 996ms - 9.0B"
}
Looked in the Kibana index and also in the exported JSON and can see updated time but not by whom.
So my answer is no unless the reason I am not seeing it is due to not having security enabled and only the default user. You can try to replicate what I did above on your side to see if it does show a user ID.
Thank you @aaron-nimocks for your prompt response. I do see the "updated_at" info, that is good and now I need to figure out how I can enable security feature to present the username in the doc, any ideas?
Great, thank you! I will check with my DevOps person for the enable audit logging status. Do you have a sample screenshot what kind of user info/format will be presented in the query result for dashboard/visualization?
I was on a call with your DevOps person when you asked. 
No I don't have a screenshot but here are the fields it should capture.
When audit logging is enabled, security events are persisted to a dedicated <clustername>_audit.json file on the host’s file system (on each node).
First I would try to locate that file and see the contents.
Hah~ Cool, this is very helpful, thank! I will check with my DevOps further.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
