maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
kibana/docs/user/security/audit-logging.asciidoc
Thom Heymann e65c533d10
Add audit events for spaces (#86343) 
* Add audit events for spaces

* fix eslint error
2020-12-18 15:29:35 +00:00

232 lines
7.5 KiB
Text
Raw Blame History

[role="xpack"]
[[xpack-security-audit-logging]]
=== Audit logs
You can enable auditing to keep track of security-related events such as
authorization success and failures. Logging these events enables you to monitor
{kib} for suspicious activity and provides evidence in the event of an attack.
Use the {kib} audit logs in conjunction with {ref}/enable-audit-logging.html[{es} audit logging] to get a
holistic view of all security related events. {kib} defers to the {es} security
model for authentication, data index authorization, and features that are driven
by cluster-wide privileges. For more information on enabling audit logging in
{es}, refer to {ref}/auditing.html[Auditing security events].
[IMPORTANT]
============================================================================
Audit logs are **disabled** by default. To enable this functionality, you must
set `xpack.security.audit.enabled` to `true` in `kibana.yml`.
============================================================================
The current version of the audit logger uses the standard {kib} logging output,
which can be configured in `kibana.yml`. For more information, refer to <<settings>>.
The audit logger uses a separate logger and can be configured using
the options in <<audit-logging-settings>>.
==== Audit event types
When you are auditing security events, each request can generate multiple audit
events. The following is a list of the events that can be generated:
|======
| `saved_objects_authorization_success` | Logged when a user is authorized to access a saved
objects when using a role with <<kibana-privileges>>
| `saved_objects_authorization_failure` | Logged when a user isn't authorized to access a saved
objects when using a role with <<kibana-privileges>>
|======
[[xpack-security-ecs-audit-logging]]
==== ECS audit events
[IMPORTANT]
============================================================================
The following events are only logged if the ECS audit logger is enabled.
For information on how to configure `xpack.security.audit.appender`, refer to
<<ecs-audit-logging-settings>>.
============================================================================
Refer to the table of events that can be logged for auditing purposes.
Each event is broken down into `category`, `type`, `action` and `outcome` fields
to make it easy to filter, query and aggregate the resulting logs.
[NOTE]
============================================================================
To ensure that a record of every operation is persisted even in case of an
unexpected error, asynchronous write operations are logged immediately after all
authorization checks have passed, but before the response from {es} is received.
Refer to the corresponding {es} logs for potential write errors.
============================================================================
[cols="3*<"]
|======
3+a|
===== Category: authentication
| *Action*
| *Outcome*
| *Description*
.2+| `user_login`
| `success` | User has logged in successfully.
| `failure` | Failed login attempt (e.g. due to invalid credentials).
3+a|
===== Category: database
====== Type: creation
| *Action*
| *Outcome*
| *Description*
.2+| `saved_object_create`
| `unknown` | User is creating a saved object.
| `failure` | User is not authorized to create a saved object.
.2+| `connector_create`
| `unknown` | User is creating a connector.
| `failure` | User is not authorized to create a connector.
.2+| `alert_create`
| `unknown` | User is creating an alert.
| `failure` | User is not authorized to create an alert.
.2+| `space_create`
| `unknown` | User is creating a space.
| `failure` | User is not authorized to create a space.
3+a|
====== Type: change
| *Action*
| *Outcome*
| *Description*
.2+| `saved_object_update`
| `unknown` | User is updating a saved object.
| `failure` | User is not authorized to update a saved object.
.2+| `saved_object_add_to_spaces`
| `unknown` | User is adding a saved object to other spaces.
| `failure` | User is not authorized to add a saved object to other spaces.
.2+| `saved_object_delete_from_spaces`
| `unknown` | User is removing a saved object from other spaces.
| `failure` | User is not authorized to remove a saved object from other spaces.
.2+| `saved_object_remove_references`
| `unknown` | User is removing references to a saved object.
| `failure` | User is not authorized to remove references to a saved object.
.2+| `connector_update`
| `unknown` | User is updating a connector.
| `failure` | User is not authorized to update a connector.
.2+| `alert_update`
| `unknown` | User is updating an alert.
| `failure` | User is not authorized to update an alert.
.2+| `alert_update_api_key`
| `unknown` | User is updating the API key of an alert.
| `failure` | User is not authorized to update the API key of an alert.
.2+| `alert_enable`
| `unknown` | User is enabling an alert.
| `failure` | User is not authorized to enable an alert.
.2+| `alert_disable`
| `unknown` | User is disabling an alert.
| `failure` | User is not authorized to disable an alert.
.2+| `alert_mute`
| `unknown` | User is muting an alert.
| `failure` | User is not authorized to mute an alert.
.2+| `alert_unmute`
| `unknown` | User is unmuting an alert.
| `failure` | User is not authorized to unmute an alert.
.2+| `alert_instance_mute`
| `unknown` | User is muting an alert instance.
| `failure` | User is not authorized to mute an alert instance.
.2+| `alert_instance_unmute`
| `unknown` | User is unmuting an alert instance.
| `failure` | User is not authorized to unmute an alert instance.
.2+| `space_update`
| `unknown` | User is updating a space.
| `failure` | User is not authorized to update a space.
3+a|
====== Type: deletion
| *Action*
| *Outcome*
| *Description*
.2+| `saved_object_delete`
| `unknown` | User is deleting a saved object.
| `failure` | User is not authorized to delete a saved object.
.2+| `connector_delete`
| `unknown` | User is deleting a connector.
| `failure` | User is not authorized to delete a connector.
.2+| `alert_delete`
| `unknown` | User is deleting an alert.
| `failure` | User is not authorized to delete an alert.
.2+| `space_delete`
| `unknown` | User is deleting a space.
| `failure` | User is not authorized to delete a space.
3+a|
====== Type: access
| *Action*
| *Outcome*
| *Description*
.2+| `saved_object_get`
| `success` | User has accessed a saved object.
| `failure` | User is not authorized to access a saved object.
.2+| `saved_object_find`
| `success` | User has accessed a saved object as part of a search operation.
| `failure` | User is not authorized to search for saved objects.
.2+| `connector_get`
| `success` | User has accessed a connector.
| `failure` | User is not authorized to access a connector.
.2+| `connector_find`
| `success` | User has accessed a connector as part of a search operation.
| `failure` | User is not authorized to search for connectors.
.2+| `alert_get`
| `success` | User has accessed an alert.
| `failure` | User is not authorized to access an alert.
.2+| `alert_find`
| `success` | User has accessed an alert as part of a search operation.
| `failure` | User is not authorized to search for alerts.
.2+| `space_get`
| `success` | User has accessed a space.
| `failure` | User is not authorized to access a space.
.2+| `space_find`
| `success` | User has accessed a space as part of a search operation.
| `failure` | User is not authorized to search for spaces.
3+a|
===== Category: web
| *Action*
| *Outcome*
| *Description*
| `http_request`
| `unknown` | User is making an HTTP request.
|======
Reference in a new issue View git blame Copy permalink