kibana/docs/reference/kibana-audit-events.md
Colleen McGinnis 1814c60017
[docs] Migrate docs from AsciiDoc to Markdown (#212558)
Migrate docs from AsciiDoc to Markdown. The preview can be built after
#212557 is merged.

@florent-leborgne please tag reviewers, add the appropriate label(s),
and take this out of draft when you're ready.

Note: More files are deleted than added here because the content from
some files was moved to
[elastic/docs-content](https://github.com/elastic/docs-content).

**What has moved to
[elastic/docs-content](https://github.com/elastic/docs-content)?**

Public-facing narrative and conceptual docs have moved. Most can now be
found under the following directories in the new docs:
- explore-analyze: Discover, Dashboards, Visualizations, Reporting,
Alerting, dev tools...
- deploy-manage: Stack management (Spaces, user management, remote
clusters...)
- troubleshooting: .... troubleshooting pages

**What is staying in the Kibana repo?**

- Reference content (= anything that is or could be auto-generated):
Settings, syntax references
- Release notes
- Developer guide

---------

Co-authored-by: Florent Le Borgne <florent.leborgne@elastic.co>
2025-03-04 14:56:07 +01:00


---
navigation_title: Kibana audit events
---

# Kibana audit events

Audit logging is a subscription feature that you can enable to keep track of security-related events, such as authorization success and failures. Logging these events enables you to monitor Kibana for suspicious activity and provides evidence in the event of an attack.

Refer to enabling and configuring audit logs for details on activation and tuning.

## Kibana audit events [xpack-security-ecs-audit-logging]

This section describes {{kib}} events that can be logged for auditing purposes.

Each event is broken down into `category`, `type`, `action`, and `outcome` fields to make it easy to filter, query, and aggregate the resulting logs. The `trace.id` field can be used to correlate multiple events that originate from the same request.

Refer to audit schema for a table of fields logged with audit events.

::::{note}
To ensure that a record of every operation is persisted even in case of an unexpected error, asynchronous write operations are logged immediately after all authorization checks have passed, but before the response from {{es}} is received. Refer to the corresponding {{es}} logs for potential write errors.
::::

### Category: authentication

Actions:

- `user_login` (`failure`)
- `user_logout`
- `session_cleanup`
- `access_agreement_acknowledged`

### Category: database

#### Type: creation

Actions:

- `saved_object_create` (`failure`)
- `saved_object_open_point_in_time` (`failure`)
- `connector_create` (`failure`)
- `rule_create` (`failure`)
- `ad_hoc_run_create` (`failure`)
- `space_create` (`failure`)
- `case_create` (`failure`)
- `case_configuration_create` (`failure`)
- `case_comment_create` (`failure`)
- `case_comment_bulk_create` (`failure`)
- `case_user_action_create_comment`
- `case_user_action_create_case`
- `ml_put_ad_job` (`failure`)
- `ml_put_ad_datafeed` (`failure`)
- `ml_put_calendar` (`failure`)
- `ml_post_calendar_events` (`failure`)
- `ml_forecast` (`failure`)
- `ml_put_filter` (`failure`)
- `ml_put_dfa_job` (`failure`)
- `ml_put_trained_model` (`failure`)
- `product_documentation_create`
- `knowledge_base_entry_create` (`failure`)
- `knowledge_base_entry_update` (`failure`)
- `knowledge_base_entry_delete` (`failure`)

#### Type: change

Actions:

- `saved_object_update` (`failure`)
- `saved_object_update_objects_spaces` (`failure`)
- `saved_object_remove_references` (`failure`)
- `saved_object_collect_multinamespace_references` (`failure`)
- `connector_update` (`failure`)
- `rule_update` (`failure`)
- `rule_update_api_key` (`failure`)
- `rule_enable` (`failure`)
- `rule_disable` (`failure`)
- `rule_mute` (`failure`)
- `rule_unmute` (`failure`)
- `rule_alert_mute` (`failure`)
- `rule_alert_unmute` (`failure`)
- `space_update` (`failure`)
- `alert_update` (`failure`)
- `rule_snooze` (`failure`)
- `rule_unsnooze` (`failure`)
- `case_update` (`failure`)
- `case_push` (`failure`)
- `case_configuration_update` (`failure`)
- `case_comment_update` (`failure`)
- `case_user_action_add_case_assignees`
- `case_user_action_update_case_connector`
- `case_user_action_update_case_description`
- `case_user_action_update_case_settings`
- `case_user_action_update_case_severity`
- `case_user_action_update_case_status`
- `case_user_action_pushed_case`
- `case_user_action_add_case_tags`
- `case_user_action_update_case_title`
- `ml_open_ad_job` (`failure`)
- `ml_close_ad_job` (`failure`)
- `ml_start_ad_datafeed` (`failure`)
- `ml_stop_ad_datafeed` (`failure`)
- `ml_update_ad_job` (`failure`)
- `ml_reset_ad_job` (`failure`)
- `ml_revert_ad_snapshot` (`failure`)
- `ml_update_ad_datafeed` (`failure`)
- `ml_put_calendar_job` (`failure`)
- `ml_delete_calendar_job` (`failure`)
- `ml_update_filter` (`failure`)
- `ml_start_dfa_job` (`failure`)
- `ml_stop_dfa_job` (`failure`)
- `ml_update_dfa_job` (`failure`)
- `ml_start_trained_model_deployment` (`failure`)
- `ml_stop_trained_model_deployment` (`failure`)
- `ml_update_trained_model_deployment` (`failure`)
- `product_documentation_update`

#### Type: deletion

Actions:

- `saved_object_delete` (`failure`)
- `saved_object_close_point_in_time` (`failure`)
- `connector_delete` (`failure`)
- `rule_delete` (`failure`)
- `ad_hoc_run_delete` (`failure`)
- `space_delete` (`failure`)
- `case_delete` (`failure`)
- `case_comment_delete_all` (`failure`)
- `case_comment_delete` (`failure`)
- `case_user_action_delete_case_assignees`
- `case_user_action_delete_comment`
- `case_user_action_delete_case`
- `case_user_action_delete_case_tags`
- `ml_delete_ad_job` (`failure`)
- `ml_delete_model_snapshot` (`failure`)
- `ml_delete_ad_datafeed` (`failure`)
- `ml_delete_calendar` (`failure`)
- `ml_delete_calendar_event` (`failure`)
- `ml_delete_filter` (`failure`)
- `ml_delete_forecast` (`failure`)
- `ml_delete_dfa_job` (`failure`)
- `ml_delete_trained_model` (`failure`)
- `product_documentation_delete`

#### Type: access

Actions:

- `saved_object_get` (`failure`)
- `saved_object_resolve` (`failure`)
- `saved_object_find` (`failure`)
- `connector_get` (`failure`)
- `connector_find` (`failure`)
- `rule_get` (`failure`)
- `rule_get_execution_log` (`failure`)
- `rule_find` (`failure`)
- `rule_schedule_backfill` (`failure`)
- `ad_hoc_run_get` (`failure`)
- `ad_hoc_run_find` (`failure`)
- `space_get` (`failure`)
- `space_find` (`failure`)
- `alert_get` (`failure`)
- `alert_find` (`failure`)
- `case_get` (`failure`)
- `case_bulk_get` (`failure`)
- `case_resolve` (`failure`)
- `case_find` (`failure`)
- `case_ids_by_alert_id_get` (`failure`)
- `case_get_metrics` (`failure`)
- `cases_get_metrics` (`failure`)
- `case_configuration_find` (`failure`)
- `case_comment_get_metrics` (`failure`)
- `case_comment_alerts_attach_to_case` (`failure`)
- `case_comment_get` (`failure`)
- `case_comment_bulk_get` (`failure`)
- `case_comment_get_all` (`failure`)
- `case_comment_find` (`failure`)
- `case_categories_get` (`failure`)
- `case_tags_get` (`failure`)
- `case_reporters_get` (`failure`)
- `case_find_statuses` (`failure`)
- `case_user_actions_get` (`failure`)
- `case_user_actions_find` (`failure`)
- `case_user_action_get_metrics` (`failure`)
- `case_user_action_get_users` (`failure`)
- `case_connectors_get` (`failure`)
- `ml_infer_trained_model` (`failure`)

### Category: web

Actions:

- `http_request`

## Audit schema [xpack-security-ecs-audit-schema]

Audit logs are written in JSON following the Elastic Common Schema (ECS) specification.

### Base fields

- `@timestamp`
- `message`

### Event fields

- `event.action`
- `event.category`
- `event.type`
- `event.outcome`

### User fields

- `user.id`
- `user.name`
- `user.roles[]`

### Kibana fields

- `kibana.space_id`
- `kibana.session_id`
- `kibana.saved_object.type`
- `kibana.saved_object.id`
- `kibana.authentication_provider`
- `kibana.authentication_type`
- `kibana.authentication_realm`
- `kibana.lookup_realm`
- `kibana.add_to_spaces[]`
- `kibana.delete_from_spaces[]`

### Error fields

- `error.code`
- `error.message`

### HTTP and URL fields

- `client.ip`
- `http.request.method`
- `http.request.headers.x-forwarded-for`
- `url.domain`
- `url.path`
- `url.port`
- `url.query`
- `url.scheme`

### Tracing fields

- `trace.id`
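As an added example (not part of the Kibana documentation or code base), the following Python script shows how a defender can use the event taxonomy and the schema fields listed above when triaging audit logs: it parses JSON-lines audit output, aggregates events by `event.category`, `event.action` and `event.outcome`, flags client IPs with repeated `user_login` failures, groups the actions of one request through `trace.id`, and lists asynchronous write operations (event types `creation`, `change`, `deletion`) whose outcome was not yet known when logged, which is exactly the case the note above says must be cross-checked against the {{es}} logs. The sample records are constructed for this example; the assumption that `event.category` and `event.type` are written as arrays and that an unconfirmed write carries the outcome value `unknown` is this example's, not something this page states.

```python
"""Triage Kibana audit events (ECS JSON lines) by category, action, outcome and trace.id."""
import json
from collections import Counter, defaultdict

# Constructed sample records, not real Kibana output. Field names follow the audit
# schema on the page; event.category/event.type as arrays and "unknown" as the outcome
# of an unconfirmed write are assumptions made for this example.
SAMPLE_AUDIT_LOG = r"""
{"@timestamp":"2025-03-04T13:55:01Z","message":"login failed","event":{"action":"user_login","category":["authentication"],"outcome":"failure"},"user":{"name":"alice"},"client":{"ip":"198.51.100.7"},"trace":{"id":"t-001"},"error":{"message":"invalid credentials"}}
{"@timestamp":"2025-03-04T13:55:04Z","message":"login failed","event":{"action":"user_login","category":["authentication"],"outcome":"failure"},"user":{"name":"alice"},"client":{"ip":"198.51.100.7"},"trace":{"id":"t-002"},"error":{"message":"invalid credentials"}}
{"@timestamp":"2025-03-04T13:55:09Z","message":"login failed","event":{"action":"user_login","category":["authentication"],"outcome":"failure"},"user":{"name":"alice"},"client":{"ip":"198.51.100.7"},"trace":{"id":"t-003"},"error":{"message":"invalid credentials"}}
{"@timestamp":"2025-03-04T13:56:00Z","message":"login ok","event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"bob","roles":["editor"]},"client":{"ip":"203.0.113.9"},"trace":{"id":"t-004"}}
{"@timestamp":"2025-03-04T13:56:10Z","message":"POST /api/saved_objects/dashboard","event":{"action":"http_request","category":["web"],"outcome":"unknown"},"user":{"name":"bob"},"client":{"ip":"203.0.113.9"},"http":{"request":{"method":"post"}},"url":{"path":"/api/saved_objects/dashboard"},"trace":{"id":"t-005"}}
{"@timestamp":"2025-03-04T13:56:10Z","message":"creating dashboard","event":{"action":"saved_object_create","category":["database"],"type":["creation"],"outcome":"unknown"},"user":{"name":"bob"},"kibana":{"space_id":"default","saved_object":{"type":"dashboard","id":"dash-1"}},"trace":{"id":"t-005"}}
{"@timestamp":"2025-03-04T13:57:00Z","message":"reading dashboard","event":{"action":"saved_object_get","category":["database"],"type":["access"],"outcome":"success"},"user":{"name":"bob"},"kibana":{"space_id":"default","saved_object":{"type":"dashboard","id":"dash-1"}},"trace":{"id":"t-006"}}
this line is not JSON and must be skipped
{"@timestamp":"2025-03-04T13:58:00Z","message":"delete denied","event":{"action":"saved_object_delete","category":["database"],"type":["deletion"],"outcome":"failure"},"user":{"name":"carol"},"kibana":{"space_id":"default","saved_object":{"type":"dashboard","id":"dash-1"}},"trace":{"id":"t-007"},"error":{"code":"403","message":"Forbidden"}}
"""

# Event types that correspond to write operations in the taxonomy above.
WRITE_TYPES = {"creation", "change", "deletion"}


def field(record, path, default=None):
    """Read a dotted ECS path such as 'event.outcome' from a nested record."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def first(value):
    """ECS category/type may be lists; normalise to the first element (or the scalar)."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def parse_audit_log(text):
    """Parse JSON-lines audit output; returns (records, number_of_malformed_lines)."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1  # never let one bad line abort the triage run
    return records, malformed


def outcome_summary(records):
    """Count events by (category, action, outcome) for a quick overview."""
    return Counter(
        (first(field(r, "event.category")), field(r, "event.action"), field(r, "event.outcome"))
        for r in records
    )


def failed_logins_by_ip(records, threshold=3):
    """Client IPs with at least `threshold` failed user_login events."""
    counts = Counter(
        field(r, "client.ip")
        for r in records
        if field(r, "event.action") == "user_login" and field(r, "event.outcome") == "failure"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def actions_by_trace(records):
    """Group the actions of one request via trace.id, preserving log order."""
    grouped = defaultdict(list)
    for r in records:
        grouped[field(r, "trace.id")].append(field(r, "event.action"))
    return dict(grouped)


def unconfirmed_writes(records):
    """Write operations logged before the {es} response arrived (outcome neither success nor failure).

    These are the events the note in the documentation says must be checked against the
    corresponding {es} logs for write errors.
    """
    return [
        (field(r, "trace.id"), field(r, "event.action"), field(r, "kibana.saved_object.id"))
        for r in records
        if first(field(r, "event.type")) in WRITE_TYPES
        and field(r, "event.outcome") not in ("success", "failure")
    ]


if __name__ == "__main__":
    recs, bad = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"{len(recs)} events parsed, {bad} malformed line(s) skipped")
    for key, n in sorted(outcome_summary(recs).items(), key=str):
        print(f"{n:3d}  category={key[0]} action={key[1]} outcome={key[2]}")
    print("repeated login failures:", failed_logins_by_ip(recs))
    print("actions for trace t-005:", actions_by_trace(recs)["t-005"])
    print("writes to confirm in {es} logs:", unconfirmed_writes(recs))
```

Pointing `parse_audit_log` at the contents of a real audit appender output file instead of `SAMPLE_AUDIT_LOG` is enough to run the same checks on production data; the `field` helper tolerates records that omit optional fields such as `client.ip` or `kibana.saved_object.id`.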