kibana-audit

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Kibana Audit Logging

Kibana审计日志

Enable and configure audit logging for Kibana via

kibana.yml

. Kibana audit logs cover application-layer security events that Elasticsearch does not see: saved object CRUD (dashboards, visualizations, index patterns, rules, cases), login/logout, session expiry, space operations, and Kibana-level RBAC enforcement.

For Elasticsearch audit logging (authentication failures, access grants/denials, security config changes), see elasticsearch-audit. For authentication and API key management, see elasticsearch-authn. For roles and user management, see elasticsearch-authz.

For detailed event types, schema, and correlation queries, see references/api-reference.md.

Deployment note: Kibana audit configuration differs across deployment types. See Deployment Compatibility for details.

通过

kibana.yml

启用并配置Kibana审计日志。Kibana审计日志覆盖Elasticsearch无法监控的应用层安全事件：已保存对象的CRUD操作（仪表板、可视化图表、索引模式、规则、案例）、登录/登出、会话过期、空间操作以及Kibana级别的RBAC权限管控。

关于Elasticsearch审计日志（认证失败、访问授权/拒绝、安全配置变更），请查看elasticsearch-audit。关于认证和API密钥管理，请查看elasticsearch-authn。关于角色和用户管理，请查看elasticsearch-authz。

如需详细的事件类型、schema和关联查询，请参阅references/api-reference.md。

部署说明： 不同部署类型下的Kibana审计配置有所不同。详情请查看部署兼容性。

Jobs to Be Done

适用场景

Enable or disable Kibana audit logging
Configure audit log output (rolling file, console)
Filter out noisy events (e.g.
```
saved_object_find
```
)
Investigate saved object access or deletion events
Track Kibana login/logout and session activity
Monitor space creation, modification, and deletion
Correlate Kibana audit events with Elasticsearch audit logs via
```
trace.id
```
Ship Kibana audit logs to Elasticsearch for unified querying

启用或禁用Kibana审计日志
配置审计日志输出（滚动文件、控制台）
过滤冗余事件（如
```
saved_object_find
```
）
调查已保存对象的访问或删除事件
跟踪Kibana登录/登出及会话活动
监控空间的创建、修改和删除操作
通过
```
trace.id
```
关联Kibana与Elasticsearch审计日志
将Kibana审计日志发送至Elasticsearch以实现统一查询

Prerequisites

前提条件

Item	Description
Kibana access	Filesystem access to `kibana.yml` (self-managed) or Cloud console access (ECH)
License	Audit logging requires a gold, platinum, enterprise, or trial license
Elasticsearch URL	Cluster endpoint for correlation queries against `.security-audit-*`

Prompt the user for any missing values.

项目	说明
Kibana访问权限	拥有 `kibana.yml` 的文件系统访问权限（自管部署）或Cloud控制台访问权限（ECH）
许可证	审计日志功能需要gold、platinum、enterprise或试用版许可证
Elasticsearch地址	用于关联查询 `.security-audit-*` 索引的集群端点

若有缺失信息，请提示用户补充。

Enable Kibana Audit Logging

启用Kibana审计日志

Kibana audit is configured statically in

kibana.yml

(not via API). A Kibana restart is required after changes.

yaml

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /path/to/kibana/data/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

To disable, set

xpack.security.audit.enabled

false

and restart Kibana.

Kibana审计需在

kibana.yml

中静态配置（无法通过API配置）。修改配置后需要重启Kibana。

yaml

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /path/to/kibana/data/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

若要禁用，将

xpack.security.audit.enabled

设置为

false

并重启Kibana。

Appender types

输出器类型

Type	Description
`rolling-file`	Writes to a file with rotation policy. Recommended.
`console`	Writes to stdout. Useful for containerized deployments.

类型	说明
`rolling-file`	写入文件并应用轮转策略，推荐使用。
`console`	写入标准输出，适用于容器化部署。

Event Types

事件类型

Kibana audit events use ECS format with the same core fields as ES audit (

event.action

event.outcome

user.name

trace.id

@timestamp

) plus Kibana-specific fields like

kibana.saved_object.type

kibana.saved_object.id

, and

kibana.space_id

Key event actions:

Event action	Description	Category
`saved_object_create`	A saved object was created	database
`saved_object_get`	A saved object was read	database
`saved_object_update`	A saved object was updated	database
`saved_object_delete`	A saved object was deleted	database
`saved_object_find`	A saved object search was performed	database
`saved_object_open_point_in_time`	A PIT was opened on saved objects	database
`saved_object_close_point_in_time`	A PIT was closed on saved objects	database
`saved_object_resolve`	A saved object was resolved (alias redirect)	database
`login`	A user logged in (success or failure)	authentication
`logout`	A user logged out	authentication
`session_cleanup`	An expired session was cleaned up	authentication
`access_agreement_acknowledged`	A user accepted the access agreement	authentication
`space_create`	A Kibana space was created	web
`space_update`	A Kibana space was updated	web
`space_delete`	A Kibana space was deleted	web
`space_get`	A Kibana space was retrieved	web

See references/api-reference.md for the complete event schema.

Kibana审计事件采用ECS格式，包含与ES审计相同的核心字段（

event.action

、

event.outcome

、

user.name

、

trace.id

、

@timestamp

），以及Kibana专属字段如

kibana.saved_object.type

、

kibana.saved_object.id

和

kibana.space_id

。

关键事件动作：

事件动作	说明	分类
`saved_object_create`	已保存对象被创建	数据库
`saved_object_get`	已保存对象被读取	数据库
`saved_object_update`	已保存对象被更新	数据库
`saved_object_delete`	已保存对象被删除	数据库
`saved_object_find`	执行了已保存对象搜索操作	数据库
`saved_object_open_point_in_time`	在已保存对象上开启了PIT	数据库
`saved_object_close_point_in_time`	在已保存对象上关闭了PIT	数据库
`saved_object_resolve`	已保存对象被解析（别名重定向）	数据库
`login`	用户登录（成功或失败）	身份验证
`logout`	用户登出	身份验证
`session_cleanup`	过期会话被清理	身份验证
`access_agreement_acknowledged`	用户接受了访问协议	身份验证
`space_create`	Kibana空间被创建	Web操作
`space_update`	Kibana空间被更新	Web操作
`space_delete`	Kibana空间被删除	Web操作
`space_get`	Kibana空间被获取	Web操作

完整的事件schema请参阅references/api-reference.md。

Filter Policies

过滤策略

Suppress noisy events using

ignore_filters

kibana.yml

yaml

xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]

Filter field	Type	Description
`actions`	list	Event actions to ignore
`categories`	list	Event categories to ignore

An event is filtered out if it matches all specified fields within a single filter entry.

在

kibana.yml

中使用

ignore_filters

抑制冗余事件：

yaml

xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]

过滤字段	类型	说明
`actions`	列表	需要忽略的事件动作
`categories`	列表	需要忽略的事件分类

当事件与单个过滤条目中的所有指定字段匹配时，该事件将被过滤。

Correlate with Elasticsearch Audit Logs

与Elasticsearch审计日志关联

When Kibana makes requests to Elasticsearch on behalf of a user, both systems record the same

trace.id

(passed via the

X-Opaque-Id

header). This is the primary key for correlating events across the two audit logs.

Prerequisite: Elasticsearch audit must be enabled via the cluster settings API. See the elasticsearch-audit skill for setup instructions, event types, and ES-specific filter policies.

当Kibana代表用户向Elasticsearch发起请求时，两个系统会记录相同的

trace.id

（通过

X-Opaque-Id

头传递）。这是跨两个审计日志关联事件的主键。

前提条件： 需通过集群设置API启用Elasticsearch审计日志。请查看elasticsearch-audit技能了解设置说明、事件类型及ES专属过滤策略。

Correlation workflow

关联流程

Find the suspicious event in the Kibana audit log.
Extract its
```
trace.id
```
value.
Search the ES audit index (
```
.security-audit-*
```
) for all events with the same
```
trace.id
```
.
Review the combined timeline to understand what ES-level operations the Kibana action triggered.

The elasticsearch-audit skill also documents this workflow from the ES side — use it when starting from an ES audit event and looking for the originating Kibana action.

在Kibana审计日志中找到可疑事件。
提取其
```
trace.id
```
值。
在ES审计索引（
```
.security-audit-*
```
）中搜索所有包含该
```
trace.id
```
的事件。
查看合并后的时间线，了解Kibana动作触发的所有ES级操作。

elasticsearch-audit技能也从ES侧记录了此流程——当从ES审计事件入手并查找对应的Kibana触发动作时，可以使用该技能。

Search ES audit by trace ID

通过Trace ID搜索ES审计日志

Given a suspicious Kibana event (e.g. a saved object deletion), extract its

trace.id

and search the ES audit index:

bash

curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "trace.id": "'"${TRACE_ID}"'" } },
          { "range": { "@timestamp": { "gte": "now-24h" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "asc" } }]
  }'

Secondary correlation fields:

user.name

source.ip

, and

@timestamp

(time-window joins).

若发现可疑的Kibana事件（如已保存对象被删除），提取其

trace.id

并搜索ES审计索引：

bash

curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "trace.id": "'"${TRACE_ID}"'" } },
          { "range": { "@timestamp": { "gte": "now-24h" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "asc" } }]
  }'

次要关联字段：

user.name

、

source.ip

和

@timestamp

（时间窗口关联）。

Ship Kibana audit logs to Elasticsearch

将Kibana审计日志发送至Elasticsearch

To query Kibana audit events alongside ES audit events, ship the Kibana audit log file to an Elasticsearch index using Filebeat:

yaml

filebeat.inputs:
  - type: log
    paths: ["/path/to/kibana/data/audit.log"]
    json.keys_under_root: true
    json.add_error_key: true

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  index: "kibana-audit-%{+yyyy.MM.dd}"

Once indexed, both

.security-audit-*

(ES) and

kibana-audit-*

(Kibana) can be searched together using a multi-index query filtered by

trace.id

若要在同一界面查询Kibana与ES审计事件，可通过Filebeat将Kibana审计日志文件发送至Elasticsearch索引：

yaml

filebeat.inputs:
  - type: log
    paths: ["/path/to/kibana/data/audit.log"]
    json.keys_under_root: true
    json.add_error_key: true

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  index: "kibana-audit-%{+yyyy.MM.dd}"

完成索引后，可通过多索引查询同时搜索

.security-audit-*

（ES）和

kibana-audit-*

（Kibana），并通过

trace.id

过滤。

Examples

示例

Enable Kibana audit for compliance

为合规需求启用Kibana审计

Request: "Enable Kibana audit logging and keep 10 rotated log files."

yaml

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /var/log/kibana/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

Restart Kibana after applying.

需求： "启用Kibana审计日志并保留10个轮转日志文件。"

yaml

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /var/log/kibana/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

应用配置后重启Kibana。

Investigate a deleted dashboard

调查被删除的仪表板

Request: "Someone deleted a dashboard. Check the Kibana audit log."

Search the Kibana audit log (or the indexed

kibana-audit-*

data) for

saved_object_delete

events with

kibana.saved_object.type: dashboard

. Extract the

trace.id

and cross-reference with the ES audit index to see the underlying Elasticsearch operations.

需求： "有人删除了一个仪表板，请检查Kibana审计日志。"

在Kibana审计日志（或已索引的

kibana-audit-*

数据）中搜索

saved_object_delete

事件，且

kibana.saved_object.type: dashboard

。提取

trace.id

并与ES审计索引交叉比对，查看底层的Elasticsearch操作。

Reduce audit noise from saved object searches

减少已保存对象搜索产生的审计日志冗余

Request: "Kibana audit logs are too large because of constant saved_object_find events."

yaml

xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]

This suppresses high-volume read operations while preserving create, update, and delete events.

需求： "Kibana审计日志过大，因为频繁产生

saved_object_find

事件。"

yaml

xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]

此配置会抑制高频率的读取操作，同时保留创建、更新和删除事件。

Guidelines

指导原则

Always enable alongside Elasticsearch audit

始终与Elasticsearch审计日志同时启用

For full coverage, enable audit in both

kibana.yml

and Elasticsearch. Without Kibana audit, saved object access and Kibana login events are invisible. Without ES audit, cluster-level operations are invisible. See the elasticsearch-audit skill for ES-side setup.

为实现全面覆盖，请同时在

kibana.yml

和Elasticsearch中启用审计功能。若未启用Kibana审计，已保存对象访问和Kibana登录事件将无法被监控；若未启用ES审计，集群级操作将无法被监控。请查看elasticsearch-audit技能了解ES侧的设置方法。

Use trace.id for correlation

使用trace.id进行关联

When investigating a Kibana event, always extract

trace.id

and search the ES audit index (

.security-audit-*

). This reveals the full chain of operations triggered by a single Kibana action. See Correlate with Elasticsearch Audit Logs above for queries.

调查Kibana事件时，务必提取

trace.id

并搜索ES审计索引（

.security-audit-*

）。这将揭示单个Kibana动作触发的完整操作链。关联查询请参阅上方与Elasticsearch审计日志关联部分。

Filter noisy read events

过滤冗余的读取事件

saved_object_find

generates very high volume on busy Kibana instances. Suppress it unless you specifically need to audit read access.

在繁忙的Kibana实例中，

saved_object_find

事件的产生量极大。除非专门需要审计读取访问，否则请抑制该事件。

Ship logs to Elasticsearch for unified querying

将日志发送至Elasticsearch以实现统一查询

Kibana audit logs are written to files by default. Ship them to Elasticsearch via Filebeat for programmatic querying alongside ES audit events.

Kibana审计日志默认写入文件。请通过Filebeat将其发送至Elasticsearch，以便与ES审计事件一同进行程序化查询。

Rotate and retain appropriately

合理配置日志轮转与保留

Configure rolling-file rotation to avoid filling the disk. A 30-90 day retention is typical for compliance.

配置滚动文件轮转策略以避免磁盘被占满。合规场景下通常保留30-90天的日志。

Deployment Compatibility

部署兼容性

Capability	Self-managed	ECH	Serverless
Kibana audit ( `kibana.yml` )	Yes	Via Cloud UI	Not available
Rolling-file appender	Yes	Via Cloud UI	Not available
Console appender	Yes	Yes	Not available
Ignore filters	Yes	Via Cloud UI	Not available
Correlate via `trace.id`	Yes	Yes	Not available
Ship to ES via Filebeat	Yes	Yes	Not available

ECH notes: Kibana audit is enabled via the deployment edit page in the Cloud console. Log files are accessible through the Cloud console deployment logs.

Serverless notes:

Kibana audit logging is not user-configurable on Serverless. Security events are managed by Elastic as part of the platform.
If a user asks about Kibana auditing on Serverless, direct them to the Elastic Cloud console or their account team.

功能	自管部署	ECH	无服务器部署
Kibana审计（ `kibana.yml` ）	支持	通过Cloud UI支持	不支持
滚动文件输出器	支持	通过Cloud UI支持	不支持
控制台输出器	支持	支持	不支持
忽略过滤器	支持	通过Cloud UI支持	不支持
通过 `trace.id` 关联	支持	支持	不支持
通过Filebeat发送至ES	支持	支持	不支持

ECH说明： Kibana审计需通过Cloud控制台的部署编辑页面启用。日志文件可通过Cloud控制台的部署日志功能访问。

无服务器部署说明：

无服务器部署下的Kibana审计日志无法由用户配置。安全事件由Elastic作为平台的一部分进行管理。
若用户询问无服务器部署下的Kibana审计，请引导其查看Elastic Cloud控制台或联系客户团队。