SKILL.md
- Enable or disable Kibana audit logging
- Configure audit log output (rolling file, console)
- Filter out noisy events (e.g. `saved_object_find`)
- Investigate saved object access or deletion events
- Track Kibana login/logout and session activity
- Monitor space creation, modification, and deletion
- Correlate Kibana audit events with Elasticsearch audit logs via `trace.id`
- Ship Kibana audit logs to Elasticsearch for unified querying
## Prerequisites

| Item | Description |
|---|---|
| Kibana access | Filesystem access to `kibana.yml` (self-managed) or Cloud console access (ECH) |
| License | Audit logging requires a gold, platinum, enterprise, or trial license |
| Elasticsearch URL | Cluster endpoint for correlation queries against `.security-audit-*` |

Prompt the user for any missing values.
## Enable Kibana Audit Logging

Kibana audit is configured statically in `kibana.yml` (not via API). A Kibana restart is required after changes.

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /path/to/kibana/data/audit.log
  policy:
    type: time-interval   # rotate once per interval
    interval: 24h
  strategy:
    type: numeric         # keep the last `max` rotated files, then delete the oldest
    max: 10
  layout:
    type: json            # ECS audit events are written as one JSON object per line
```

To disable, set `xpack.security.audit.enabled` to `false` and restart Kibana.
### Appender types

| Type | Description |
|---|---|
| `rolling-file` | Writes to a file with a rotation policy. Recommended. |
| `console` | Writes to stdout; pair it with `layout.type: json` so the events stay machine-parseable. Useful for containerized deployments where a log collector reads stdout. |
## Event Types

Kibana audit events use ECS format with the same core fields as ES audit (`event.action`, `event.outcome`, `user.name`, `trace.id`, `@timestamp`) plus Kibana-specific fields like `kibana.saved_object.type`, `kibana.saved_object.id`, and `kibana.space_id`. Note that `event.category` and `event.type` are arrays (for example `"category": ["database"]`), which matters when writing queries and filters.

Key event actions:

| Event action | Description | Category |
|---|---|---|
| `saved_object_create` | A saved object was created | database |
| `saved_object_get` | A saved object was read | database |
| `saved_object_update` | A saved object was updated | database |
| `saved_object_delete` | A saved object was deleted | database |
| `saved_object_find` | A saved object search was performed | database |
| `saved_object_open_point_in_time` | A PIT was opened on saved objects | database |
| `saved_object_close_point_in_time` | A PIT was closed on saved objects | database |
| `saved_object_resolve` | A saved object was resolved (alias redirect) | database |
| `user_login` | A user logged in (success or failure) | authentication |
| `user_logout` | A user logged out | authentication |
| `session_cleanup` | An expired session was cleaned up | authentication |
| `access_agreement_acknowledged` | A user accepted the access agreement | authentication |
| `space_create` | A Kibana space was created | database |
| `space_update` | A Kibana space was updated | database |
| `space_delete` | A Kibana space was deleted | database |
| `space_get` | A Kibana space was retrieved | database |
| `http_request` | An HTTP request reached Kibana | web |

Write actions (`saved_object_create`, `saved_object_update`, `saved_object_delete`, and the `space_*` writes) are logged before the operation executes, so a successful write carries `event.outcome: unknown`; `failure` means the user was not authorized. Do not filter on `event.outcome: success` when hunting for deletions or you will miss every one of them.

See `references/api-reference.md` for the complete event schema.
## Filter Policies

Suppress noisy events using `ignore_filters` in `kibana.yml`:

```yaml
xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]
```

| Filter field | Type | Description |
|---|---|---|
| `actions` | list | Event actions to ignore |
| `categories` | list | Event categories to ignore |

An event is filtered out if it matches all specified fields within a single filter entry; entries are independent of each other, so an event is dropped as soon as any one entry matches it in full. Kibana also accepts `types`, `outcomes`, `spaces`, and `users` as filter fields under the same rule, which lets you drop, for example, successful logins while keeping failed ones.
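The matching rule above, as an added example that is not Kibana's own implementation: a Python function that applies a list of `ignore_filters` entries to audit events read as ndjson. The events and filters are constructed for the example; the mapping of the four extra filter keys (`types`, `outcomes`, `spaces`, `users`) to ECS fields is an assumption made from their names, and an entry with no fields is treated as a no-op here rather than as a match-all.

```python
"""Apply Kibana-style ignore_filters to ECS audit events.

Added example (not Kibana's implementation): it follows the documented rule
that an event is dropped when at least one filter entry matches on every
field that entry specifies. Sample events and filters are constructed.
"""
import json

# kibana.yml filter key -> ECS field path it is compared against. `actions`
# and `categories` come from the page's config; the remaining keys are mapped
# by name as an assumption.
FILTER_FIELDS = {
    "actions": ("event", "action"),
    "categories": ("event", "category"),
    "types": ("event", "type"),
    "outcomes": ("event", "outcome"),
    "spaces": ("kibana", "space_id"),
    "users": ("user", "name"),
}

IGNORE_FILTERS = [
    # Drop the noisy saved-object searches (both fields must match).
    {"actions": ["saved_object_find"], "categories": ["database"]},
    # Drop successful logins but keep failed ones.
    {"actions": ["user_login"], "outcomes": ["success"]},
]

# Constructed Kibana audit lines (ndjson), not captured from a real instance.
SAMPLE_LINES = [
    '{"@timestamp":"2024-05-01T10:00:00.000Z","event":{"action":"saved_object_find",'
    '"category":["database"],"outcome":"success"},"user":{"name":"jdoe"}}',
    '{"@timestamp":"2024-05-01T10:00:01.000Z","event":{"action":"saved_object_delete",'
    '"category":["database"],"outcome":"unknown"},"user":{"name":"jdoe"},'
    '"kibana":{"saved_object":{"type":"dashboard","id":"dash-0001"}}}',
    '{"@timestamp":"2024-05-01T10:00:02.000Z","event":{"action":"user_login",'
    '"category":["authentication"],"outcome":"success"},"user":{"name":"jdoe"}}',
    '{"@timestamp":"2024-05-01T10:00:03.000Z","event":{"action":"user_login",'
    '"category":["authentication"],"outcome":"failure"},"user":{"name":"mallory"}}',
]


def _lookup(event, path):
    """Walk a nested dict along `path`; None if any segment is missing."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _field_matches(value, allowed):
    """Membership test that handles ECS array fields such as event.category."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(v in allowed for v in values)


def is_ignored(event, ignore_filters):
    """True if some entry matches the event on all of the fields it lists."""
    for rule in ignore_filters:
        if not rule:
            continue  # an entry with no fields is treated as a no-op here (assumption)
        unknown = set(rule) - set(FILTER_FIELDS)
        if unknown:
            raise ValueError(f"unsupported filter field(s): {sorted(unknown)}")
        if all(_field_matches(_lookup(event, FILTER_FIELDS[k]), allowed)
               for k, allowed in rule.items()):
            return True
    return False


def apply_filters(ndjson_lines, ignore_filters):
    """Parse ndjson audit lines and return the events that survive filtering."""
    kept = []
    for line in ndjson_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_ignored(event, ignore_filters):
            kept.append(event)
    return kept


if __name__ == "__main__":
    for event in apply_filters(SAMPLE_LINES, IGNORE_FILTERS):
        print(event["event"]["action"], event["event"]["outcome"], event["user"]["name"])
```

Running the script keeps only the `saved_object_delete` and the failed `user_login`: the `saved_object_find` is dropped by the first entry, the successful login by the second, and a `saved_object_find` whose category were anything other than `database` would survive because the first entry requires both fields to match.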
## Correlate with Elasticsearch Audit Logs

When Kibana makes requests to Elasticsearch on behalf of a user, both systems record the same `trace.id` (passed via the `X-Opaque-Id` header). This is the primary key for correlating events across the two audit logs.

Prerequisite: Elasticsearch audit must be enabled with `xpack.security.audit.enabled: true` in `elasticsearch.yml` on every node. That setting is static and needs a node restart; only the event-inclusion and ignore-policy settings are dynamic and can be changed through the cluster settings API. Elasticsearch writes its audit events to a file (`<cluster_name>_audit.json` in the node's logs directory), so the `.security-audit-*` index queried here has to be populated by shipping that file, in the same way the Kibana log is shipped in "Ship Kibana audit logs to Elasticsearch" below. See the elasticsearch-audit skill for setup instructions, event types, and ES-specific filter policies.

### Correlation workflow

1. Find the suspicious event in the Kibana audit log.
2. Extract its `trace.id` value.
3. Search the ES audit index (`.security-audit-*`) for all events with the same `trace.id`.
4. Review the combined timeline to understand what ES-level operations the Kibana action triggered.

The elasticsearch-audit skill also documents this workflow from the ES side; use it when starting from an ES audit event and looking for the originating Kibana action.
### Search ES audit by trace ID

Given a suspicious Kibana event (e.g. a saved object deletion), extract its `trace.id` and search the ES audit index:

```shell
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "trace.id": "'"${TRACE_ID}"'" } },
          { "range": { "@timestamp": { "gte": "now-24h" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "asc" } }]
  }'
```

Secondary correlation fields, for when `trace.id` is absent or does not match: `user.name`, the client address (`client.ip` on Kibana events, `origin.address` on Elasticsearch events), and `@timestamp` (time-window joins).
## Ship Kibana audit logs to Elasticsearch

To query Kibana audit events alongside ES audit events, ship the Kibana audit log file to an Elasticsearch index using Filebeat:

```yaml
filebeat.inputs:
  - type: filestream            # the older `log` input is deprecated
    id: kibana-audit
    paths: ["/path/to/kibana/data/audit.log"]
    parsers:
      - ndjson:
          target: ""            # put the ECS fields at the document root
          overwrite_keys: true  # let the event's own @timestamp replace Filebeat's
          add_error_key: true

setup.template.name: "kibana-audit"      # both required once `index` is customised,
setup.template.pattern: "kibana-audit-*" # otherwise Filebeat refuses to start

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  index: "kibana-audit-%{+yyyy.MM.dd}"
```

Once indexed, both `.security-audit-*` (ES) and `kibana-audit-*` (Kibana) can be searched together using a multi-index query filtered by `trace.id`. Give the Filebeat user write-only privileges on `kibana-audit-*` so a compromised Kibana host cannot read or delete the audit trail it feeds.
## Examples

### Enable Kibana audit for compliance

Request: "Enable Kibana audit logging and keep 10 rotated log files."

```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /var/log/kibana/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10
  layout:
    type: json
```

Restart Kibana after applying.
### Investigate a deleted dashboard

Request: "Someone deleted a dashboard. Check the Kibana audit log."

Search the Kibana audit log (or the indexed `kibana-audit-*` data) for `saved_object_delete` events with `kibana.saved_object.type: dashboard` (remember that the deletion itself is logged with `event.outcome: unknown`). Extract the `trace.id` and cross-reference with the ES audit index to see the underlying Elasticsearch operations.
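The investigation above, together with the generic workflow in "Correlate with Elasticsearch Audit Logs", as an added example that is not this skill's tooling or Elastic's: a Python script that does the join offline over ndjson lines (the Kibana audit file and an export of the shipped ES audit documents). The primary join is on `trace.id`; the fallback on `user.name` plus a time window is my reading of the page's "secondary correlation fields" and should be treated as producing candidates, not proof. Every event below is constructed; the ES lines imitate the flat dotted-key layout of the ES audit file, and the index and request names in them are invented.

```python
"""Correlate a Kibana saved_object_delete with Elasticsearch audit events.

Added example, not part of this skill or of Elastic's tooling. It reads both
logs as ndjson and joins them on trace.id, falling back to user.name plus a
time window for ES events that carry no trace.id. All events are constructed;
the ES lines imitate the flat dotted-key layout of the ES audit file, with
made-up index names and request types.
"""
import json
from datetime import datetime, timedelta

KIBANA_LINES = [
    '{"@timestamp":"2024-05-01T10:00:00.000Z","event":{"action":"saved_object_delete",'
    '"category":["database"],"outcome":"unknown"},"user":{"name":"jdoe"},'
    '"kibana":{"space_id":"default","saved_object":{"type":"dashboard","id":"dash-0001"}},'
    '"trace":{"id":"trace-aaa"}}',
    '{"@timestamp":"2024-05-01T10:00:05.000Z","event":{"action":"saved_object_get",'
    '"category":["database"],"outcome":"success"},"user":{"name":"jdoe"},'
    '"kibana":{"space_id":"default","saved_object":{"type":"visualization","id":"vis-0002"}},'
    '"trace":{"id":"trace-bbb"}}',
]

ES_LINES = [
    '{"timestamp":"2024-05-01T10:00:00.120Z","event.action":"access_granted","user.name":"jdoe",'
    '"request.name":"DeleteRequest","indices":[".kibana_8.13.0_001"],"trace.id":"trace-aaa"}',
    '{"timestamp":"2024-05-01T10:00:00.300Z","event.action":"access_granted","user.name":"jdoe",'
    '"request.name":"RefreshRequest","indices":[".kibana_8.13.0_001"],"trace.id":"trace-aaa"}',
    # No trace.id: only reachable through the user + time-window fallback.
    '{"timestamp":"2024-05-01T10:00:02.000Z","event.action":"access_granted","user.name":"jdoe",'
    '"request.name":"SearchRequest","indices":["logs-*"]}',
    '{"timestamp":"2024-05-01T10:00:05.050Z","event.action":"access_granted","user.name":"jdoe",'
    '"request.name":"GetRequest","indices":[".kibana_8.13.0_001"],"trace.id":"trace-bbb"}',
    # Same user, but an hour later and without trace.id: outside the window.
    '{"timestamp":"2024-05-01T11:00:00.000Z","event.action":"access_granted","user.name":"jdoe",'
    '"request.name":"SearchRequest","indices":["logs-*"]}',
]


def load_ndjson(lines):
    return [json.loads(line) for line in lines if line.strip()]


def field(event, dotted):
    """Read a dotted field from either a flat document ("trace.id": ...), as the
    ES audit file writes it, or a nested one ({"trace": {"id": ...}}) as Kibana does."""
    if dotted in event:
        return event[dotted]
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def timestamp(event):
    # Kibana uses @timestamp; the raw ES audit file uses timestamp.
    raw = field(event, "@timestamp") or field(event, "timestamp")
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def find_deletions(kibana_events, saved_object_type="dashboard"):
    """Kibana events recording deletion of the given saved object type."""
    return [
        e for e in kibana_events
        if field(e, "event.action") == "saved_object_delete"
        and field(e, "kibana.saved_object.type") == saved_object_type
    ]


def correlate(kibana_event, es_events, window=timedelta(minutes=5)):
    """Build a timeline of (source, join_key, event) for one Kibana event.

    Events joined on trace.id are authoritative; those joined on
    user.name + time window are candidates an analyst still has to vet.
    """
    trace_id = field(kibana_event, "trace.id")
    user = field(kibana_event, "user.name")
    t0 = timestamp(kibana_event)
    timeline = [("kibana", "origin", kibana_event)]
    for e in es_events:
        es_trace = field(e, "trace.id")
        if trace_id and es_trace == trace_id:
            timeline.append(("elasticsearch", "trace.id", e))
        elif es_trace is None and field(e, "user.name") == user \
                and abs(timestamp(e) - t0) <= window:
            timeline.append(("elasticsearch", "user+time", e))
    timeline.sort(key=lambda item: timestamp(item[2]))
    return timeline


if __name__ == "__main__":
    deletions = find_deletions(load_ndjson(KIBANA_LINES))
    for source, key, event in correlate(deletions[0], load_ndjson(ES_LINES)):
        print(timestamp(event).isoformat(), source, key,
              field(event, "event.action"), field(event, "request.name"))
```

For the sample data the timeline is the Kibana deletion, the two ES requests sharing `trace-aaa` (a delete and a refresh against the saved-objects index), and one `SearchRequest` pulled in only by the user-plus-window fallback; the `trace-bbb` request and the search an hour later are excluded. In practice, feed `ES_LINES` from the `_search` hits of the query in "Search ES audit by trace ID", or from an ndjson export of `.security-audit-*`.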
### Reduce audit noise from saved object searches

Request: "Kibana audit logs are too large because of constant `saved_object_find` events."

```yaml
xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]
```

This suppresses high-volume read operations while preserving create, update, and delete events.
## Guidelines

### Always enable alongside Elasticsearch audit

For full coverage, enable audit in both `kibana.yml` and Elasticsearch. Without Kibana audit, saved object access and Kibana login events are invisible. Without ES audit, cluster-level operations are invisible. See the elasticsearch-audit skill for ES-side setup.

### Use trace.id for correlation

When investigating a Kibana event, always extract `trace.id` and search the ES audit index (`.security-audit-*`). This reveals the full chain of operations triggered by a single Kibana action. See [Correlate with Elasticsearch Audit Logs](#correlate-with-elasticsearch-audit-logs) above for queries.

### Filter noisy read events

`saved_object_find` generates very high volume on busy Kibana instances. Suppress it unless you specifically need to audit read access. `saved_object_get` records who opened a specific object and is usually worth keeping; it is the search/listing traffic that produces the bulk.

### Ship logs to Elasticsearch for unified querying

With the rolling-file appender, Kibana audit events stay in a file on the Kibana host. Ship them to Elasticsearch via Filebeat for programmatic querying alongside ES audit events.

### Rotate and retain appropriately

Configure rolling-file rotation to avoid filling the disk. A 30-90 day retention is typical for compliance; note that the `interval: 24h` / `max: 10` configuration above keeps only about ten days of local files, so either raise `max` or rely on the retention policy of the shipped index for the compliance window.
## Deployment Compatibility

| Capability | Self-managed | ECH | Serverless |
|---|---|---|---|
| Kibana audit (`kibana.yml`) | Yes | Via Cloud UI | Not available |
| Rolling-file appender | Yes | Via Cloud UI | Not available |
| Console appender | Yes | Yes | Not available |
| Ignore filters | Yes | Via Cloud UI | Not available |
| Correlate via `trace.id` | Yes | Yes | Not available |
| Ship to ES via Filebeat | Yes | Yes | Not available |

ECH notes: Kibana audit is enabled via the deployment edit page in the Cloud console. Log files are accessible through the Cloud console deployment logs.

Serverless notes:

- Kibana audit logging is not user-configurable on Serverless. Security events are managed by Elastic as part of the platform.
- If a user asks about Kibana auditing on Serverless, direct them to the Elastic Cloud console or their account team.