Kibana 审计日志配置指南：启用、过滤与关联 Elasticsearch 安全事件

kibana-audit by elastic/agent-skills

220 周安装量

306 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/elastic/agent-skills --skill kibana-audit

数据分析监控安全

🇨🇳中文介绍

Kibana 审计日志

通过 kibana.yml 启用和配置 Kibana 的审计日志。Kibana 审计日志涵盖了 Elasticsearch 无法看到的应用程序层安全事件：已保存对象的增删改查（仪表板、可视化、索引模式、规则、案例）、登录/登出、会话过期、空间操作以及 Kibana 级别的 RBAC 强制执行。

关于 Elasticsearch 审计日志（认证失败、访问授权/拒绝、安全配置更改），请参阅 elasticsearch-audit。关于认证和 API 密钥管理，请参阅 elasticsearch-authn。关于角色和用户管理，请参阅 elasticsearch-authz。

关于详细的事件类型、模式和关联查询，请参阅 references/api-reference.md。

部署说明： Kibana 审计配置因部署类型而异。详情请参阅部署兼容性部分。

待完成的任务

启用或禁用 Kibana 审计日志
配置审计日志输出（滚动文件、控制台）
过滤掉嘈杂的事件（例如 saved_object_find）
调查已保存对象的访问或删除事件
跟踪 Kibana 登录/登出和会话活动
监控空间的创建、修改和删除
通过 trace.id 将 Kibana 审计事件与 Elasticsearch 审计日志关联起来
将 Kibana 审计日志发送到 Elasticsearch 以进行统一查询

先决条件

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

启用 Kibana 审计日志

Kibana 审计在 kibana.yml 中静态配置（非通过 API）。更改后需要重启 Kibana。

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /path/to/kibana/data/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

要禁用，请将 xpack.security.audit.enabled 设置为 false 并重启 Kibana。

类型	描述
`rolling-file`	写入到具有轮转策略的文件。推荐使用。
`console`	写入到标准输出。适用于容器化部署。

Kibana 审计事件使用 ECS 格式，具有与 ES 审计相同的核心字段（event.action、event.outcome、user.name、trace.id、@timestamp），外加 Kibana 特定字段，如 kibana.saved_object.type、kibana.saved_object.id 和 kibana.space_id。

关键事件操作：

事件操作	描述	类别
`saved_object_create`	已保存对象被创建	database
`saved_object_get`	已保存对象被读取	database
`saved_object_update`	已保存对象被更新	database
`saved_object_delete`	已保存对象被删除	database
`saved_object_find`	执行了已保存对象搜索	database
`saved_object_open_point_in_time`	在已保存对象上打开了 PIT	database
`saved_object_close_point_in_time`	在已保存对象上关闭了 PIT	database
`saved_object_resolve`	已保存对象被解析（别名重定向）	database
`login`	用户登录（成功或失败）	authentication
`logout`	用户登出	authentication
`session_cleanup`	过期的会话被清理	authentication
`access_agreement_acknowledged`	用户接受了访问协议	authentication
`space_create`	Kibana 空间被创建	web
`space_update`	Kibana 空间被更新	web
`space_delete`	Kibana 空间被删除	web
`space_get`	Kibana 空间被检索	web

完整的事件模式请参阅 references/api-reference.md。

使用 kibana.yml 中的 ignore_filters 来抑制嘈杂事件：

xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]

过滤字段	类型	描述
`actions`	list	要忽略的事件操作
`categories`	list	要忽略的事件类别

如果一个事件匹配单个过滤条目内所有指定的字段，则会被过滤掉。

与 Elasticsearch 审计日志关联

当 Kibana 代表用户向 Elasticsearch 发出请求时，两个系统都会记录相同的 trace.id（通过 X-Opaque-Id 标头传递）。这是关联两个审计日志中事件的主键。

先决条件： 必须通过集群设置 API 启用 Elasticsearch 审计。有关设置说明、事件类型和 ES 特定过滤策略，请参阅 elasticsearch-audit 技能。

在 Kibana 审计日志中找到可疑事件。
提取其 trace.id 值。
在 ES 审计索引（.security-audit-*）中搜索所有具有相同 trace.id 的事件。
查看合并的时间线，以了解 Kibana 操作触发了哪些 ES 级别的操作。

elasticsearch-audit 技能也从 ES 端记录了此工作流程——当从 ES 审计事件开始并寻找原始的 Kibana 操作时，请使用它。

通过 trace ID 搜索 ES 审计

给定一个可疑的 Kibana 事件（例如，已保存对象删除），提取其 trace.id 并搜索 ES 审计索引：

curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "trace.id": "'"${TRACE_ID}"'" } },
          { "range": { "@timestamp": { "gte": "now-24h" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "asc" } }]
  }'

次要关联字段：user.name、source.ip 和 @timestamp（时间窗口连接）。

将 Kibana 审计日志发送到 Elasticsearch

为了将 Kibana 审计事件与 ES 审计事件一起查询，请使用 Filebeat 将 Kibana 审计日志文件发送到 Elasticsearch 索引：

filebeat.inputs:
  - type: log
    paths: ["/path/to/kibana/data/audit.log"]
    json.keys_under_root: true
    json.add_error_key: true

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  index: "kibana-audit-%{+yyyy.MM.dd}"

一旦索引完成，就可以使用按 trace.id 过滤的多索引查询，同时搜索 .security-audit-*（ES）和 kibana-audit-*（Kibana）。

为合规性启用 Kibana 审计

请求： "启用 Kibana 审计日志并保留 10 个轮转的日志文件。"

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /var/log/kibana/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

应用后重启 Kibana。

调查被删除的仪表板

请求： "有人删除了一个仪表板。检查 Kibana 审计日志。"

在 Kibana 审计日志（或已索引的 kibana-audit-* 数据）中搜索 kibana.saved_object.type: dashboard 的 saved_object_delete 事件。提取 trace.id 并与 ES 审计索引交叉引用，以查看底层的 Elasticsearch 操作。

减少来自已保存对象搜索的审计噪音

请求： "由于持续的 saved_object_find 事件，Kibana 审计日志太大。"

xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]

这抑制了高流量的读取操作，同时保留了创建、更新和删除事件。

始终与 Elasticsearch 审计一起启用

为了全面覆盖，请在 kibana.yml 和 Elasticsearch 中都启用审计。没有 Kibana 审计，已保存对象的访问和 Kibana 登录事件将不可见。没有 ES 审计，集群级别的操作将不可见。有关 ES 端设置，请参阅 elasticsearch-audit 技能。

使用 trace.id 进行关联

在调查 Kibana 事件时，始终提取 trace.id 并搜索 ES 审计索引（.security-audit-*）。这揭示了单个 Kibana 操作触发的完整操作链。有关查询，请参阅上面的“与 Elasticsearch 审计日志关联”部分。

过滤嘈杂的读取事件

saved_object_find 在繁忙的 Kibana 实例上会产生非常高的流量。除非您特别需要审计读取访问，否则请抑制它。

将日志发送到 Elasticsearch 以进行统一查询

Kibana 审计日志默认写入文件。通过 Filebeat 将它们发送到 Elasticsearch，以便与 ES 审计事件一起进行程序化查询。

适当轮转和保留

配置滚动文件轮转以避免磁盘空间不足。合规性通常需要 30-90 天的保留期。

功能	自托管	ECH	Serverless
Kibana 审计 (`kibana.yml`)	是	通过 Cloud UI	不可用
滚动文件追加器	是	通过 Cloud UI	不可用
控制台追加器	是	是	不可用
忽略过滤器	是	通过 Cloud UI	不可用
通过 `trace.id` 关联	是	是	不可用
通过 Filebeat 发送到 ES	是	是	不可用

ECH 说明： Kibana 审计通过 Cloud 控制台中的部署编辑页面启用。日志文件可通过 Cloud 控制台部署日志访问。

Serverless 说明：

在 Serverless 上，Kibana 审计日志不可由用户配置。安全事件由 Elastic 作为平台的一部分进行管理。
如果用户询问 Serverless 上的 Kibana 审计，请引导他们到 Elastic Cloud 控制台或他们的客户团队。

🇺🇸English

Kibana Audit Logging

Enable and configure audit logging for Kibana via kibana.yml. Kibana audit logs cover application-layer security events that Elasticsearch does not see: saved object CRUD (dashboards, visualizations, index patterns, rules, cases), login/logout, session expiry, space operations, and Kibana-level RBAC enforcement.

For Elasticsearch audit logging (authentication failures, access grants/denials, security config changes), see elasticsearch-audit. For authentication and API key management, see elasticsearch-authn. For roles and user management, see elasticsearch-authz.

For detailed event types, schema, and correlation queries, see references/api-reference.md.

Deployment note: Kibana audit configuration differs across deployment types. See Deployment Compatibility for details.

Jobs to Be Done

Enable or disable Kibana audit logging
Configure audit log output (rolling file, console)
Filter out noisy events (e.g. saved_object_find)
Investigate saved object access or deletion events
Track Kibana login/logout and session activity
Monitor space creation, modification, and deletion
Correlate Kibana audit events with Elasticsearch audit logs via trace.id
Ship Kibana audit logs to Elasticsearch for unified querying

Prerequisites

Item	Description
Kibana access	Filesystem access to `kibana.yml` (self-managed) or Cloud console access (ECH)
License	Audit logging requires a gold, platinum, enterprise, or trial license
Elasticsearch URL	Cluster endpoint for correlation queries against `.security-audit-*`

Prompt the user for any missing values.

Enable Kibana Audit Logging

Kibana audit is configured statically in kibana.yml (not via API). A Kibana restart is required after changes.

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /path/to/kibana/data/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

To disable, set xpack.security.audit.enabled to false and restart Kibana.

Appender types

Type	Description
`rolling-file`	Writes to a file with rotation policy. Recommended.
`console`	Writes to stdout. Useful for containerized deployments.

Event Types

Kibana audit events use ECS format with the same core fields as ES audit (event.action, event.outcome, user.name, trace.id, @timestamp) plus Kibana-specific fields like kibana.saved_object.type, kibana.saved_object.id, and kibana.space_id.

Key event actions:

Event action	Description	Category
`saved_object_create`	A saved object was created	database
`saved_object_get`	A saved object was read	database
`saved_object_update`	A saved object was updated	database
`saved_object_delete`	A saved object was deleted	database
`saved_object_find`	A saved object search was performed

See references/api-reference.md for the complete event schema.

Filter Policies

Suppress noisy events using ignore_filters in kibana.yml:

xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]

Filter field	Type	Description
`actions`	list	Event actions to ignore
`categories`	list	Event categories to ignore

An event is filtered out if it matches all specified fields within a single filter entry.

Correlate with Elasticsearch Audit Logs

When Kibana makes requests to Elasticsearch on behalf of a user, both systems record the same trace.id (passed via the X-Opaque-Id header). This is the primary key for correlating events across the two audit logs.

Prerequisite: Elasticsearch audit must be enabled via the cluster settings API. See the elasticsearch-audit skill for setup instructions, event types, and ES-specific filter policies.

Correlation workflow

Find the suspicious event in the Kibana audit log.
Extract its trace.id value.
Search the ES audit index (.security-audit-*) for all events with the same trace.id.
Review the combined timeline to understand what ES-level operations the Kibana action triggered.

The elasticsearch-audit skill also documents this workflow from the ES side — use it when starting from an ES audit event and looking for the originating Kibana action.

Search ES audit by trace ID

Given a suspicious Kibana event (e.g. a saved object deletion), extract its trace.id and search the ES audit index:

curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "trace.id": "'"${TRACE_ID}"'" } },
          { "range": { "@timestamp": { "gte": "now-24h" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "asc" } }]
  }'

Secondary correlation fields: user.name, source.ip, and @timestamp (time-window joins).

Ship Kibana audit logs to Elasticsearch

To query Kibana audit events alongside ES audit events, ship the Kibana audit log file to an Elasticsearch index using Filebeat:

filebeat.inputs:
  - type: log
    paths: ["/path/to/kibana/data/audit.log"]
    json.keys_under_root: true
    json.add_error_key: true

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  index: "kibana-audit-%{+yyyy.MM.dd}"

Once indexed, both .security-audit-* (ES) and kibana-audit-* (Kibana) can be searched together using a multi-index query filtered by trace.id.

Examples

Enable Kibana audit for compliance

Request: "Enable Kibana audit logging and keep 10 rotated log files."

xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: rolling-file
  fileName: /var/log/kibana/audit.log
  policy:
    type: time-interval
    interval: 24h
  strategy:
    type: numeric
    max: 10

Restart Kibana after applying.

Investigate a deleted dashboard

Request: "Someone deleted a dashboard. Check the Kibana audit log."

Search the Kibana audit log (or the indexed kibana-audit-* data) for saved_object_delete events with kibana.saved_object.type: dashboard. Extract the trace.id and cross-reference with the ES audit index to see the underlying Elasticsearch operations.

Reduce audit noise from saved object searches

Request: "Kibana audit logs are too large because of constant saved_object_find events."

xpack.security.audit.ignore_filters:
  - actions: [saved_object_find]
    categories: [database]

This suppresses high-volume read operations while preserving create, update, and delete events.

Guidelines

Always enable alongside Elasticsearch audit

For full coverage, enable audit in both kibana.yml and Elasticsearch. Without Kibana audit, saved object access and Kibana login events are invisible. Without ES audit, cluster-level operations are invisible. See the elasticsearch-audit skill for ES-side setup.

Use trace.id for correlation

When investigating a Kibana event, always extract trace.id and search the ES audit index (.security-audit-*). This reveals the full chain of operations triggered by a single Kibana action. See Correlate with Elasticsearch Audit Logs above for queries.

Filter noisy read events

saved_object_find generates very high volume on busy Kibana instances. Suppress it unless you specifically need to audit read access.

Ship logs to Elasticsearch for unified querying

Kibana audit logs are written to files by default. Ship them to Elasticsearch via Filebeat for programmatic querying alongside ES audit events.

Rotate and retain appropriately

Configure rolling-file rotation to avoid filling the disk. A 30-90 day retention is typical for compliance.

Deployment Compatibility

Capability	Self-managed	ECH	Serverless
Kibana audit (`kibana.yml`)	Yes	Via Cloud UI	Not available
Rolling-file appender	Yes	Via Cloud UI	Not available
Console appender	Yes	Yes	Not available
Ignore filters	Yes	Via Cloud UI	Not available
Correlate via `trace.id`	Yes	Yes	Not available
Ship to ES via Filebeat	Yes

ECH notes: Kibana audit is enabled via the deployment edit page in the Cloud console. Log files are accessible through the Cloud console deployment logs.

Serverless notes:

Kibana audit logging is not user-configurable on Serverless. Security events are managed by Elastic as part of the platform.
If a user asks about Kibana auditing on Serverless, direct them to the Elastic Cloud console or their account team.

Weekly Installs

128

Repository

elastic/agent-skills

GitHub Stars

First Seen

10 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

cursor116

github-copilot111

opencode110

gemini-cli110

codex110

amp109

DOCX文件创建、编辑与分析完整指南 - 使用docx-js、Pandoc和Python脚本

51,800 周安装

Kibana 访问权限	对 `kibana.yml` 的文件系统访问权限（自托管）或 Cloud 控制台访问权限（ECH）
许可证	审计日志需要黄金版、白金版、企业版或试用版许可证
Elasticsearch URL	用于对 `.security-audit-*` 进行关联查询的集群端点