Kibana Dashboard access logs

zeeshan · January 5, 2023, 4:41pm

We use ROR enterprise. I want to get the audit logs on Kibana dashboard access. I need the information on dashboard usage. When a dashboard was last accessed and who accessed it. I couldn’t find that information in readonlyrest_audit index. Below is my ROR audit config.

Elasticsearch Version: 7.17.1
ROR Version: 1.38.0

audit_collector: true
    audit_serializer: tech.beshu.ror.requestcontext.QueryAuditLogSerializer
    audit_index_template: "'readonlyrest_audit'-yyyy-MM"
    prompt_for_basic_auth: true

sscarduzio · January 5, 2023, 5:10pm

Hi @zeeshan,

Good question, out of the box with our audit logs you can

Audit who logged in and when
Audit who had read access to certain indices and when

But the access to a certain dashboard is a Kibana level event that does not necessarily produce any conspicuous event in Elasticsearch to be audited. Unless we explicitly make that happen on the Kibana plugin by creating a custom audit event.

This could be a request for feature. And since we are at it, what other custom audit events should Kibana produce?

zeeshan · January 6, 2023, 6:31am

Hi @sscarduzio ,

Can we have audit events for the following Kibana elements:

Dashboard
Visualization
Canvas
Alert Rules
Index patterns
Ingest Pipelines
Rollups Jobs

This would be really helpful for us and others who wants to audit or clean up kibana elements which are not used in a while. Our primary use case is to remove the dashboards and visualization which are not accessed in N number of days.

sscarduzio · January 6, 2023, 7:46am

This is actually a very cool use case, will have a look.

What I know for sure is that Kibana attaches to almost every request a header carrying the corresponding Kibana path and HTTP method as a header. So you will find some kibana path (including the dashboard id) already in the headers section.