Kibana Dashboard access logs

We use ROR enterprise. I want to get the audit logs on Kibana dashboard access. I need the information on dashboard usage. When a dashboard was last accessed and who accessed it. I couldn’t find that information in readonlyrest_audit index. Below is my ROR audit config.

Elasticsearch Version: 7.17.1
ROR Version: 1.38.0

audit_collector: true
    audit_serializer: tech.beshu.ror.requestcontext.QueryAuditLogSerializer
    audit_index_template: "'readonlyrest_audit'-yyyy-MM"
    prompt_for_basic_auth: true

1 Like

Hi @zeeshan,

Good question, out of the box with our audit logs you can

  • Audit who logged in and when
  • Audit who had read access to certain indices and when

But the access to a certain dashboard is a Kibana level event that does not necessarily produce any conspicuous event in Elasticsearch to be audited. Unless we explicitly make that happen on the Kibana plugin by creating a custom audit event.

This could be a request for feature. And since we are at it, what other custom audit events should Kibana produce?

Hi @sscarduzio ,

Can we have audit events for the following Kibana elements:

  1. Dashboard
  2. Visualization
  3. Canvas
  4. Alert Rules
  5. Index patterns
  6. Ingest Pipelines
  7. Rollups Jobs

This would be really helpful for us and others who wants to audit or clean up kibana elements which are not used in a while. Our primary use case is to remove the dashboards and visualization which are not accessed in N number of days.

1 Like

This is actually a very cool use case, will have a look.

What I know for sure is that Kibana attaches to almost every request a header carrying the corresponding Kibana path and HTTP method as a header. So you will find some kibana path (including the dashboard id) already in the headers section.

1 Like