We use ROR enterprise. I want to get the audit logs on Kibana dashboard access. I need the information on dashboard usage. When a dashboard was last accessed and who accessed it. I couldn’t find that information in readonlyrest_audit index. Below is my ROR audit config.
Good question, out of the box with our audit logs you can
Audit who logged in and when
Audit who had read access to certain indices and when
But the access to a certain dashboard is a Kibana level event that does not necessarily produce any conspicuous event in Elasticsearch to be audited. Unless we explicitly make that happen on the Kibana plugin by creating a custom audit event.
This could be a request for feature. And since we are at it, what other custom audit events should Kibana produce?
Can we have audit events for the following Kibana elements:
Dashboard
Visualization
Canvas
Alert Rules
Index patterns
Ingest Pipelines
Rollups Jobs
This would be really helpful for us and others who wants to audit or clean up kibana elements which are not used in a while. Our primary use case is to remove the dashboards and visualization which are not accessed in N number of days.
This is actually a very cool use case, will have a look.
What I know for sure is that Kibana attaches to almost every request a header carrying the corresponding Kibana path and HTTP method as a header. So you will find some kibana path (including the dashboard id) already in the headers section.