However, whenever I attempt to log into the Kibana interface (successfully using LDAP or using a local admin account), a single event gets logged with:
# If enable_request_details is true then the audit log event will also contain
# details like the search query. Default is false.
opendistro_security.audit.enable_request_details: true
# Ignore users, e.g. do not log audit requests from that users (default: no ignored users)
#opendistro_security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']
Hmm - if I use this setting (opendistro-1.3) my elasticsearch does not start up:
[2020-02-25T11:38:35,232][ERROR][o.e.b.Bootstrap ] [<myservername>] Exception
java.lang.IllegalArgumentException: unknown setting [opendistro_security.audit.enable_request_details] did you mean any of [opendistro_security.audit.enable_rest, opendistro_security.audit.enable_transport, opendistro_security.audit.log_request_body]?
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:531) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:476) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:447) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:418) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:149) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.node.Node.<init>(Node.java:357) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.node.Node.<init>(Node.java:258) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-7.3.2.jar:7.3.2]
at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.3.2.jar:7.3.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.3.2.jar:7.3.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.3.2.jar:7.3.2]
Each time I go to the Kibana login screen, a LOGIN_FAILED event with user <NONE> is logged. I think this is because Kibana first tries to authenticate the user as anonymous, and so a login failed event is recorded, but this behavior seems incorrect to me, and it leads to a lot of false positives if someone is using this feature for security-breach detection.
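One way to keep those anonymous pre-flight failures from polluting a failed-login detection is to filter them out before counting, as in this added example (not code from the thread or from Open Distro). The audit events are constructed sample data, and the field names (`audit_category`, `audit_request_effective_user`, `audit_request_remote_address`) are assumed to follow the Open Distro security audit document shape.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (JSON lines). Field names are assumed to follow the
# Open Distro security audit document shape; "<NONE>" marks the anonymous pre-flight.
SAMPLE_AUDIT_LOG = """
{"@timestamp":"2020-02-25T11:40:00.000Z","audit_category":"FAILED_LOGIN","audit_request_effective_user":"<NONE>","audit_request_remote_address":"10.0.0.2"}
{"@timestamp":"2020-02-25T11:40:10.000Z","audit_category":"FAILED_LOGIN","audit_request_effective_user":"bob","audit_request_remote_address":"10.0.0.5"}
{"@timestamp":"2020-02-25T11:40:30.000Z","audit_category":"FAILED_LOGIN","audit_request_effective_user":"<NONE>","audit_request_remote_address":"10.0.0.2"}
{"@timestamp":"2020-02-25T11:40:40.000Z","audit_category":"FAILED_LOGIN","audit_request_effective_user":"bob","audit_request_remote_address":"10.0.0.5"}
{"@timestamp":"2020-02-25T11:40:50.000Z","audit_category":"FAILED_LOGIN","audit_request_effective_user":"alice","audit_request_remote_address":"10.0.0.9"}
{"@timestamp":"2020-02-25T11:41:00.000Z","audit_category":"FAILED_LOGIN","audit_request_effective_user":"<NONE>","audit_request_remote_address":"10.0.0.2"}
{"@timestamp":"2020-02-25T11:41:30.000Z","audit_category":"FAILED_LOGIN","audit_request_effective_user":"bob","audit_request_remote_address":"10.0.0.5"}
{"@timestamp":"2020-02-25T11:41:40.000Z","audit_category":"AUTHENTICATED","audit_request_effective_user":"bob","audit_request_remote_address":"10.0.0.5"}
"""

def parse_events(text):
    """Parse JSON-lines audit output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_kibana_login_probe(event):
    """The FAILED_LOGIN noise from Kibana's anonymous pre-flight: no effective user."""
    return (event.get("audit_category") == "FAILED_LOGIN"
            and event.get("audit_request_effective_user") in ("<NONE>", "", None))

def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5), exclude_probes=True):
    """Return (user, remote_address, count) for each user/source pair with at least
    `threshold` FAILED_LOGIN events inside `window`; probes are dropped first by default."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("audit_category") != "FAILED_LOGIN":
            continue
        if exclude_probes and is_kibana_login_probe(ev):
            continue
        ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        key = (ev.get("audit_request_effective_user"), ev.get("audit_request_remote_address"))
        buckets[key].append(ts)
    alerts = []
    for (user, addr), times in buckets.items():
        times.sort()
        # sliding window: count failures within `window` of each candidate start
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts.append((user, addr, n))
                break
    return alerts
```

Running `failed_login_alerts` with `exclude_probes=False` on the sample shows the `<NONE>` user tripping the threshold on its own, which is exactly the false positive described above.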