Hi Giorgio,
Kibana Logs Location in Energylogserver
Authentication Logs
- Go to ELS Console → Discover
- Select audit-* index pattern
- Use filter: event_type:authentication_success
Via API:
curl -X GET "https://els-server:9200/audit-*/_search" \
-H "Content-Type: application/json" \
-u "admin:password" \
-d '{
"query": {
"term": {"event_type": "authentication_success"}
},
"sort": [{"@timestamp": {"order": "desc"}}],
"size": 10
}'
Kibana System Logs
Check log location first:
cat /etc/kibana/kibana.yml | grep logging
Common locations in ELS:
# Primary location in Energylogserver
tail -f /var/log/elasticsearch/kibana.log
# Alternative location
tail -f /var/log/kibana/kibana.log
# Systemd logs
journalctl -u kibana -f
Quick Commands
Real-time monitoring:
# Watch authentication events
tail -f /var/log/elasticsearch/kibana.log | grep -i "auth\|login"
# System service status
systemctl status kibana
Search for specific events:
# Failed logins
grep -i "authentication_failed" /var/log/elasticsearch/kibana.log
# Errors
grep -i "error\|fatal" /var/log/elasticsearch/kibana.log
Key Points
- Authentication logs: Stored in audit-* indices in Elasticsearch
- System logs: Check /etc/kibana/kibana.yml for exact path
- ELS specific: Often /var/log/elasticsearch/kibana.log
- Best method: Use ELS Console with audit-* pattern for user activity tracking
Common Audit Event Types
- authentication_success - successful login
- authentication_failed - failed login attempts
- access_granted - access granted
- access_denied - access denied
Useful Queries in ELS Console
All successful logins today:
event_type:authentication_success AND @timestamp:[now/d TO now]
Failed login attempts (last 24h):
event_type:authentication_failed AND @timestamp:[now-24h TO now]
Specific user activity:
user.name:"username" AND @timestamp:[now-7d TO now]
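
An added example, not part of the original reply: the failed-login query above turned into a per-user count against the audit-* indices, with a threshold for flagging repeated failures. It assumes user.name is mapped as a keyword field; the function names, the threshold of 5 and the sample response are constructed for illustration.

```python
import base64
import json
import ssl
import urllib.request

def failed_login_query(window="now-24h", max_users=50):
    """Search body: count authentication_failed events per user.name."""
    return {
        "size": 0,  # only the aggregation is needed, not the individual hits
        "query": {"bool": {"filter": [
            {"term": {"event_type": "authentication_failed"}},
            {"range": {"@timestamp": {"gte": window, "lte": "now"}}},
        ]}},
        # Assumption: user.name is a keyword field and can be aggregated on.
        "aggs": {"by_user": {"terms": {"field": "user.name", "size": max_users}}},
    }

def users_over_threshold(response, threshold=5):
    """Return [(user, failures)] for users at or above the threshold."""
    buckets = response["aggregations"]["by_user"]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets if b["doc_count"] >= threshold]

def run_query(base_url, user, password, body, ca_file=None):
    """POST the body to audit-*/_search, the endpoint used by the curl call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/audit-*/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=ca_file)  # server certificate is verified
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

# Constructed sample of an aggregation response, so the script runs offline.
SAMPLE_RESPONSE = {"aggregations": {"by_user": {"buckets": [
    {"key": "svc-backup", "doc_count": 42},
    {"key": "admin", "doc_count": 7},
    {"key": "jdoe", "doc_count": 2},
]}}}

if __name__ == "__main__":
    print(json.dumps(failed_login_query(), indent=2))
    for name, count in users_over_threshold(SAMPLE_RESPONSE):
        print(f"{name}: {count} failed logins")
```

Against a live server, pass the result of failed_login_query() to run_query() and feed the returned dictionary to users_over_threshold().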