Enable and configure audit logging for Kibana via kibana.yml. Kibana audit logs cover application-layer security
Works with
events that Elasticsearch does not see: saved object CRUD (dashboards, visualizations, index patterns, rules, cases),
login/logout, session expiry, space operations, and Kibana-level RBAC enforcement.
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionkibana-auditExecute the skills CLI command in your project's root directory to begin installation:
Fetches kibana-audit from elastic/agent-skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate kibana-audit. Access via /kibana-audit in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Create detailed user stories, acceptance criteria, and feature specs
Example
Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios
Reduce spec writing time by 50%, ensure comprehensive coverage
Research competitors, compare features, identify gaps
Example
Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities
Complete competitive research in 2 hours instead of 2 days
Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs
Example
Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale
0
total installs
0
this week
296
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
296
stars
Enable and configure audit logging for Kibana via kibana.yml. Kibana audit logs cover application-layer security
events that Elasticsearch does not see: saved object CRUD (dashboards, visualizations, index patterns, rules, cases),
login/logout, session expiry, space operations, and Kibana-level RBAC enforcement.
For Elasticsearch audit logging (authentication failures, access grants/denials, security config changes), see elasticsearch-audit. For authentication and API key management, see elasticsearch-authn. For roles and user management, see elasticsearch-authz.
For detailed event types, schema, and correlation queries, see references/api-reference.md.
Deployment note: Kibana audit configuration differs across deployment types. See Deployment Compatibility for details.
saved_object_find)trace.id| Item | Description |
|---|---|
| Kibana access | Filesystem access to kibana.yml (self-managed) or Cloud console access (ECH) |
| License | Audit logging requires a gold, platinum, enterprise, or trial license |
| Elasticsearch URL | Cluster endpoint for correlation queries against .security-audit-* |
Prompt the user for any missing values.
Kibana audit is configured statically in kibana.yml (not via API). A Kibana restart is required after changes.
xpack.security.audit.enabled: true
xpack.security.audit.appender:
type: rolling-file
fileName: /path/to/kibana/data/audit.log
policy:
type: time-interval
interval: 24h
strategy:
type: numeric
max: 10
To disable, set xpack.security.audit.enabled to false and restart Kibana.
| Type | Description |
|---|---|
rolling-file |
Writes to a file with rotation policy. Recommended. |
console |
Writes to stdout. Useful for containerized deployments. |
Kibana audit events use ECS format with the same core fields as ES audit (event.action, event.outcome, user.name,
trace.id, @timestamp) plus Kibana-specific fields like kibana.saved_object.type, kibana.saved_object.id, and
kibana.space_id.
Key event actions:
| Event action | Description | Category |
|---|---|---|
saved_object_create |
A saved object was created | database |
saved_object_get |
A saved object was read | database |
saved_object_update |
A saved object was updated | database |
saved_object_delete |
A saved object was deleted | database |
saved_object_find |
A saved object search was performed | database |
saved_object_open_point_in_time |
A PIT was opened on saved objects | database |
saved_object_close_point_in_time |
A PIT was closed on saved objects | database |
saved_object_resolve |
A saved object was resolved (alias redirect) | database |
login |
A user logged in (success or failure) | authentication |
logout |
A user logged out | authentication |
session_cleanup |
An expired session was cleaned up | authentication |
access_agreement_acknowledged |
A user accepted the access agreement | authentication |
space_create |
A Kibana space was created | web |
space_update |
A Kibana space was updated | web |
space_delete |
A Kibana space was deleted | web |
space_get |
A Kibana space was retrieved | web |
See references/api-reference.md for the complete event schema.
Suppress noisy events using ignore_filters in kibana.yml:
xpack.security.audit.ignore_filters:
- actions: [saved_object_find]
categories: [database]
| Filter field | Type | Description |
|---|---|---|
actions |
list | Event actions to ignore |
categories |
list | Event categories to ignore |
An event is filtered out if it matches all specified fields within a single filter entry.
When Kibana makes requests to Elasticsearch on behalf of a user, both systems record the same trace.id (passed via the
X-Opaque-Id header). This is the primary key for correlating events across the two audit logs.
Prerequisite: Elasticsearch audit must be enabled via the cluster settings API. See the elasticsearch-audit skill for setup instructions, event types, and ES-specific filter policies.
trace.id value..security-audit-*) for all events with the same trace.id.The elasticsearch-audit skill also documents this workflow from the ES side — use it when starting from an ES audit event and looking for the originating Kibana action.
Given a suspicious Kibana event (e.g. a saved object deletion), extract its trace.id and search the ES audit index:
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"query": {
"bool": {
"filter": [
{ "term": { "trace.id": "'"${TRACE_ID}"'" } },
{ "range": { "@timestamp": { "gte": "now-24h" } } }
]
}
},
"sort": [{ "@timestamp": { "order": "asc" } }]
}'
Secondary correlation fields: user.name, source.ip, and @timestamp (time-window joins).
To query Kibana audit events alongside ES audit events, ship the Kibana audit log file to an Elasticsearch index using Filebeat:
filebeat.inputs:
- type: log
paths: ["/path/to/kibana/data/audit.log"]
json.keys_under_root: true
json.add_error_key: true
output.elasticsearch:
hosts: ["https://localhost:9200"]
index: "kibana-audit-%{+yyyy.MM.dd}"
Once indexed, both .security-audit-* (ES) and kibana-audit-* (Kibana) can be searched together using a multi-index
query filtered by trace.id.
Request: "Enable Kibana audit logging and keep 10 rotated log files."
xpack.security.audit.enabled: true
xpack.security.audit.appender:
type: rolling-file
fileName: /var/log/kibana/audit.log
policy:
type: time-interval
interval: 24h
strategy:
type: numeric
max: 10
Restart Kibana after applying.
Request: "Someone deleted a dashboard. Check the Kibana audit log."
Search the Kibana audit log (or the indexed kibana-audit-* data) for saved_object_delete events with
kibana.saved_object.type: dashboard. Extract the trace.id and cross-reference with the ES audit index to see the
underlying Elasticsearch operations.
Request: "Kibana audit logs are too large because of constant saved_object_find events."
xpack.security.audit.ignore_filters:
- actions: [saved_object_find]
categories: [database]
This suppresses high-volume read operations while preserving create, update, and delete events.
For full coverage, enable audit in both kibana.yml and Elasticsearch. Without Kibana audit, saved object access and
Kibana login events are invisible. Without ES audit, cluster-level operations are invisible. See the
elasticsearch-audit skill for ES-side setup.
When investigating a Kibana event, always extract trace.id and search the ES audit index (.security-audit-*). This
reveals the full chain of operations triggered by a single Kibana action. See
Correlate with Elasticsearch Audit Logs above for queries.
saved_object_find generates very high volume on busy Kibana instances. Suppress it unless you specifically need to
audit read access.
Kibana audit logs are written to files by default. Ship them to Elasticsearch via Filebeat for programmatic querying alongside ES audit events.
Configure rolling-file rotation to avoid filling the disk. A 30-90 day retention is typical for compliance.
| Capability | Self-managed | ECH | Serverless |
|---|---|---|---|
Kibana audit (kibana.yml) |
Yes | Via Cloud UI | Not available |
| Rolling-file appender | Yes | Via Cloud UI | Not available |
| Console appender | Yes | Yes | Not available |
| Ignore filters | Yes | Via Cloud UI | Not available |
Correlate via trace.id |
Yes | Yes | Not available |
| Ship to ES via Filebeat | Yes | Yes | Not available |
ECH notes: Kibana audit is enabled via the deployment edit page in the Cloud console. Log files are accessible through the Cloud console deployment logs.
Serverless notes:
Make data-driven prioritization decisions faster
Draft PRDs, status updates, and stakeholder presentations
Example
Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement
Save 3-5 hours/week on communication overhead
Prerequisites
Time Estimate
30-60 minutes to see productivity improvements
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.
✗ Avoid when
Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.
shadcn/improve
mattpocock/skills
parcadei/continuous-claude-v3
cursor/plugins
ailabs-393/ai-labs-claude-skills
pproenca/dot-skills
kibana-audit has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for kibana-audit matched our evaluation — installs cleanly and behaves as described in the markdown.
kibana-audit fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: kibana-audit is the kind of skill you can hand to a new teammate without a long onboarding doc.
kibana-audit has been reliable in day-to-day use. Documentation quality is above average for community skills.
kibana-audit fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Keeps context tight: kibana-audit is the kind of skill you can hand to a new teammate without a long onboarding doc.
We added kibana-audit from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Useful defaults in kibana-audit — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
kibana-audit fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
showing 1-10 of 50