Audit Logs - Showing "FAILED_LOGIN" for successful login attempts

I have enabled audit logging (which I believe was enabled by default anyways) using the following configuration in my elasticsearch.yml:

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.audit.enable_rest: true
opendistro_security.audit.enable_transport: true

However, whenever I attempt to log into the Kibana interface (successfully using LDAP or using a local admin account), a single event gets logged with:

audit_category: FAILED_LOGIN
audit_request_effective_user: <NONE>
...

Does anyone have any idea why this is?

I believe you’re looking for

# If enable_request_details is true then the audit log event will also contain
# details like the search query. Default is false. 
opendistro_security.audit.enable_request_details: true
# Ignore users, e.g. do not log audit requests from these users (default: no ignored users)
#opendistro_security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']

The reference file for the settings can be found here too: https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/elasticsearch.yml.example

Hmm - if I use this setting (opendistro-1.3) my elasticsearch does not start up:

[2020-02-25T11:38:35,232][ERROR][o.e.b.Bootstrap          ] [<myservername>] Exception
java.lang.IllegalArgumentException: unknown setting [opendistro_security.audit.enable_request_details] did you mean any of [opendistro_security.audit.enable_rest, opendistro_security.audit.enable_transport, opendistro_security.audit.log_request_body]?
    at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:531) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:476) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:447) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:418) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:149) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.node.Node.<init>(Node.java:357) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.node.Node.<init>(Node.java:258) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) [elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-7.3.2.jar:7.3.2]
    at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.3.2.jar:7.3.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.3.2.jar:7.3.2]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.3.2.jar:7.3.2]

Also with 1.6 opendistro?

Same happens to me with OpenDistro 1.6.

Each time I go to the Kibana login screen, a LOGIN_FAILED event with user <NONE> is logged. I think this is because Kibana first tries to authenticate the user as anonymous, and so a login failed event is recorded, but this behavior does not seem correct to me, and it leads to a lot of false positives if someone is using this feature for security breach detection.
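For anyone alerting on these events, one way to keep the `<NONE>` entries described above from inflating failed-login counts is to separate them before thresholding. This is an added example, not part of the thread and not Open Distro code; the `@timestamp` and `audit_request_remote_address` field names, the threshold, the window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NO_USER = "<NONE>"  # value the thread shows for audit_request_effective_user

def split_failed_logins(events):
    """Split FAILED_LOGIN events into (named-user failures, no-user failures)."""
    named, anonymous = [], []
    for ev in events:
        if ev.get("audit_category") != "FAILED_LOGIN":
            continue
        user = ev.get("audit_request_effective_user") or NO_USER
        (anonymous if user == NO_USER else named).append(ev)
    return named, anonymous

def brute_force_candidates(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(source, user): count} where >= threshold named failures fit in one window."""
    named, _ = split_failed_logins(events)
    by_key = defaultdict(list)
    for ev in named:
        # Field names below other than the user field are assumed, not taken from the thread.
        key = (ev.get("audit_request_remote_address", "unknown"),
               ev["audit_request_effective_user"])
        by_key[key].append(datetime.fromisoformat(ev["@timestamp"]))
    hits = {}
    for key, stamps in by_key.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits

def _ev(ts, cat, user, src):
    return {"@timestamp": ts, "audit_category": cat,
            "audit_request_effective_user": user, "audit_request_remote_address": src}

# Constructed sample: four login-page loads logged as <NONE>, three real failures, one stray.
SAMPLE = (
    [_ev(f"2020-02-25T11:4{i}:00", "FAILED_LOGIN", NO_USER, "10.0.0.5") for i in range(4)]
    + [_ev(f"2020-02-25T11:50:{i}0", "FAILED_LOGIN", "alice", "10.0.0.9") for i in range(3)]
    + [_ev("2020-02-25T11:55:00", "FAILED_LOGIN", "bob", "10.0.0.7"),
       _ev("2020-02-25T11:56:00", "AUTHENTICATED", "bob", "10.0.0.7")]
)
```

With the sample, a naive per-source count would flag 10.0.0.5 for four failures; after the split only the `alice` sequence crosses the threshold, while the `<NONE>` events remain available for separate review.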