Audit ES users

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version 6.1

  • Installed and used enterprise modules, if any kibana , searchguard 6

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

I wanted to see who all users are querying to my Elastic-search cluster. (user id and query details should be the logs).

I have enabled slowlog ES properties , With this I could only see the query details not the user id information.

You can achieve this by using the “Auditlog” functionality of Search Guard: https://docs.search-guard.com/latest/audit-logging-compliance#audit-logging

Every request (and so every search request) is recorded together with all details like search query, affected indices, user, remote ip, etc

The records can either be stored in your elasticsearch cluster, in an external elasticsearch or sent to a webhook, to kafka or can be written to the logs on disk.

This is a commercial feature of Search Guard and you need, after the trial period of 60 days exceeds, to purchase a license.

See https://search-guard.com/product/ and https://search-guard.com/licensing/

···

On Friday, 21 December 2018 00:17:50 UTC+1, rud wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version 6.1
  • Installed and used enterprise modules, if any kibana , searchguard 6
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

I wanted to see who all users are querying to my Elastic-search cluster. (user id and query details should be the logs).

I have enabled slowlog ES properties , With this I could only see the query details not the user id information.

Yes, We have license.

I have tried the audit log functionality with below, It’s creating another index sg6-dateformat . I want these to be captured in the logs.

searchguard.audit.type: internal_elasticsearch
searchguard.audit.config.disabled_rest_categories: NONE
searchguard.audit.config.disabled_transport_categories: NONE
···

On Thursday, December 20, 2018 at 5:37:57 PM UTC-6, Search Guard wrote:

You can achieve this by using the “Auditlog” functionality of Search Guard: https://docs.search-guard.com/latest/audit-logging-compliance#audit-logging

Every request (and so every search request) is recorded together with all details like search query, affected indices, user, remote ip, etc

The records can either be stored in your elasticsearch cluster, in an external elasticsearch or sent to a webhook, to kafka or can be written to the logs on disk.

This is a commercial feature of Search Guard and you need, after the trial period of 60 days exceeds, to purchase a license.

See https://search-guard.com/product/ and https://search-guard.com/licensing/

On Friday, 21 December 2018 00:17:50 UTC+1, rud wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version 6.1
  • Installed and used enterprise modules, if any kibana , searchguard 6
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

I wanted to see who all users are querying to my Elastic-search cluster. (user id and query details should be the logs).

I have enabled slowlog ES properties , With this I could only see the query details not the user id information.