Audit ES users

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: 6.1
  • Installed and used enterprise modules, if any: kibana, searchguard 6
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

I wanted to see which users are querying my Elasticsearch cluster (user id and query details should be in the logs).

I have enabled the ES slowlog properties. With this I could only see the query details, not the user id information.

You can achieve this by using the “Auditlog” functionality of Search Guard: Configuring Audit Logging (https://docs.search-guard.com/latest/audit-logging-compliance#audit-logging)

Every request (and so every search request) is recorded together with all details like search query, affected indices, user, remote IP, etc.

The records can either be stored in your Elasticsearch cluster or in an external Elasticsearch, sent to a webhook or to Kafka, or written to the logs on disk.

This is a commercial feature of Search Guard, and after the 60-day trial period expires you need to purchase a license.

See Search Guard Security (https://search-guard.com/product/) and Licensing (https://search-guard.com/licensing/)
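Once audit logging is on, the records answer the question asked in this thread: which user ran which query, from where, against which index. The following is an added example, not code from the thread or from Search Guard: a small Python script that reads audit records as JSON lines and groups them by user, listing denied requests separately. The field names (audit_category, audit_request_effective_user, audit_request_remote_address, audit_trace_indices, audit_request_body) are assumed from Search Guard's audit log format, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample audit records as JSON lines (the form Search Guard writes to an
# index or a log file). Field names are assumed from Search Guard's audit log
# format; none of these values come from the thread.
SAMPLE_RECORDS = [
    {"@timestamp": "2018-12-21T09:01:02Z", "audit_category": "GRANTED_PRIVILEGES",
     "audit_request_effective_user": "alice", "audit_request_remote_address": "10.0.0.5",
     "audit_trace_indices": ["logs-2018.12"],
     "audit_request_body": '{"query":{"match":{"status":"500"}}}'},
    {"@timestamp": "2018-12-21T09:02:10Z", "audit_category": "GRANTED_PRIVILEGES",
     "audit_request_effective_user": "alice", "audit_request_remote_address": "10.0.0.5",
     "audit_trace_indices": ["logs-2018.12", "logs-2018.11"]},  # request body not logged
    {"@timestamp": "2018-12-21T09:03:44Z", "audit_category": "MISSING_PRIVILEGES",
     "audit_request_effective_user": "bob", "audit_request_remote_address": "10.0.0.9",
     "audit_trace_indices": ["hr-salaries"], "audit_request_body": '{"query":{"match_all":{}}}'},
]
SAMPLE_AUDIT_LINES = [json.dumps(r) for r in SAMPLE_RECORDS] + ["not json at all"]


def parse_audit_line(line):
    """Return the audit record as a dict, or None for a line that is not a JSON object."""
    try:
        record = json.loads(line)
    except ValueError:
        return None
    return record if isinstance(record, dict) else None


def summarize_audit(lines):
    """Group granted requests by user as (indices, query, remote_ip); list denied ones."""
    granted = defaultdict(list)
    denied = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue  # skip non-JSON lines (e.g. other log4j output in the same file)
        user = rec.get("audit_request_effective_user", "<unknown>")
        indices = tuple(rec.get("audit_trace_indices") or [])
        remote = rec.get("audit_request_remote_address", "<unknown>")
        # The query body is only present when request-body logging is enabled.
        query = rec.get("audit_request_body", "<body not logged>")
        if rec.get("audit_category") == "GRANTED_PRIVILEGES":
            granted[user].append((indices, query, remote))
        elif rec.get("audit_category") == "MISSING_PRIVILEGES":
            denied.append((user, indices, remote))
    return dict(granted), denied
```

Run summarize_audit over the lines of an exported sg6-* index or the audit log file to get the per-user query list; MISSING_PRIVILEGES entries are the ones worth alerting on.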

On Friday, 21 December 2018 00:17:50 UTC+1, rud wrote:

···

Yes, we have a license.

I have tried the audit log functionality with the settings below. It’s creating another index, sg6-dateformat. I want these to be captured in the logs.

searchguard.audit.type: internal_elasticsearch
searchguard.audit.config.disabled_rest_categories: NONE
searchguard.audit.config.disabled_transport_categories: NONE

On Thursday, December 20, 2018 at 5:37:57 PM UTC-6, Search Guard wrote:

···