Audit log does not log trough Kibana

Hi audit logging i SearchGuard does not work as expected,
I have created an audit index, and it gets populated with events however the only type events stored are AUTHENTICATION_FAILED events.
besides this activities performed trough Search-Guard-kibana does not seem to be logged.
Here is my configuration files for SearchGuard and kibana:

elasticsearch.yml

node.name: lxa
network.host: lxa

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

#discovery.zen.ping.unicast.hosts: [
#"$HOSTNAME"

discovery.zen.minimum_master_nodes: 1
discovery.seed_hosts:
 - lxa
cluster.initial_master_nodes:
 - lxa

node.master: true
node.data: true

#HTTP
xpack.security.enabled: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_type: PKCS12
searchguard.ssl.http.keystore_filepath: config/server.p12
searchguard.ssl.http.keystore_password: xx
searchguard.ssl.http.pemtrustedcas_filepath: config/Trust.UAll.pem
searchguard.ssl.http.truststore_filepath: config/truststore.jks
searchguard.ssl.http.truststore_password: xx

#TRANSPORT
searchguard.ssl.transport.keystore_type: PKCS12
searchguard.ssl.transport.keystore_filepath: config/server.p12
searchguard.ssl.transport.keystore_password: xx
searchguard.ssl.transport.pemtrustedcas_filepath: config/Trust.UAll.pem
searchguard.ssl.transport.truststore_filepath: config/truststore.jks
searchguard.ssl.transport.truststore_password: xx

searchguard.authcz.admin_dn:
  - "C=SE,O=xx,CN=lxa"

#AUDIT
searchguard.audit.type: internal_elasticsearch
searchguard.audit.enable_rest: true
searchguard.audit.enable_transport: true
searchguard.audit.ignore_users: NONE
searchguard.audit.config.index: "csl"
searchguard.audit.resolve_bulk_requests: true

kibana.yml

#Kibana
server.port: 5601
server.host: lxa
server.name: lxa
elasticsearch.hosts: "https://lxa:9200"

# Configure the Kibana internal server user
searchguard.auth.type: "basicauth"
elasticsearch.username: "admin"
elasticsearch.password: "admin"

# Whitelist the Search Guard Multi Tenancy Header
elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant" ]

# X-Pack security needs to be disabled for Search Guard to work properly
xpack.security.enabled: false

searchguard.allow_client_certificates: true
elasticsearch.ssl.certificateAuthorities: /etc/elasticsearch/config/Trust.UAll.pem
elasticsearch.ssl.keystore.path: /etc/elasticsearch/config/server.p12
elasticsearch.ssl.keystore.password: xx
elasticsearch.ssl.verificationMode: none

Any ideas on how i can get SearchGuard to log all events posted trough the Kibana console?
Best regards
C

Hi. Try to enable the event logging in all categories.
elasticsearch.yml

searchguard.audit.config.disabled_rest_categories: NONE
searchguard.audit.config.disabled_transport_categories: NONE

Hi thanks for your tip, the problem more to be more specific is that the actions performed on an index are not listed for example created indicies does not appear in the audit log, neither operations performed on those. even with the added settings
searchguard.audit.config.disabled_rest_categories: NONE
searchguard.audit.config.disabled_transport_categories: NONE

Are there other options to try, have i missed some obvious option in my config file, the activities that i want to audit are performed trough the Kibana Dev Console.

Best regards
Carl

SG audit is only about the actions that are related to authentication and authorization. Why do you need to log your operations in the audit log?

Hi @carl
I was wrong. SG can audit read/write access on the document and field levels.


Also, you can audit changes to SG and Elasticsearch configuration.


This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.