Auditing responses?

Hi folks -

Looking at replacing a legacy audit solution and SG’s audit features look like it’d fit the bill nicely.

I’ve a bit of a strange use case in that I’m needing the actual Elasticsearch responses for _search queries captured also, i.e. needing to see what the user queried and what they got back at that moment.

I couldn’t see any facility for this in the documentation, is there any solution for this? Or a better way of doing it I’ve missed?

The closest thing for this is the read history audit logging:

It is mainly used to track access to specific fields (like PII fields under GDPR regulation), but instead of listing individual fields you can also use wildcards, which would then track access to any field.

But be aware that capturing and storing the complete ES response for any request can and will put additional load on your cluster, so use with care.
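As an added illustration (not from the original reply or from Search Guard's own documentation), the contrast between field-specific read history and the wildcard form described above, written as an `elasticsearch.yml` fragment. The key names `searchguard.compliance.history.read.watched_fields` and `searchguard.compliance.history.read.metadata_only`, and the `index_pattern,field,...` entry format, are assumptions to be checked against the Search Guard documentation for the version in use:

```yaml
# Added example, not project documentation. Key names and entry format are
# assumed; verify them against the Search Guard docs for your version.

# Send audit events to an index in the same cluster (adds write load).
searchguard.audit.type: internal_elasticsearch

# Typical GDPR-style usage: only accesses to named PII fields are recorded.
# Entry format assumed to be "<index pattern>,<field>,<field>,...".
searchguard.compliance.history.read.watched_fields:
  - "customers,email,phone,date_of_birth"

# Use case from the thread: record what every _search returned, for every
# field, on every index. Wildcards in both positions make this unbounded,
# so expect the audit index to grow with the result volume of your queries.
# searchguard.compliance.history.read.watched_fields:
#   - "*,*"

# Keep document content in the read events. Setting this to true would
# log only document metadata, which defeats the "what they got back" goal
# but is the safer default if the cluster cannot absorb the extra load.
searchguard.compliance.history.read.metadata_only: false
```

Enable the wildcard form on a test cluster first and watch the audit index growth rate before rolling it out, since every matched read is stored in full.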

Hi jkressin -

Thanks for the quick response, looks interesting and might fit the bill.

