What is the ES version?
If I log in with an admin user through Kibana, nothing is written to the audit log.
What exactly do you expect to be logged? If you expect AUTHENTICATED and GRANTED_PRIVILEGES categories, you should enable them. For example, the configuration to enable all categories:
elasticsearch.yml:

```yaml
searchguard.audit.type: internal_elasticsearch
searchguard.audit.config.disabled_rest_categories: NONE
searchguard.audit.config.disabled_transport_categories: NONE
searchguard.audit.ignore_users: NONE
searchguard.audit.config.index: auditlogindex
```
Put it in place and try to log in to Kibana using the admin credentials, then search the audit log:
```
GET auditlogindex/_search
{
  "query": {
    "match": {
      "audit_category": "GRANTED_PRIVILEGES"
    }
  }
}
```
As a result, you will see docs like this one:
```json
{
  "_index" : "auditlogindex",
  "_type" : "_doc",
  "_id" : "4Y_jWnIBc9695KgEgDwv",
  "_score" : 0.6179995,
  "_source" : {
    "audit_trace_task_parent_id" : "VZpOoPUkS2Weql1BZ3VU8Q:227",
    "audit_cluster_name" : "es-docker-cluster",
    "audit_transport_headers" : {
      "_sg_remote_address_header" : "rO0ABXNyABpqYXZhLm5ldC5JbmV0U29ja2V0QWRkcmVzc0ZxlGFv+apFAwADSQAEcG9ydEwABGFkZHJ0ABZMamF2YS9uZXQvSW5ldEFkZHJlc3M7TAAIaG9zdG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cgAWamF2YS5uZXQuU29ja2V0QWRkcmVzc0hh9mL0l51qAgAAeHAAAOWSc3IAFGphdmEubmV0LkluZXRBZGRyZXNzLZtXr5/j69sDAANJAAdhZGRyZXNzSQAGZmFtaWx5TAAIaG9zdE5hbWVxAH4AAnhwrBMABQAAAAJweHB4",
      "_sg_remotecn" : "es-docker-cluster",
      "_sg_user_header" : "rO0ABXNyACNjb20uZmxvcmFndW5uLnNlYXJjaGd1YXJkLnVzZXIuVXNlcrOovZPrl0fcAgAGWgAKaXNJbmplY3RlZEwACmF0dHJpYnV0ZXN0AA9MamF2YS91dGlsL01hcDtMAARuYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAAPcmVxdWVzdGVkVGVuYW50cQB+AAJMAAVyb2xlc3QAD0xqYXZhL3V0aWwvU2V0O0wAEHNlYXJjaEd1YXJkUm9sZXNxAH4AA3hwAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHQADGtpYmFuYXNlcnZlcnBzcgARamF2YS51dGlsLkhhc2hTZXS6RIWVlri3NAMAAHhwdwwAAAAQP0AAAAAAAAB4c3EAfgAIdwwAAAAQP0AAAAAAAAB4",
      "_sg_origin_header" : "REST",
      "_sg_initial_action_class_header" : "GetIndexRequest"
    },
    "audit_node_name" : "sgssl-2.example.com",
    "audit_trace_task_id" : "dYf4iWQ1RZ-rROxKnjMcJQ:444",
    "audit_transport_request_type" : "GetIndexRequest",
    "audit_category" : "GRANTED_PRIVILEGES",
    "audit_request_origin" : "REST",
    "audit_node_id" : "dYf4iWQ1RZ-rROxKnjMcJQ",
    "audit_request_layer" : "TRANSPORT",
    "@timestamp" : "2020-05-28T10:45:58.379+00:00",
    "audit_format_version" : 4,
    "audit_request_remote_address" : "172.19.0.5",
    "audit_request_privilege" : "indices:admin/get",
    "audit_node_host_address" : "172.19.0.2",
    "audit_request_effective_user" : "kibanaserver",
    "audit_trace_indices" : [
      ".kibana"
    ],
    "audit_node_host_name" : "172.19.0.2"
  }
}
```
The related documentation:
Implement Audit Logging on your Elasticsearch cluster and stay compliant with GDPR, HIPAA, ISO, PCI and SOX.
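Added example (not from the post above or from Search Guard itself): a small helper that builds the `auditlogindex` search body with optional effective-user and time filters on top of the single `match` shown above, and a summary over the returned hits that counts events per effective user, category and privilege, so you can tell whether the admin's own actions were recorded or only `kibanaserver`'s. The sample response is constructed from the document fields shown in the post; the extra `admin` hits and their timestamps are made-up values.

```python
from collections import Counter

# Constructed sample _search response: field names follow the audit document
# shown in the post, values for the "admin" hits are invented for illustration.
SAMPLE_RESPONSE = {
    "hits": {"hits": [
        {"_source": {"audit_category": "GRANTED_PRIVILEGES",
                     "audit_request_layer": "TRANSPORT",
                     "audit_request_effective_user": "kibanaserver",
                     "audit_request_privilege": "indices:admin/get",
                     "audit_request_remote_address": "172.19.0.5",
                     "@timestamp": "2020-05-28T10:45:58.379+00:00"}},
        {"_source": {"audit_category": "AUTHENTICATED",
                     "audit_request_layer": "REST",
                     "audit_request_effective_user": "admin",
                     "audit_request_remote_address": "172.19.0.5",
                     "@timestamp": "2020-05-28T10:45:57.100+00:00"}},
        {"_source": {"audit_category": "GRANTED_PRIVILEGES",
                     "audit_request_layer": "TRANSPORT",
                     "audit_request_effective_user": "admin",
                     "audit_request_privilege": "indices:data/read/search",
                     "audit_request_remote_address": "172.19.0.5",
                     "@timestamp": "2020-05-28T10:46:02.000+00:00"}},
    ]}
}


def audit_query(category, effective_user=None, since=None):
    """Build the body for `GET auditlogindex/_search`: the category match from
    the post, plus optional effective-user and @timestamp lower-bound filters."""
    must = [{"match": {"audit_category": category}}]
    if effective_user:
        must.append({"match": {"audit_request_effective_user": effective_user}})
    if since:
        must.append({"range": {"@timestamp": {"gte": since}}})
    return {"query": {"bool": {"must": must}}}


def summarize_hits(response):
    """Count hits per (effective_user, category, privilege). A privilege of "-"
    means the event carried none (e.g. an AUTHENTICATED event on the REST layer)."""
    counts = Counter()
    for hit in response["hits"]["hits"]:
        src = hit["_source"]
        key = (src.get("audit_request_effective_user", "?"),
               src["audit_category"],
               src.get("audit_request_privilege", "-"))
        counts[key] += 1
    return counts


def effective_users(response):
    """Set of users that actually appear in the hits; if only kibanaserver
    shows up, the admin's actions are not being attributed to the admin."""
    return {h["_source"].get("audit_request_effective_user")
            for h in response["hits"]["hits"]}
```

Run `summarize_hits` over a real response from the cluster in place of `SAMPLE_RESPONSE`; `audit_query("AUTHENTICATED", effective_user="admin")` narrows the search to the admin's logins.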