SearchGuard auditlogs

Hi i have configured Searchguard with the following auditing options:

searchguard.audit.type: internal_elasticsearch
searchguard.audit.enable_rest: true
searchguard.audit.enable_transport: true
searchguard.audit.ignore_users: NONE
searchguard.audit.config.index: auditlogindex

It seems to be logging every activity created on the local machine with cURL commands but if i login with an admin user trough Kibana, nothing is written to the auditlog.
The error log produces no obvious errors either.
Is there any obvious reasons for this?

I will post more details if needed.

Kind regards
Carl

What is ES version?

if i login with an admin user trough Kibana, nothing is written to the auditlog

What exactly do you expect to be logged? If you expect AUTHENTICATED and GRANTED_PRIVILEGES categories, you should enable them. For example, the configuration to enable all categories:

elasticsearch.yml

searchguard.audit.type: internal_elasticsearch
searchguard.audit.config.disabled_rest_categories: NONE
searchguard.audit.config.disabled_transport_categories: NONE
searchguard.audit.ignore_users: NONE
searchguard.audit.config.index: auditlogindex

Put it and try to login Kibana using the admin credentials, then search the audit log:

GET auditlogindex/_search
{
  "query": {
    "match": {
      "audit_category": "GRANTED_PRIVILEGES"
    }
  }
}

As the result you will see docs like this one:

      {
        "_index" : "auditlogindex",
        "_type" : "_doc",
        "_id" : "4Y_jWnIBc9695KgEgDwv",
        "_score" : 0.6179995,
        "_source" : {
          "audit_trace_task_parent_id" : "VZpOoPUkS2Weql1BZ3VU8Q:227",
          "audit_cluster_name" : "es-docker-cluster",
          "audit_transport_headers" : {
            "_sg_remote_address_header" : "rO0ABXNyABpqYXZhLm5ldC5JbmV0U29ja2V0QWRkcmVzc0ZxlGFv+apFAwADSQAEcG9ydEwABGFkZHJ0ABZMamF2YS9uZXQvSW5ldEFkZHJlc3M7TAAIaG9zdG5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cgAWamF2YS5uZXQuU29ja2V0QWRkcmVzc0hh9mL0l51qAgAAeHAAAOWSc3IAFGphdmEubmV0LkluZXRBZGRyZXNzLZtXr5/j69sDAANJAAdhZGRyZXNzSQAGZmFtaWx5TAAIaG9zdE5hbWVxAH4AAnhwrBMABQAAAAJweHB4",
            "_sg_remotecn" : "es-docker-cluster",
            "_sg_user_header" : "rO0ABXNyACNjb20uZmxvcmFndW5uLnNlYXJjaGd1YXJkLnVzZXIuVXNlcrOovZPrl0fcAgAGWgAKaXNJbmplY3RlZEwACmF0dHJpYnV0ZXN0AA9MamF2YS91dGlsL01hcDtMAARuYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7TAAPcmVxdWVzdGVkVGVuYW50cQB+AAJMAAVyb2xlc3QAD0xqYXZhL3V0aWwvU2V0O0wAEHNlYXJjaEd1YXJkUm9sZXNxAH4AA3hwAHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHQADGtpYmFuYXNlcnZlcnBzcgARamF2YS51dGlsLkhhc2hTZXS6RIWVlri3NAMAAHhwdwwAAAAQP0AAAAAAAAB4c3EAfgAIdwwAAAAQP0AAAAAAAAB4",
            "_sg_origin_header" : "REST",
            "_sg_initial_action_class_header" : "GetIndexRequest"
          },
          "audit_node_name" : "sgssl-2.example.com",
          "audit_trace_task_id" : "dYf4iWQ1RZ-rROxKnjMcJQ:444",
          "audit_transport_request_type" : "GetIndexRequest",
          "audit_category" : "GRANTED_PRIVILEGES",
          "audit_request_origin" : "REST",
          "audit_node_id" : "dYf4iWQ1RZ-rROxKnjMcJQ",
          "audit_request_layer" : "TRANSPORT",
          "@timestamp" : "2020-05-28T10:45:58.379+00:00",
          "audit_format_version" : 4,
          "audit_request_remote_address" : "172.19.0.5",
          "audit_request_privilege" : "indices:admin/get",
          "audit_node_host_address" : "172.19.0.2",
          "audit_request_effective_user" : "kibanaserver",
          "audit_trace_indices" : [
            ".kibana"
          ],
          "audit_node_host_name" : "172.19.0.2"
        }
      }

The related documentation:


This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.