(1) Can Kibana users enter in-line comments with # or // alongside query and (2) will these be picked up by query logging?

I've searched Google and the GitHub repo alongside the forums but haven't been able to find an answer to this question (it doesn't help that searching "comment" brings up French posts asking "how" to do something!).

From searching around I understand that Elasticsearch and Kibana support using comment strings when running queries in console or API.

But, is this also true for users running queries in Kibana through the UI? Can a user run a query, and append it with a comment string and Kibana will ignore the string when running the query accordingly?

And if so, will these comment strings be included in the user query logging in their original raw form or do they get stripped out?

We're trying to find a light and easy solution without doing any reverse proxy or custom authorization schemes where a user adds a comment to their query on a sensitive index (contains PII). Compliance wants us to be able to audit the "purpose" behind the query which matches a Jira ticket field. For our SQL DBs we've tackled this requirement by simply having users cite the ticket number as a comment alongside their initial query.

RBAC doesn't really meet the requirement because they want to match each query (or at least an initial query in a "session") with the "purpose" described in the ticket for auditing purposes.

The alternative seems like setting up a reverse proxy and custom auth to redirect, but if we can avoid that work with a simple procedure then that's more ideal.

If comments aren't possible, any ideas on how to achieve this would be welcome.

Yes, you can add comments as in /* ... */, and they are sent to the server.

Then, if you have audit logging enabled, yeah, the server will include that comment. Indeed I could find my query in the audit logs.

My (minimal) audit settings are:

xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true
xpack.security.audit.logfile.events.include: ['authentication_success']
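One way to turn those audit entries into the "purpose" report asked about above, as an added example that is not part of the original thread: it reads JSON audit lines, keeps requests against a sensitive index, and pulls a ticket key out of any `/* ... */` comment in `request.body`. The index name `customers-pii`, the Jira-style key pattern and the sample log lines are assumptions constructed for illustration.

```python
import json
import re

# Assumptions, not from the thread: the sensitive index name and the
# Jira-style ticket key format are placeholders.
SENSITIVE_INDEX = "customers-pii"
TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")
COMMENT_RE = re.compile(r"/\*(.*?)\*/", re.DOTALL)

# Constructed sample audit entries, one JSON document per line.
SAMPLE_AUDIT_LOG = r'''
{"type":"audit","@timestamp":"2024-01-10T09:00:01,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"alice","url.path":"/customers-pii/_search","request.method":"POST","request.body":"/* PRIV-1042 */\n{\"query\":{\"match\":{\"email\":\"a@example.com\"}}}"}
{"type":"audit","@timestamp":"2024-01-10T09:05:12,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"bob","url.path":"/customers-pii/_search","request.method":"POST","request.body":"{\"query\":{\"match_all\":{}}}"}
{"type":"audit","@timestamp":"2024-01-10T09:07:30,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"carol","url.path":"/customers-pii/_search","request.method":"POST","request.body":"/* quick check */\n{\"query\":{\"match_all\":{}}}"}
{"type":"audit","@timestamp":"2024-01-10T09:09:44,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"dave","url.path":"/logs-app/_search","request.method":"POST","request.body":"{\"query\":{\"match_all\":{}}}"}
'''


def review(log_text):
    """Return one finding per request that targets the sensitive index."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON audit line
        if entry.get("event.action") != "authentication_success":
            continue
        path = entry.get("url.path", "")
        # The first path segment holds the target index list. Exact names
        # only: wildcard or alias targets are not resolved here.
        targets = path.lstrip("/").split("/", 1)[0].split(",")
        if SENSITIVE_INDEX not in targets:
            continue
        body = entry.get("request.body") or ""
        # Only ticket keys that appear inside a comment count as a purpose.
        tickets = [t for c in COMMENT_RE.findall(body) for t in TICKET_RE.findall(c)]
        findings.append({"user": entry.get("user.name"), "path": path,
                         "ticket": tickets[0] if tickets else None})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_AUDIT_LOG):
        print(finding)
```

Entries with `ticket` set to `None` are the ones to follow up on. With `emit_request_body` enabled the audit log stores request bodies in plain text, so the log file itself needs the same access controls as the index it describes.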
