Does Elasticsearch capture audit logs for Query DSL, EQL and SQL or Not???
No. The list of events which could be captured by the audit logs is here: Audit events | Elasticsearch Guide [8.9] | Elastic
But you can use slow logs for this: Slow Log | Elasticsearch Guide [8.9] | Elastic. I think that using 0
as the threshold will log everything. But be careful as it will be very verbose.
I executed the POST query from REST API, and I am getting this Log (For WINDOWS) using Latest Version or Elasticsearch:
{"type":"audit", "timestamp":"2023-07-27T12:25:06,662+0530", "cluster.uuid":"PdxPNKJfRUOh-nJVi4R9jw", "node.name":"node-1", "node.id":"8vfClNdqTQKpxsWQ9jZFsQ", "host.name":"192.168.1.5", "host.ip":"192.168.1.5", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:64848", "realm":"reserved", "url.path":"/ashish_hcl/_doc/1", "request.method":"POST", "request.body":" {\r\n "firstname": "Subhash",\r\n "lastname": "Chandra"\r\n}", "request.id":"qGhK_WaNTiyI_GwR1N8xQQ"}
But when I am using Elasticsearch 7.15.2 version in Red Hat Linux then I am not able to Get the audit logs.
How did you change the log level on the RedHat machine?
I did not change the log level by default it's INFO there. Configuration for both Windows and Red Hat machine is same only Difference is in Windows I am using latest version of Elasticsearch and in Red Hat I am using 7.15.2 version.
I don't know.
I'd in any case upgrade the RedHat machine to benefit from all the security patches at least.
Did you activate the trial on the RedHat cluster?
What are your elasticsearch.yml settings in the RedHat cluster?
And anyway, this is not related to the original question, right?
Does Elasticsearch capture audit logs for Query DSL, EQL and SQL or Not???
The trace you shown:
{"type":"audit", "timestamp":"2023-07-27T12:25:06,662+0530", "cluster.uuid":"PdxPNKJfRUOh-nJVi4R9jw", "node.name":"node-1", "node.id":"8vfClNdqTQKpxsWQ9jZFsQ", "host.name":"192.168.1.5", "host.ip":"192.168.1.5", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:64848", "realm":"reserved", "url.path":"/ashish_hcl/_doc/1", "request.method":"POST", "request.body":" {\r\n "firstname": "Subhash",\r\n "lastname": "Chandra"\r\n}", "request.id":"qGhK_WaNTiyI_GwR1N8xQQ"}
Is an authentication one: "event.action":"authentication_success"
. So not sure how this is all related and what you are trying to do.
Yes, I activated the Trail License already.
Actually, I am executing queries DSL, EQL and SQL and I want audit logs for the queries which I perform.
Suppose I am using POST to create something in cluster:
POST demo/_doc/2
{
"title":"Project2"
}
And I am able to see the audit logs for this.
After this, I am executing this query:
GET demo/_search
But did not get audit log for above query.
My question is that Should we get SQL, EQL and Query DSL queries also or not?
Could you share the audit logs you got for this call?
@ashishshukla wrote:
Please find the below event log
{"type":"audit", "timestamp":"2023-07-27T15:40:31,728+0530", "cluster.uuid":"PdxPNKJfRUOh-nJVi4R9jw", "node.name":"node-1", "node.id":"8vfClNdqTQKpxsWQ9jZFsQ", "host.name":"192.168.251.17", "host.ip":"192.168.251.17", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:52490", "realm":"reserved", "url.path":"/shukla_test/_doc/2", "request.method":"POST", "request.body":" {\r\n "firstname": "Krishna",\r\n "lastname": "kumar"\r\n}", "request.id":"qaaUAg8sQKedKKrkcia4Xw"}
About this request:
POST /shukla_test/_doc/2
{
"firstname": "Krishna",
"lastname": "kumar"
}
Note for @ashishshukla and @Subrato1
Please format your code, logs or configuration files using </>
icon as explained in this guide and not the citation button. It will make your post more readable.
Or use markdown style like:
```
CODE
```
This is the icon to use if you are not using markdown format:
There's a live preview panel for exactly this reasons.
Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
As you can see in the logs, the event logged is a authentication_success
. It's not a trace of the execution of the _search
.
Thanks For your Suggestion, I am able to understand.
Can you please tell me how to execute the SQL and EQL queries for Elasticsearch??
Please open a new discussion as this one is solved I believe.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.