We have a project from a client and the requirement is to set up audit logs for all the activities in Kibana/ES. We set up a Shield trial and it worked nicely. However, one of the requirements is to capture what data fields/time frame the queries ran against. For example, we want to see the activity of user A after they logged in: what queries/dashboards they accessed, within what time range, against what columns.
I checked the documentation but the log level for Shield doesn't specify anything like that. Can you guys please advise?
Also, is there any way to achieve such things without using Shield?
Unfortunately, that's not currently possible with Shield. Shield can log the endpoints a user accesses (via the access_granted log), but it currently doesn't log the request body. So you won't know what queries/times/dates they are running.
It's something we'd like to add to audit logging, just not sure when it'll be added
Without Shield, you'd need to set up some kind of proxy that intercepts the requests, logs the endpoint + body, then forwards it to Kibana. You'd also have to set up the ACL etc. so that users can be authorized and only access their allowed resources, and some way to collect those logs to send somewhere for processing.
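As an added example of the proxy approach described in the answer above (this is not Shield, Kibana or Elasticsearch code, and not from either poster), here is a minimal audit-logging reverse proxy in Python. It assumes it sits in front of the Elasticsearch HTTP API (or Kibana's `/elasticsearch/` passthrough) so that it sees raw `_search`/`_msearch` bodies, that the caller identifies itself with HTTP Basic auth, and that the `ACL` mapping of users to index patterns is a constructed stand-in for a real authorization backend. For each request it records who ran the query, which index, which fields and which time ranges the query touched, makes an allow/deny decision, emits a JSON audit record, and only then forwards the request upstream.

```python
"""Audit-logging reverse proxy sketch (added example; not Shield/Kibana code).

Assumptions not taken from the thread: the proxy fronts the Elasticsearch HTTP
API, the username comes from HTTP Basic auth (password verification is left to
your own auth backend; this sketch only extracts the name), and ACL/UPSTREAM are
constructed example values.
"""
import base64
import json
import sys
from datetime import datetime, timezone
from fnmatch import fnmatch
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

UPSTREAM = "http://127.0.0.1:9200"                               # assumed ES address
ACL = {"alice": ["logs-*", "metrics-*"], "bob": ["metrics-*"]}  # constructed ACL
LEAF_CLAUSES = ("term", "terms", "match", "match_phrase", "prefix", "wildcard")


def extract_query_facts(body):
    """Return (sorted field names, {field: range bounds}) referenced by a query body."""
    fields, ranges = set(), {}

    def walk(node, in_aggs):
        if isinstance(node, list):
            for item in node:
                walk(item, in_aggs)
            return
        if not isinstance(node, dict):
            return
        for key, val in node.items():
            if key in ("aggs", "aggregations"):
                walk(val, True)
            elif key == "field" and isinstance(val, str):      # aggregation target
                fields.add(val)
            elif in_aggs and key != "filter":                   # filter agg holds a query
                walk(val, True)
            elif key == "range" and isinstance(val, dict):      # time/numeric window
                for fld, bounds in val.items():
                    fields.add(fld)
                    if isinstance(bounds, dict):
                        ranges[fld] = {b: bounds[b] for b in ("gte", "gt", "lte", "lt") if b in bounds}
            elif key in LEAF_CLAUSES and isinstance(val, dict):  # keys are field names
                fields.update(val)
            elif key == "exists" and isinstance(val, dict) and "field" in val:
                fields.add(val["field"])
            else:
                walk(val, False)

    walk(body, False)
    return sorted(fields), ranges


def index_from_path(path):
    """'/logs-2024/_search?size=0' -> 'logs-2024'; no index in the path -> '_all'."""
    first = path.split("?", 1)[0].strip("/").split("/")[0]
    return first if first and not first.startswith("_") else "_all"


def split_requests(path, raw_body):
    """Yield (index, query_body) pairs; _msearch bodies are NDJSON header/body pairs."""
    if path.split("?", 1)[0].rstrip("/").endswith("_msearch"):
        lines = [ln for ln in raw_body.decode("utf-8").splitlines() if ln.strip()]
        for header, body in zip(lines[0::2], lines[1::2]):
            idx = json.loads(header).get("index", index_from_path(path))
            yield (",".join(idx) if isinstance(idx, list) else idx), json.loads(body)
    else:
        yield index_from_path(path), (json.loads(raw_body) if raw_body.strip() else {})


def is_allowed(user, index):
    """Every comma-separated index must match a pattern; '_all' therefore fails closed."""
    patterns = ACL.get(user, [])
    return all(any(fnmatch(i, p) for p in patterns) for i in index.split(","))


def audit(user, method, path, raw_body, now=None):
    """Build one audit record per query in the request, including the ACL decision."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for index, body in split_requests(path, raw_body):
        fields, ranges = extract_query_facts(body)
        records.append({"ts": ts, "user": user, "method": method, "path": path,
                        "index": index, "fields": fields, "ranges": ranges,
                        "allowed": is_allowed(user, index)})
    return records


class AuditProxy(BaseHTTPRequestHandler):
    def _user(self):
        hdr = self.headers.get("Authorization", "")
        if hdr.startswith("Basic "):
            return base64.b64decode(hdr[6:]).decode("utf-8").split(":", 1)[0]
        return None

    def _proxy(self):
        user = self._user()
        raw = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        if user is None:
            self.send_response(401); self.end_headers(); return
        try:
            records = audit(user, self.command, self.path, raw)
        except ValueError:                       # malformed JSON: log nothing, forward nothing
            self.send_response(400); self.end_headers(); return
        for rec in records:                      # ship these lines to your log pipeline
            print(json.dumps(rec), file=sys.stderr)
        if not all(r["allowed"] for r in records):
            self.send_response(403); self.end_headers(); return
        req = Request(UPSTREAM + self.path, data=raw or None, method=self.command,
                      headers={"Content-Type": self.headers.get("Content-Type", "application/json")})
        try:
            with urlopen(req) as resp:
                status, payload = resp.status, resp.read()
        except HTTPError as err:
            status, payload = err.code, err.read()
        self.send_response(status); self.end_headers(); self.wfile.write(payload)

    do_GET = do_POST = _proxy


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 5601), AuditProxy).serve_forever()
```

The audit record answers exactly the question the original poster asked (user, index, fields, time window, timestamp) rather than just the endpoint Shield's `access_granted` entry gives you. Two caveats a practitioner should keep in mind: the username is only as trustworthy as whatever authenticates the `Authorization` header in front of this proxy, and the ACL check fails closed on requests without an explicit index (`_all`), which is the safe default for a wildcard search.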