Audit Logging for Elasticsearch 2.3.1 with Shield plugin

Hi guys,

We have a project from a client and the requirement is to set up audit logs for all the activities in Kibana/ES. We set up the Shield trial and it worked nicely. However, one of the requirements is to capture what data fields/time frame the queries ran against. For example, we want to see the activity of user A after they logged in: what queries/dashboards they accessed, within what time range, against what columns.

I checked the documentation but the log level for Shield doesn't specify anything like that. Can you guys please advise?

Also, is there any way to achieve such things without using Shield?

Thank you,

Unfortunately, that's not currently possible with Shield. Shield can log the endpoints a user accesses (via the access_granted log), but it currently doesn't log the request body. So you won't know what queries/times/dates they are running.

It's something we'd like to add to audit logging, just not sure when it'll be added :)

Without Shield, you'd need to set up some kind of proxy that intercepts the requests, logs the endpoint + body, then forwards it to Kibana. You'd also have to set up the ACLs etc. so that users can authorize and only access their allowed resources, and some way to collect those logs to send somewhere for processing.
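As an added illustration of the proxy approach described in the reply above (this is not Shield, not Elastic's code, and not something the reply author posted): a small reverse proxy that authenticates the caller, writes one audit event per request with the endpoint, the indices, the field names and the time ranges pulled out of the request body, enforces a per-user index ACL, and only then forwards the request to Elasticsearch. The upstream address, the `USERS` credential table, the `ALLOWED_INDEX_PREFIX` ACL, the `PUBLIC_PATHS` allow-list and the `KIBANA_MSEARCH` sample body are all constructed assumptions for the example.

```python
"""Audit-logging reverse proxy for Elasticsearch. Added example, not Shield's code and not from this thread.
Assumed (hypothetical): Kibana is pointed at this proxy on :9201, the cluster is at ES_UPSTREAM, and
USERS / ALLOWED_INDEX_PREFIX stand in for a real credential store and ACL."""
import base64, datetime, json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ES_UPSTREAM = "http://127.0.0.1:9200"
USERS = {"alice": "s3cret"}                          # constructed credential store
ALLOWED_INDEX_PREFIX = {"alice": "logstash-"}        # constructed per-user index ACL
PUBLIC_PATHS = {"/", "/_cluster/health", "/_nodes"}  # the only index-less requests let through
QUERY_CLAUSES = {"match", "match_phrase", "term", "terms", "prefix", "wildcard", "regexp"}
KIBANA_MSEARCH = (  # constructed sample in the shape of a Kibana 4 dashboard request to /_msearch
    b'{"index":["logstash-*"],"ignore_unavailable":true}\n'
    b'{"size":0,"query":{"filtered":{"query":{"query_string":{"query":"*"}},"filter":{"bool":{"must":'
    b'[{"range":{"@timestamp":{"gte":1459468800000,"lte":1459555200000}}}]}}}},'
    b'"aggs":{"2":{"terms":{"field":"host","size":5}}}}\n')

def authenticate(auth_header):  # HTTP Basic header -> user name, or None
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if USERS.get(user) == pw else None

def walk(obj):  # every (key, value) pair at any depth of a parsed JSON document
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k, v
            yield from walk(v)
    elif isinstance(obj, list):
        for item in obj:
            yield from walk(item)

def parse_request(path, body):  # indices, field names and time ranges touched by a _search/_msearch body
    first = path.lstrip("/").split("?")[0].split("/")[0]
    indices = [] if not first or first.startswith("_") else first.split(",")
    try:
        docs = [json.loads(body)]
    except ValueError:  # NDJSON (_msearch, _bulk): one document per line; a malformed line fails closed
        docs = [json.loads(l) for l in body.splitlines() if l.lstrip().startswith(b"{")]
    fields, ranges = set(), []
    for doc in docs:
        for k, v in walk(doc):
            if k == "index" and isinstance(v, (str, list)):  # _msearch header line names the index
                indices += v.split(",") if isinstance(v, str) else [i for i in v if isinstance(i, str)]
            elif k in QUERY_CLAUSES and isinstance(v, dict) and "field" not in v:
                fields.update(v)                             # {"term": {"user": ...}}: keys are fields
            elif k == "field" and isinstance(v, str):
                fields.add(v)                                # aggregations, exists, missing
            elif k == "range" and isinstance(v, dict):
                fields.update(v)
                ranges += [{"field": f, **{x: b[x] for x in ("gte", "gt", "lte", "lt") if x in b}}
                           for f, b in v.items() if isinstance(b, dict)]
    return {"indices": list(dict.fromkeys(indices)), "fields": sorted(fields), "time_ranges": ranges}

def authorized(user, record):  # index-less data requests (/_search, /_msearch) are denied, not defaulted open
    prefix = ALLOWED_INDEX_PREFIX.get(user)
    if not record["indices"]:
        return prefix is not None and record["path"].split("?")[0] in PUBLIC_PATHS
    return prefix is not None and all(i.startswith(prefix) for i in record["indices"])

def audit_record(user, method, path, body):  # who, when, which endpoint, which data, and the ACL decision
    record = {"@timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
              "user": user, "method": method, "path": path, "body_bytes": len(body)}
    record.update(parse_request(path, body))
    record["allowed"] = authorized(user, record)
    return record

class AuditProxy(BaseHTTPRequestHandler):
    def _reply(self, status, data=b""):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def _handle(self):
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        user = authenticate(self.headers.get("Authorization"))
        if user is None:
            return self._reply(401, b'{"error":"authentication required"}')
        record = audit_record(user, self.command, self.path, body)
        print(json.dumps(record), flush=True)                # stdout -> your log collector
        if not record["allowed"]:
            return self._reply(403, b'{"error":"forbidden"}')
        req = Request(ES_UPSTREAM + self.path, data=body or None, method=self.command,
                      headers={"Content-Type": self.headers.get("Content-Type", "application/json")})
        try:
            with urlopen(req, timeout=30) as resp:
                self._reply(resp.status, resp.read())
        except HTTPError as err:                             # ES 4xx/5xx: pass status and body through
            self._reply(err.code, err.read())
    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _handle

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9201), AuditProxy).serve_forever()
```

Two design points worth keeping whatever proxy you end up with: the audit event is written before the forward and also when the request is denied, so a refused access still leaves a trace, and a data request with no index in the path (Kibana's `/_msearch`) is only allowed when the NDJSON header names indices the user may read, rather than being let through because nothing matched. The ACL here is deliberately minimal; a real Kibana deployment also needs access to its own `.kibana` index and to `/_nodes`, and the proxy only helps if Elasticsearch itself is bound so that clients cannot reach it directly, with TLS terminated in front of the proxy.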

Thanks for the prompt reply, Zachary. We will dig into it further and see if we can do anything by setting up the interception.