Auditing Security Events visualizing

security

(Rijin) #1

Hi All ,

I am going to enable Auditing Security Events . Its out put will be an index and a log file .

My question is , how can we use this index and log file ? Is this events are visualizing in kibana ?

In monitoring we can visualize the monitoring data in kibana. I am comparing this Auditing with Monitoring


(Albert Zaharovits) #2

Hi @rijinmp,

There's no complete solution, for what you're describing, inside the elastic stack at the moment.
We are however actively working on it.

The approach we are taking is to use the logfile output for ES auditing, use Filebeat to ship them to an ES index and have templates and dashboards in Kibana for that.

Right now, there is no perfect solution "that just works" like monitoring, you have to put these pieces together yourself if you need it now.


#3

Hi,
I'm installed x-pack trial and checking it's functionality especially for audit events.
I'd like to "record" in .security_audit_log queries performed by kibana users. Now I see in log
only record with request title, for exmaple:
request=[ShardSearchTransportRequest]
If a particular index was searched, how to see exactly what is the search pattern and other details?
Are there other setting in
l
aticsearch.yml?se


(Albert Zaharovits) #4

Hi @ludaca,

The xpack.security.audit.logfile.events.emit_request_body (or xpack.security.audit.index.events.emit_request_body) is the setting you're looking for.
More about them here.


(Rijin) #5

Hi @Albert_Zaharovits

The audit index is created now . I can see this index in monitoring menu in kibana.

Name is like " .security_audit_log-2018.. "

May I visualize this index data in Kibana ?


(Rijin) #6

Can you provide any documentation about this Security audit Dashboard templates ?


(Albert Zaharovits) #7

AFAIK There are no Dashboard templates for the Security Audit. We are working on this.


#8

I'm searching created .security_audit_log and can't find the kibana authenticated user name and request performed by this user. Is it possible at all? or only elastic user can be audited?


(Albert Zaharovits) #9

Yes all users are audited .


(Rijin) #10

HI lucanda ,

It is a hidden index.

If you are searching in KIbana ,

use this menu : management/elasticsearch/index_management

Then enable "Include system indices"

One more thing your user should authorized to see this index.
If you are login as a supers user , you can see it definitely.


#11

Here is my elasticsearch.yml x-pack settings:
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.events.emit_request_body: true
xpack.security.audit.index.events.emit_request_body: true

I'm logged in kibana with testuser2 and performed some search on index named logstash-panelcasesol-2017-09-23
when I curl .security_audit_log-2018.10.15/_search, and expect to see username "testuser2" and his action , but it's not there
{
"_index" : ".security_audit_log-2018.10.15",
"_type" : "doc",
"_id" : "QEgFdWYBIOFrTQ7XwJCh",
"_score" : 1.0,
"_source" : {
"@timestamp" : "2018-10-15T00:00:02.443Z",
"node_name" : "es-data1-642",
"node_host_name" : "10.244.4.148",
"node_host_address" : "10.244.4.148",
"layer" : "transport",
"event_type" : "access_granted",
"origin_type" : "rest",
"origin_address" : "10.244.4.149",
"action" : "indices:data/read/search",
"principal" : "elastic",
"realm" : "reserved",
"roles" : [
"superuser"
],
"indices" : [
"",
"-
"
],
"request" : "SearchRequest"
}
},

What do I miss?


(Rijin) #12

Try this in yml file:
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.prefix.emit_node_name: true
xpack.security.audit.logfile.prefix.emit_node_host_address: true
xpack.security.audit.logfile.prefix.emit_node_host_name: true
xpack.security.audit.index.settings:
index:
number_of_shards: 1
number_of_replicas: 1


#13

All this relates node&host, maybe you know paramete rsfor user aud?iintg


(Phani Krishna) #14

Hello ludaca,
I'm having the same issue but atleast couldn't able to see the "search" actions[ "action" : "indices:data/read/search" ].

The audit log index only shows me the actions from the principal "_xpack_security" and not from any other users. Could you pls let me know if there is something missing in my config files ?


(system) #15

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.