There's no complete solution for what you're describing inside the Elastic Stack at the moment.
We are, however, actively working on it.
The approach we are taking is to use the logfile output for ES auditing, use Filebeat to ship the logs to an ES index, and have templates and dashboards in Kibana for that.
Right now there is no perfect solution that "just works" like monitoring; you have to put these pieces together yourself if you need it now.
Hi,
I've installed the X-Pack trial and am checking its functionality, especially for audit events.
I'd like to "record" in .security_audit_log the queries performed by Kibana users. Right now I only see in the log
a record with the request type, for example:
request=[ShardSearchTransportRequest]
If a particular index was searched, how can I see exactly what the search pattern and the other details were?
Are there other settings in elasticsearch.yml for this?
The xpack.security.audit.logfile.events.emit_request_body setting (or xpack.security.audit.index.events.emit_request_body for the index output) is the one you're looking for.
More about them here.
I'm searching the created .security_audit_log and can't find the Kibana authenticated user name or the request performed by that user. Is it possible at all, or can only the elastic user be audited?
Hello ludaca,
I'm having the same issue; at least, I couldn't see the "search" actions [ "action" : "indices:data/read/search" ].
The audit log index only shows me the actions from the principal "_xpack_security" and not from any other users. Could you please let me know if there is something missing in my config files?
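Two things come up repeatedly in this thread: what an audit entry looks like once emit_request_body is switched on (the earlier answer), and how to pick real users' searches out of the flood of entries the cluster's own "_xpack_security" principal produces (the post just above). The script below is an added example, not code from the thread or from Elastic. It parses a handful of constructed lines laid out like the 6.x X-Pack audit logfile output (bracketed key=[value] pairs); the exact field names, the "node-1" node name, the principals and the timestamps are assumptions made for this example, so check them against your own log before relying on the parser. Note the caveat the setting implies: with emit_request_body enabled, the full query text is written to the audit log in plain text, including any sensitive terms a user searched for, so the audit log itself must be access-controlled like the data it describes.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the 6.x X-Pack audit logfile output.
# Field names, node name, principals and timestamps are assumptions for this
# example, not copied from a real cluster. The "analyst" search shows the
# extra request_body field that xpack.security.audit.logfile.events.emit_request_body
# adds; without that setting only request=[SearchRequest] is recorded.
SAMPLE_AUDIT_LOG = """\
[2018-03-05T11:22:33,444] [node-1] [transport] [access_granted] origin_type=[local_node], origin_address=[127.0.0.1], principal=[_xpack_security], action=[indices:data/read/search], indices=[.security], request=[SearchRequest]
[2018-03-05T11:22:34,101] [node-1] [rest] [authentication_success] principal=[kibana], realm=[native], uri=[/_xpack/security/_authenticate], request_body=[]
[2018-03-05T11:22:35,250] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[kibana], action=[indices:data/read/search], indices=[logs-2018.03.05], request=[SearchRequest]
[2018-03-05T11:22:36,780] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.7], principal=[analyst], action=[indices:data/read/search], indices=[logs-2018.03.05], request=[SearchRequest], request_body=[{"query":{"bool":{"must":[{"match":{"user":"admin"}}]}}}]
[2018-03-05T11:22:37,000] [node-1] [transport] [access_denied] origin_type=[rest], origin_address=[10.0.0.9], principal=[analyst], action=[indices:admin/delete], indices=[logs-2018.03.05], request=[DeleteIndexRequest]
"""

# Fixed prefix: [timestamp] [node] [layer] [event_type] followed by key=[value] pairs.
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<node>[^\]]+)\] \[(?P<layer>[^\]]+)\] "
    r"\[(?P<event>[^\]]+)\] ?(?P<rest>.*)$"
)
KEY_RE = re.compile(r"(\w+)=\[")

# Internal principals whose activity is cluster housekeeping, not user queries.
# "_xpack_security" is the one seen in the thread; "_system" is an assumed
# addition. Extend this set for your own deployment.
INTERNAL_PRINCIPALS = {"_xpack_security", "_system"}


def _parse_fields(s):
    """Split 'k=[v], k2=[v2]' into a dict. Values are scanned with bracket
    counting rather than a regex so a JSON request_body containing arrays
    (nested '[...]') is captured whole. Assumes brackets inside the body are
    balanced, which holds for JSON that contains no ']' inside string values."""
    fields = {}
    pos = 0
    while True:
        m = KEY_RE.search(s, pos)
        if not m:
            break
        key = m.group(1)
        start = i = m.end()
        depth = 1
        while i < len(s) and depth:
            if s[i] == "[":
                depth += 1
            elif s[i] == "]":
                depth -= 1
            i += 1
        if depth:
            raise ValueError("unterminated value for field %r" % key)
        fields[key] = s[start:i - 1]
        pos = i
    return fields


def parse_audit_log(text):
    """Return one dict per non-empty audit line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError("unrecognised audit line: " + line)
        ev = {"timestamp": m["ts"], "node": m["node"],
              "layer": m["layer"], "event": m["event"]}
        ev.update(_parse_fields(m["rest"]))
        events.append(ev)
    return events


def user_searches(events):
    """Search actions issued by real users, dropping internal principals."""
    return [e for e in events
            if e.get("action") == "indices:data/read/search"
            and e.get("principal") not in INTERNAL_PRINCIPALS]


def searches_by_user(events):
    """Count of user searches per principal."""
    return Counter(e["principal"] for e in user_searches(events))


def searches_with_body(events):
    """User searches for which the query text itself was audited, i.e. the
    entries you only get once emit_request_body is enabled."""
    return [e for e in user_searches(events) if e.get("request_body")]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("searches per user:", dict(searches_by_user(evs)))
    for e in searches_with_body(evs):
        print(e["timestamp"], e["principal"], e["indices"], e["request_body"])
```

Run against a real logfile, the "searches per user" counter is the quickest way to confirm that the Kibana-authenticated user's own searches are being audited at all; if only "_xpack_security" ever appears, the user's requests are not reaching the audited layer and the problem is configuration rather than parsing.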