I am using Kibana 4.6.0 and Shield 2.4.0 and am attempting to log the user performing the search and his/her specific query. ES version is 2.4.0.
I can't seem to get the Shield auditing to capture the user's actual search term. It looks like it just records that the user (dude04) accessed an index (panama).
Please see table 14 here: https://www.elastic.co/guide/en/shield/current/configuring-auditing.html#log-entry-attributes
This is me searching for ‘dinosaur’ with the Shield logging set to DEBUG:
[root@es-server logs]# tail -f /data/elastic/panama-test/logs/elasticsearch-access.log
[2016-09-08 13:17:30,502] [es-server] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[dude04], action=[indices:data/read/msearch], request=[MultiSearchRequest]
[2016-09-08 13:17:30,526] [es-server] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[dude04], action=[indices:data/read/search], indices=[panama], request=[SearchRequest]
[2016-09-08 13:17:30,553] [es-server] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[dude04], action=[indices:data/read/search[phase/query]], indices=[panama], request=[ShardSearchTransportRequest]
Kibana logging also does NOT capture the user request. Below is the kibana log set to verbose mode while performing the same search (dinosaur):
[root@es-server logs]# tail -f /var/log/kibana.log
{"type":"response","@timestamp":"2016-09-08T03:27:08Z","tags":[],"pid":18583,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/_msearch?timeout=0&ignore_unavailable=true&preference=1473300425055","method":"post","headers":{"host":"es-server.test.test.com","connection":"keep-alive","content-length":"826","accept":"application/json, text/plain, */*","origin":"http://es-server.test.test.com","kbn-version":"4.6.0","user-agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.82 Safari/537.36","content-type":"application/json;charset=UTF-8","referer":"http://es-server.test.test.com/app/kibana","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.8"},"remoteAddress":"192.168.7.38","userAgent":"192.168.7.38","referer":"http://es-server.test.test.com/app/kibana"},"res":{"statusCode":200,"responseTime":154,"contentLength":9},"message":"POST /elasticsearch/_msearch?timeout=0&ignore_unavailable=true&preference=1473300425055 200 154ms - 9.0B"}
...again, there is no query and also no user (not really a huge surprise, as the user is identified further down the line at Shield, and the query is a POST, I think, whereas this log is the GET).
So after some research online, and seeing others ask a similar question, it seems like I need to ‘trick’ the Elasticsearch slow logging into treating anything 0ms or greater as ‘slow’ and use these logs to achieve the ‘query logging’:
[2016-09-08 13:31:32,118][WARN ][index.search.slowlog.query] [es-server] [panama][2] took[16.6ms], took_millis[16], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[5], source[{"size":500,"sort":[{"parsed.@timestamp":{"order":"desc","unmapped_type":"boolean"}}],"highlight":{"pre_tags":["@kibana-highlighted-field@"],"post_tags":["@/kibana-highlighted-field@"],"fields":{"*":{}},"require_field_match":false,"fragment_size":2147483647},"query":{"filtered":{"query":{"query_string":{"query":"dinosaur","analyze_wildcard":true}},"filter":{"bool":{"must":[{"range":{"parsed.@timestamp":{"gte":1315452691896,"lte":1473305491896,"format":"epoch_millis"}}}],"must_not":[]}}}},"aggs":{"2":{"date_histogram":{"field":"parsed.@timestamp","interval":"1M","time_zone":"Australia/Sydney","min_doc_count":0,"extended_bounds":{"min":1315452691896,"max":1473305491896}}}},"fields":["*","_source"],"script_fields":{},"fielddata_fields":["parsed.@timestamp","@timestamp"]}], extra_source[],
OK, so we're halfway there now: a log which actually has the query terms. But, unfortunately, it doesn't have the user.
Is user and query logging possible with Shield, Kibana or ES?
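As an added example (not part of the original post, and not a Shield or Kibana feature), the two logs quoted above can be joined after the fact: the Shield audit log carries the principal, timestamp and index, and the slow log carries the query source, timestamp and index. The script below parses both formats as they appear in the post and attaches, to each slow-log entry, the principals whose `access_granted` search event on the same index landed within a short window before it. The sample log lines are constructed for this example (the analyst02 user and the 13:31 audit lines are made up to show the ambiguous case), and the two-second window is an assumption to tune to your cluster. When several users search the same index concurrently the join is ambiguous, and the script says so rather than guessing.

```python
"""Join Shield audit events (who) to slow-log entries (what) by index and time.

Added example, not from the original post. Heuristic: an audit access_granted
for indices:data/read/search on the same index, shortly before the slow-log
timestamp, is the likely origin of that query.
"""
import json
import re
from datetime import datetime, timedelta

# Shield audit line: [ts] [node] [layer] [event] key=[value], key=[value], ...
AUDIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<node>[^\]]+)\] \[(?P<layer>[^\]]+)\] "
    r"\[(?P<event>[^\]]+)\] (?P<attrs>.*)$"
)
# Values may themselves contain brackets (action=[...search[phase/query]]),
# so stop only at a closing bracket followed by ", " or end of line.
ATTR_RE = re.compile(r"(\w+)=\[(.*?)\](?:, |$)")
# Slow-log line: [ts][LEVEL][logger] [node] [index][shard] ... source[{json}], ...
SLOWLOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<logger>[^\]]+)\] "
    r"\[(?P<node>[^\]]+)\] \[(?P<index>[^\]]+)\]\[(?P<shard>\d+)\] "
    r".*?source\[(?P<source>\{.*\})\]"
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S,%f")


def find_key(obj, key):
    """Depth-first search for the first value stored under `key` in nested JSON."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = obj.values()
    if isinstance(obj, (list, type({}.values()))):
        for v in obj:
            found = find_key(v, key)
            if found is not None:
                return found
    return None


def parse_audit(lines):
    events = []
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        events.append({
            "ts": parse_ts(m.group("ts")),
            "event": m.group("event"),
            "principal": attrs.get("principal"),
            "action": attrs.get("action"),
            "indices": [i.strip() for i in attrs.get("indices", "").split(",") if i.strip()],
        })
    return events


def parse_slowlog(lines):
    entries = []
    for line in lines:
        m = SLOWLOG_RE.match(line)
        if not m:
            continue
        source = json.loads(m.group("source"))
        qs = find_key(source, "query_string") or {}
        entries.append({"ts": parse_ts(m.group("ts")), "index": m.group("index"),
                        "shard": int(m.group("shard")), "query": qs.get("query")})
    return entries


def correlate(audit, slowlog, window=timedelta(seconds=2)):
    """For each slow-log entry, list principals whose top-level search on the
    same index was granted within `window` before it. Only the top-level
    indices:data/read/search action is used, so the per-shard [phase/query]
    events do not count a user twice."""
    results = []
    for entry in slowlog:
        candidates = {
            ev["principal"] for ev in audit
            if ev["event"] == "access_granted"
            and ev["action"] == "indices:data/read/search"
            and entry["index"] in ev["indices"]
            and timedelta(0) <= entry["ts"] - ev["ts"] <= window
        }
        results.append({"ts": entry["ts"].isoformat(sep=" "), "index": entry["index"],
                        "query": entry["query"], "principals": sorted(candidates),
                        "ambiguous": len(candidates) != 1})
    return results


# Constructed sample lines in the formats shown in the post (analyst02 and the
# 13:31 audit events are invented to demonstrate the ambiguous case).
AUDIT_SAMPLE = """\
[2016-09-08 13:17:30,502] [es-server] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[dude04], action=[indices:data/read/msearch], request=[MultiSearchRequest]
[2016-09-08 13:17:30,526] [es-server] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[dude04], action=[indices:data/read/search], indices=[panama], request=[SearchRequest]
[2016-09-08 13:17:30,553] [es-server] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[dude04], action=[indices:data/read/search[phase/query]], indices=[panama], request=[ShardSearchTransportRequest]
[2016-09-08 13:31:31,990] [es-server] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[dude04], action=[indices:data/read/search], indices=[panama], request=[SearchRequest]
[2016-09-08 13:31:32,010] [es-server] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[analyst02], action=[indices:data/read/search], indices=[panama], request=[SearchRequest]
"""
SLOWLOG_SAMPLE = """\
[2016-09-08 13:17:30,540][WARN ][index.search.slowlog.query] [es-server] [panama][2] took[12.1ms], took_millis[12], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[5], source[{"size":500,"query":{"filtered":{"query":{"query_string":{"query":"dinosaur","analyze_wildcard":true}},"filter":{"bool":{"must":[],"must_not":[]}}}}}], extra_source[],
[2016-09-08 13:31:32,118][WARN ][index.search.slowlog.query] [es-server] [panama][2] took[16.6ms], took_millis[16], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[5], source[{"size":500,"query":{"filtered":{"query":{"query_string":{"query":"dinosaur","analyze_wildcard":true}},"filter":{"bool":{"must":[],"must_not":[]}}}}}], extra_source[],
"""


def demo():
    return correlate(parse_audit(AUDIT_SAMPLE.splitlines()),
                     parse_slowlog(SLOWLOG_SAMPLE.splitlines()))


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Because the slow log writes one line per shard, a single search produces several entries with the same query and near-identical timestamps; deduplicating on (index, query, timestamp rounded to the second) before correlating keeps the output to one row per search.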