ES version: 7.3.2
X-pack: Platinum
We have OpenID based user authentication in Elasticsearch.
We need to check the activity done by users after they sign in, especially activity that involves running queries in Dev Tools in Kibana.
The current audit logs, which we enabled with the following configuration, do not show these details:
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true
We are getting logs like the ones below, without the granular level of detail we require.
{"@timestamp":"2020-02-14T01:35:46,471", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"a0R5c5mZSI6M8cowuSAGDg", "action":"indices:data/read/scroll/clear", "request.name":"ClearScrollRequest"}
{"@timestamp":"2020-02-14T01:35:46,471", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"a0R5c5mZSI6M8cowuSAGDg", "action":"indices:data/read/search[free_context/scroll]", "request.name":"ScrollFreeContextRequest"}
{"@timestamp":"2020-02-14T01:35:56,475", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"H-fdWUC1Snidy7vPtA2oGA", "action":"indices:data/read/msearch", "request.name":"MultiSearchRequest"}
Is there any way we can get at least the user's email ID or user name in these logs? Is this a limitation of Elasticsearch?
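A small triage script, added here as an example and not part of the original post, that parses audit lines in the field layout shown above, separates work the cluster does on its own behalf (the `_xpack_security` / `__attach` / `local_node` entries) from events that carry an end-user identity, and lists the request IDs for which the log names no user at all. It assumes only the field names visible in the quoted lines; the fourth sample event, its realm name, user and address are constructed placeholders.

```python
import json
from collections import Counter, defaultdict

# Constructed sample input: the three events quoted in the post above plus one
# made-up event in the same field layout that stands in for a user-originated
# request (user.name, user.realm, origin.address and request.id are placeholders).
SAMPLE_AUDIT_LINES = [
    '{"@timestamp":"2020-02-14T01:35:46,471", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"a0R5c5mZSI6M8cowuSAGDg", "action":"indices:data/read/scroll/clear", "request.name":"ClearScrollRequest"}',
    '{"@timestamp":"2020-02-14T01:35:46,471", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"a0R5c5mZSI6M8cowuSAGDg", "action":"indices:data/read/search[free_context/scroll]", "request.name":"ScrollFreeContextRequest"}',
    '{"@timestamp":"2020-02-14T01:35:56,475", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"_xpack_security", "user.realm":"__attach", "user.roles":["superuser"], "origin.type":"local_node", "origin.address":"ip.address:9300", "request.id":"H-fdWUC1Snidy7vPtA2oGA", "action":"indices:data/read/msearch", "request.name":"MultiSearchRequest"}',
    '{"@timestamp":"2020-02-14T01:36:02,118", "node.id":"Hw0yZ8sgR7wiTNI3tDt5Gg", "event.type":"transport", "event.action":"access_granted", "user.name":"alice@example.com", "user.realm":"oidc1", "user.roles":["kibana_user"], "origin.type":"rest", "origin.address":"203.0.113.10:52144", "request.id":"constructed-req-1", "action":"indices:data/read/msearch", "request.name":"MultiSearchRequest"}',
]


def parse_audit_lines(lines):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line should not abort triage
    return events


def is_internal(event):
    """Heuristic (assumption): work the cluster does on its own behalf shows an
    underscore-prefixed user (e.g. _xpack_security) in the __attach realm and
    originates from local_node, as in the lines quoted in the post."""
    return (event.get("user.name", "").startswith("_")
            or event.get("user.realm", "").startswith("__")
            or event.get("origin.type") == "local_node")


def summarize_by_user(events):
    """Count actions per non-internal user, keyed by user.name."""
    summary = defaultdict(Counter)
    for e in events:
        if not is_internal(e):
            summary[e.get("user.name", "<unknown>")][e.get("action", "<none>")] += 1
    return {user: dict(actions) for user, actions in summary.items()}


def unattributed_request_ids(events):
    """request.ids whose events are all internal: the log records activity but
    names no end user for it, which is the gap the post describes."""
    by_request = defaultdict(list)
    for e in events:
        by_request[e.get("request.id", "<none>")].append(e)
    return sorted(rid for rid, evs in by_request.items() if all(map(is_internal, evs)))
```

Feed it the real audit log (one JSON object per line) to see which request IDs never carry a user identity; those are the events where only the node-level `_xpack_security` view is recorded.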