Detecting deletes

Hello,

I was hoping to find a way to detect deletion of documents in our Elasticsearch audit logs. But I cannot find any reference or event related to me testing deletion of docs with for example:

DELETE av-002-2020.10/_doc/e6hh8HQBlvZ7gcHFnQNW

I'd prefer not having to set:

xpack.security.audit.logfile.events.emit_request_body: true

As I tried that in the past and our PR cluster exploded.

So can someone confirm that there is no way to detect deletion of documents without setting emit_request_body?

Grtz

Willem

What version of Elasticsearch?

Depending on how your auditing is set up you should be able to see something like (re-formatted for clarity)

{
  "@timestamp": "2020-11-17T12:08:43,853",
  "node.name": "42Qe0Al",
  "node.id": "42Qe0AlWQl-yBE5hBTMkIg",
  "event.type": "transport",
  "event.action": "access_granted",
  "user.name": "elastic",
  "user.realm": "reserved",
  "user.roles": [ "superuser" ],
  "origin.type": "rest",
  "origin.address": "[::1]:57348",
  "request.id": "19QFv00PTx2iEySjELRgHA",
  "action": "indices:data/write/delete",
  "request.name": "DeleteRequest",
  "indices": [ "index" ]
}
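To show what can be done with that event without emit_request_body, here is an added example (not code from the thread or from Elastic) that reads audit-log JSON lines, keeps document deletes by matching `action` against `indices:data/write/delete`, drops events from system accounts the way the poster's Logstash filter does, and separates granted deletes from denied attempts. The sample lines are constructed for the example (the first mirrors the event above); the system-account list is an assumption you would replace with your own.

```python
import json
from typing import Iterable, Iterator, Optional

# Audit-log action name for a single-document DELETE request, as in the sample event above.
DELETE_ACTION = "indices:data/write/delete"

# Assumed list of accounts whose events are dropped, mirroring the "events done by
# system accounts" filter mentioned in the thread. Replace with your own set.
SYSTEM_USERS = {"_system", "_xpack"}

# Constructed sample of audit-log JSON lines (one event per line). The first line mirrors
# the event shown above; the others are made up to exercise the filter.
SAMPLE_AUDIT_LINES = [
    '{"@timestamp":"2020-11-17T12:08:43,853","node.name":"42Qe0Al","event.type":"transport",'
    '"event.action":"access_granted","user.name":"elastic","user.realm":"reserved",'
    '"user.roles":["superuser"],"origin.type":"rest","origin.address":"[::1]:57348",'
    '"request.id":"19QFv00PTx2iEySjELRgHA","action":"indices:data/write/delete",'
    '"request.name":"DeleteRequest","indices":["index"]}',
    # an ordinary index (write) request: not a delete
    '{"@timestamp":"2020-11-17T12:09:01,100","event.type":"transport","event.action":"access_granted",'
    '"user.name":"elastic","origin.address":"[::1]:57348","request.id":"r2",'
    '"action":"indices:data/write/index","request.name":"IndexRequest","indices":["index"]}',
    # a delete performed by a system account: dropped, as the Logstash filter in the thread does
    '{"@timestamp":"2020-11-17T12:09:05,000","event.type":"transport","event.action":"access_granted",'
    '"user.name":"_system","request.id":"r3","action":"indices:data/write/delete",'
    '"request.name":"DeleteRequest","indices":[".watcher-history-1"]}',
    # a delete that was refused: an attempt, not a deletion
    '{"@timestamp":"2020-11-17T12:09:09,000","event.type":"transport","event.action":"access_denied",'
    '"user.name":"analyst","request.id":"r4","action":"indices:data/write/delete",'
    '"request.name":"DeleteRequest","indices":["av-002-2020.10"]}',
    "not json at all",
]


def parse_audit_lines(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per JSON audit event; blank or malformed lines are skipped."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def classify_delete(event: dict, ignore_users=SYSTEM_USERS) -> Optional[str]:
    """Return 'granted' or 'denied' for a document-delete event, or None for
    anything else (including deletes issued by an ignored system account)."""
    if event.get("event.type") != "transport" or event.get("action") != DELETE_ACTION:
        return None
    if event.get("user.name") in ignore_users:
        return None
    outcome = event.get("event.action")
    if outcome == "access_granted":
        return "granted"
    if outcome == "access_denied":
        return "denied"
    return None


def find_deletes(lines: Iterable[str], include_denied: bool = False) -> list:
    """Summarise document-delete events from raw audit-log lines.

    The event carries the index name, user and origin but not the document id,
    so the id itself is only available with emit_request_body enabled."""
    found = []
    for ev in parse_audit_lines(lines):
        kind = classify_delete(ev)
        if kind is None or (kind == "denied" and not include_denied):
            continue
        found.append({
            "timestamp": ev.get("@timestamp"),
            "user": ev.get("user.name"),
            "origin": ev.get("origin.address"),
            "indices": ev.get("indices", []),
            "request_id": ev.get("request.id"),
            "outcome": kind,
        })
    return found


if __name__ == "__main__":
    for hit in find_deletes(SAMPLE_AUDIT_LINES, include_denied=True):
        print(hit)
```

Run against the sample lines it reports the `elastic` user's granted delete on `index` and, with `include_denied=True`, the refused attempt as well, while the system-account delete and the plain index request are ignored. The same matching (`event.type`, `action`, `user.name`) is what a Logstash filter on the monitoring side would express.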

Thanks for your answer @TimV

We are on 7.9.2 currently. We have a separate monitoring cluster and Logstash node where our audit logs are indexed by a secondary Filebeat instance on each Elastic node. The audit logs are filtered in the Logstash node, which drops allowed events done by system accounts. Thanks for confirming we should see "indices:data/write/delete". I'll have another look at some of the components to see why our deletes are not indexed.

Grtz

Willem

@TimV Aha, I found a configuration error in some of our filebeat2.yml files; it seems they are trying to index PR audit logs on QA nodes (probably copied from a PR to a QA node without changing the path).

After correcting the situation I was able to find the delete requests. 🙂
