Does ECE have a user audit trail

Hello, I am experimenting with ECE and I am trying to see if the admin console stores an audit trail of user actions. I can see the activity field but there is no user attribute.

What I am looking for is something like "User A performed cluster restart on deployment " so we can work out which user did which action.

Secondly is there a way I can export this data?

The adminconsole has a log file called something_audit.log in <root-dir>/<runnerid>/services/adminconsole/logs ... that should get exported to the logging and metrics cluster (in index services-adminconsole I think, the source field selects the file) and should have the user field populated.

It can be exported as per usual from an ES/Kibana stack

Alex

I can see in the service-logs-* filebeat sending data from adminconsole.log, but that gives me just the HTTP requests with the username in the message. I was hoping for a more granular audit log where I can do a search user:"username" and see all changes that user has done. The requests do not give me enough data to work out what that user has done. The requirement I need to solve is to prove that a user has done something malicious, e.g. deleted a cluster they should not have.

Can you really not see files with *audit*.log type patterns? Either in the disk location I specified or (preferably) in the L+M cluster? (double check: is this a recent-ish version of ECE? Shouldn't be a factor since we've been using them internally in our cloud platform since something like 1.1)

Hello,
I'm having similar issues in on-premise clusters with subscription. Unless xpack.security.audit.logfile.events.emit_request_body is set to true, auditing is not granular enough. Also, when xpack.security.audit.logfile.events.emit_request_body is enabled, audit logs explode.
We have a need to audit who creates users, who gives which cluster privileges to whom, and other mostly user- and role-related audit logs. Elastic should really consider a way to partially increase auditing verbosity and a filter for certain components.
Grtz
Willem

In the console UI I can see the activity is listed with the username. But I cannot find this information in the admin-console-elasticsearch cluster when doing a search for my username. Where is that data stored, or is there an ECE API call I can do to get the full audit trail?

The full API audit log should be in the logging and metrics cluster (or on disk), not the admin-console-elasticsearch cluster

An API that provides just metadata about plan configuration changes (but not delete etc) is available via the activity API (https://www.elastic.co/guide/en/cloud-enterprise/current/Clusters_-_Elasticsearch_-_CRUD_-_Configuration.html#get-es-cluster-plan-activity). There is no ECE specific API for the full audit logs, just the ES API vs the L+M cluster.

@willemdh this is a slightly different topic - here we're talking about auditing the API commands that control the (ECE) infrastructure that runs ES, not ES itself. Both ES (and ES auditing in ECE) are definitely areas that require more work (and work is ongoing on various aspects of them)

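As an added example (not from this thread and not Elastic's code), a small Python script that does the search the thread describes against the logging and metrics cluster: filter the services-adminconsole index on a `source` of `*audit*.log` and on the `user` field, then flatten the hits into rows ready for CSV export. The index name and the `source`/`user` fields come from the replies above; the `@timestamp` and `message` fields, the cluster URL, credentials and the sample documents are assumptions or constructed.

```python
import json
import urllib.request

INDEX = "services-adminconsole*"  # index named in the thread; wildcard suffix assumed

def build_query(user, since="now-7d", size=500):
    """Query DSL for one user's audit-file events, oldest first. `source` and `user`
    are the fields the thread names; `@timestamp` is Filebeat's usual field (assumed)."""
    return {
        "size": size,
        "sort": [{"@timestamp": "asc"}],
        "query": {"bool": {"filter": [
            {"wildcard": {"source": "*audit*.log"}},  # audit file only, not adminconsole.log
            {"term": {"user": user}},
            {"range": {"@timestamp": {"gte": since}}},
        ]}},
    }

def hits_to_rows(hits):
    """Flatten _search hits to (timestamp, user, message) rows, dropping anything not
    shipped from an audit file: plain adminconsole.log request lines are not audit events."""
    rows = []
    for hit in hits:
        doc = hit["_source"]
        if "audit" not in doc.get("source", ""):
            continue
        rows.append((doc.get("@timestamp", ""), doc.get("user", ""), doc.get("message", "")))
    return rows

def fetch_rows(es_url, user, since="now-7d", auth_header=None):
    """Run the query against the L+M cluster (network call; es_url and auth are assumptions)."""
    body = json.dumps(build_query(user, since)).encode()
    req = urllib.request.Request(f"{es_url}/{INDEX}/_search", data=body,
                                 headers={"Content-Type": "application/json"})
    if auth_header:
        req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req) as resp:
        return hits_to_rows(json.load(resp)["hits"]["hits"])

# Constructed sample hits shaped like Filebeat documents (not real ECE output).
SAMPLE_HITS = [
    {"_source": {"@timestamp": "2019-05-01T10:00:00Z", "user": "alice",
                 "source": "/ROOT-DIR/RUNNER-ID/services/adminconsole/logs/something_audit.log",
                 "message": "delete cluster abc123 (constructed)"}},
    {"_source": {"@timestamp": "2019-05-01T10:00:01Z", "user": "alice",
                 "source": "/ROOT-DIR/RUNNER-ID/services/adminconsole/logs/adminconsole.log",
                 "message": "HTTP request line (constructed)"}},
]
```

The rows returned by `fetch_rows` can be handed straight to `csv.writer` for export; the same query body pasted into Kibana Dev Tools gives the interactive view.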
