Does Elasticsearch capture audit logs for Query DSL, EQL and SQL or Not?

Subrato1 · July 27, 2023, 8:07am

Does Elasticsearch capture audit logs for Query DSL, EQL and SQL or Not???

dadoonet · July 27, 2023, 8:59am

No. The list of events which could be captured by the audit logs is here: Audit events | Elasticsearch Guide [8.9] | Elastic

But you can use slow logs for this: Slow Log | Elasticsearch Guide [8.9] | Elastic. I think that using 0 as the threshold will log everything. But be careful as it will be very verbose.

Subrato1 · July 27, 2023, 9:21am

I executed the POST query from REST API, and I am getting this Log (For WINDOWS) using Latest Version or Elasticsearch:

{"type":"audit", "timestamp":"2023-07-27T12:25:06,662+0530", "cluster.uuid":"PdxPNKJfRUOh-nJVi4R9jw", "node.name":"node-1", "node.id":"8vfClNdqTQKpxsWQ9jZFsQ", "host.name":"192.168.1.5", "host.ip":"192.168.1.5", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:64848", "realm":"reserved", "url.path":"/ashish_hcl/_doc/1", "request.method":"POST", "request.body":" {\r\n "firstname": "Subhash",\r\n "lastname": "Chandra"\r\n}", "request.id":"qGhK_WaNTiyI_GwR1N8xQQ"}

But when I am using Elasticsearch 7.15.2 version in Red Hat Linux then I am not able to Get the audit logs.

dadoonet · July 27, 2023, 9:33am

How did you change the log level on the RedHat machine?

Subrato1 · July 27, 2023, 9:36am

I did not change the log level by default it's INFO there. Configuration for both Windows and Red Hat machine is same only Difference is in Windows I am using latest version of Elasticsearch and in Red Hat I am using 7.15.2 version.

dadoonet · July 27, 2023, 9:48am

I don't know.
I'd in any case upgrade the RedHat machine to benefit from all the security patches at least.

Did you activate the trial on the RedHat cluster?
What are your elasticsearch.yml settings in the RedHat cluster?

And anyway, this is not related to the original question, right?

Does Elasticsearch capture audit logs for Query DSL, EQL and SQL or Not???

The trace you shown:

{"type":"audit", "timestamp":"2023-07-27T12:25:06,662+0530", "cluster.uuid":"PdxPNKJfRUOh-nJVi4R9jw", "node.name":"node-1", "node.id":"8vfClNdqTQKpxsWQ9jZFsQ", "host.name":"192.168.1.5", "host.ip":"192.168.1.5", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:64848", "realm":"reserved", "url.path":"/ashish_hcl/_doc/1", "request.method":"POST", "request.body":" {\r\n "firstname": "Subhash",\r\n "lastname": "Chandra"\r\n}", "request.id":"qGhK_WaNTiyI_GwR1N8xQQ"}

Is an authentication one: "event.action":"authentication_success". So not sure how this is all related and what you are trying to do.

Subrato1 · July 27, 2023, 10:05am

Yes, I activated the Trail License already.

Actually, I am executing queries DSL, EQL and SQL and I want audit logs for the queries which I perform.

Suppose I am using POST to create something in cluster:

POST demo/_doc/2
{
"title":"Project2"
}

And I am able to see the audit logs for this.

After this, I am executing this query:
GET demo/_search

But did not get audit log for above query.

My question is that Should we get SQL, EQL and Query DSL queries also or not?

dadoonet · July 27, 2023, 10:08am

Could you share the audit logs you got for this call?

dadoonet · July 27, 2023, 10:25am

@ashishshukla wrote:

Please find the below event log

{"type":"audit", "timestamp":"2023-07-27T15:40:31,728+0530", "cluster.uuid":"PdxPNKJfRUOh-nJVi4R9jw", "node.name":"node-1", "node.id":"8vfClNdqTQKpxsWQ9jZFsQ", "host.name":"192.168.251.17", "host.ip":"192.168.251.17", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"[::1]:52490", "realm":"reserved", "url.path":"/shukla_test/_doc/2", "request.method":"POST", "request.body":" {\r\n "firstname": "Krishna",\r\n "lastname": "kumar"\r\n}", "request.id":"qaaUAg8sQKedKKrkcia4Xw"}

About this request:

POST /shukla_test/_doc/2
{
  "firstname": "Krishna",
  "lastname": "kumar"
}

dadoonet · July 27, 2023, 10:26am

Note for @ashishshukla and @Subrato1

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reasons.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.

dadoonet · July 27, 2023, 10:27am

As you can see in the logs, the event logged is a authentication_success. It's not a trace of the execution of the _search.

Subrato1 · July 27, 2023, 10:40am

Thanks For your Suggestion, I am able to understand.

Can you please tell me how to execute the SQL and EQL queries for Elasticsearch??

dadoonet · July 27, 2023, 12:43pm

Please open a new discussion as this one is solved I believe.

system · August 24, 2023, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.