Getting incomplete request body in Elasticsearch audit log

ashishshukla · January 8, 2024, 6:39am

I have executed few security APIs , for those I am getting incomplete request body in Elasticsearch Audit log. Below are the example:

Query 1:

POST /_security/oauth2/token
{
"grant_type": "refresh_token",
"refresh_token": "vLBPvmAB6KvwvJZr27cS"
}

Audit Log:
{"type":"audit", "timestamp":"2023-12-29T10:48:51,458+0530", "cluster.uuid":"N4A0f0IaSEmDKajj14TcPw", "node.name":"node-1", "Home | NODE.ID ":"IiljWrd3Tv2IghTMopvNaA", "host.name":"DESKTOP-S1VTHGS", "host.ip":"9.43.27.251", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"192.168.29.126:51704", "realm":"reserved", "url.path":"/_security/oauth2/token", "request.method":"POST", "request.body":"{"grant_type":"refresh_token"}", "request.id":"OjNA0oFQQUyxnNm7RAJsjA"}

Concern-
( Here we can see in above audit log "refresh_token": "vLBPvmAB6KvwvJZr27cS" this value is not getting in request body )

Query 2:

POST /_security/oauth2/token
{
"grant_type" : "password",
"username" : "test_admin",
"password" : "x-pack-test-password"
}

Audit Log:
{"type":"audit", "timestamp":"2023-12-29T10:48:27,620+0530", "cluster.uuid":"N4A0f0IaSEmDKajj14TcPw", "node.name":"node-1", "Home | NODE.ID ":"IiljWrd3Tv2IghTMopvNaA", "host.name":"DESKTOP-S1VTHGS", "host.ip":"9.43.27.251", "event.type":"rest", "event.action":"authentication_success", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "origin.type":"rest", "origin.address":"192.168.29.126:51704", "realm":"reserved", "url.path":"/_security/oauth2/token", "request.method":"POST", "request.body":"{"grant_type":"password","username":"test_admin"}", "request.id":"wSTPJrfVQzGP_oBIxuXOcA"}

Concern-
( Here we can see in above audit log "password" : "x-pack-test-password" this value is not getting in request body )

Please suggest for the above concerns is there anyone we can see complete request body(including confidential data like "password" and "token" etc..) in audit log for above security APIs

DavidTurner · January 8, 2024, 8:10am

It is by design that sensitive data is not recorded in the audit log. There shouldn't be a good reason to log these things.

ashishshukla · January 8, 2024, 8:41am

thanks for update

system · February 5, 2024, 8:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Audit logging - Is it possible to include request_body to event type access_granted? Elasticsearch elastic-stack-security	2	814	July 6, 2017
Issues with Audit Log Elasticsearch	8	1233	January 4, 2018
Nothing in the error logs for RBAC Elasticsearch	5	403	March 11, 2020
Elasticsearch 8.9.2 and 7.17.13 Security Update Security Announcements	0	12014	September 6, 2023
Heartbeat url monitor Beats heartbeat	2	336	December 14, 2020

Getting incomplete request body in Elasticsearch audit log

Related topics