How can I get the client IP of a search request in Elasticsearch?

Hi guys:
I found a slow search request, but I didn't know the search request's client IP. Can I get the client IP of a search request in Elasticsearch?

In Elasticsearch, by default, client IP addresses are not stored as part of the document data. Elasticsearch focuses on indexing and searching the content of documents rather than tracking client IP addresses for search requests. However, you can enable and configure the audit logging feature in Elasticsearch to capture information about incoming requests, including client IP addresses.

Here are the general steps to enable audit logging in Elasticsearch:

  1. Edit elasticsearch.yml: Open the elasticsearch.yml configuration file and add or modify the following settings:

         xpack.security.audit.enabled: true
         xpack.security.audit.outputs:
           - logfile

     Ensure that the xpack.security.enabled setting is also set to true if it's not already.
  2. Restart Elasticsearch: After making changes to the configuration, restart Elasticsearch to apply the new settings.
  3. Check the Audit Log: The audit log will now contain information about incoming requests, including client IP addresses. You can find the audit log in the Elasticsearch data directory under the logs subdirectory.

Keep in mind that enabling audit logging may have performance implications, and the logs can grow in size, so it's essential to configure log rotation and retention policies.

It's important to note that the specific steps and settings might vary depending on the Elasticsearch version and whether you have a basic or commercial license. Additionally, if you are using a security plugin like X-Pack, you may need to adjust settings accordingly.
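
Added example, not part of the reply above and not Elastic's own code: once audit logging is on, a short script can pull the client IPs of REST search calls out of the audit log. It assumes the JSON-lines audit format of Elasticsearch 7.x with the fields `origin.address`, `origin.type`, `url.path`, `user.name` and `@timestamp`; the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample audit lines (not real logs). Field names follow the
# JSON audit log layout of Elasticsearch 7.x, assumed here; check your version.
SAMPLE_AUDIT_LOG = """\
{"type":"audit","@timestamp":"2024-01-10T09:15:02,101+0000","event.type":"rest","event.action":"authentication_success","user.name":"app_reader","origin.type":"rest","origin.address":"10.0.4.17:51344","url.path":"/orders/_search","request.method":"POST"}
{"type":"audit","@timestamp":"2024-01-10T09:15:03,412+0000","event.type":"rest","event.action":"authentication_success","user.name":"kibana_user","origin.type":"rest","origin.address":"[::1]:50543","url.path":"/_search","request.method":"GET"}
{"type":"audit","@timestamp":"2024-01-10T09:15:04,007+0000","event.type":"rest","event.action":"authentication_success","user.name":"monitor","origin.type":"rest","origin.address":"10.0.4.99:40210","url.path":"/_cluster/health","request.method":"GET"}
{"type":"audit","@timestamp":"2024-01-10T09:15:08,655+0000","event.type":"rest","event.action":"authentication_success","user.name":"app_reader","origin.type":"rest","origin.address":"10.0.4.17:51390","url.path":"/orders,invoices/_msearch","request.method":"POST"}
{"type":"audit","@timestamp":"2024-01-10T09:15:09
"""

SEARCH_ENDPOINTS = {"_search", "_msearch"}


def client_ip(origin_address):
    """Drop the port from 'ip:port' or '[ipv6]:port'."""
    if origin_address.startswith("["):
        return origin_address[1:origin_address.index("]")]
    return origin_address.rsplit(":", 1)[0]


def search_clients(lines):
    """Map client IP -> list of (timestamp, user, path) for REST search calls."""
    clients = defaultdict(list)
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. cut by log rotation
        if not isinstance(event, dict):
            continue
        origin = event.get("origin.address")
        path = event.get("url.path", "")
        if event.get("origin.type") != "rest" or not origin:
            continue  # transport-layer events carry no REST path
        if not SEARCH_ENDPOINTS.intersection(path.split("/")):
            continue
        clients[client_ip(origin)].append(
            (event.get("@timestamp"), event.get("user.name"), path))
    return dict(clients)


if __name__ == "__main__":
    for ip, calls in search_clients(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(ip, len(calls), calls[-1])
```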

Thank you nextgen, I will try it!

This is only possible if you have audit logging enabled. Do you have a paid license? Audit logging is a paid feature.
