How to log users trying to perform actions they aren't allowed to perform

I have configured a 7.3.2 single node cluster with RBAC, the user testuser only has permissions to read indices. If testuser tries to perform an action via an API call to check the cluster health it returns a 403 but I cannot find this event happening in any of the logs (example of what I am doing below). Is there anything else I need to configure in Elasticsearch to log these kinds of events?

I have the below two lines in the elasticsearch.yml file

xpack.security.enabled: true
xpack.security.audit.enabled: true

I also applied these settings via dev tools

PUT /_cluster/settings
{
  "persistent": {
    "xpack.security.audit.logfile.events.include": [
      "run_as_granted",
      "anonymous_access_denied",
      "access_denied",
      "authentication_failed",
      "connection_denied",
      "tampered_request",
      "run_as_denied"
    ]
  }
}

API call that is returning a 403

curl -s -XGET -u testuser:Password "http://192.168.0.63:9200/_cluster/health" |jq .
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "action [cluster:monitor/health] is unauthorized for user [testuser]"
      }
    ],
    "type": "security_exception",
    "reason": "action [cluster:monitor/health] is unauthorized for user [testuser]"
  },
  "status": 403
}

We are only running the basic license so we don't have audit logging

This is exactly what audit logging is for so I am not aware of any workaround apart from possibly intercepting the traffic through a reverse proxy if you are using HTTP(S).
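As an added example (not code from this thread), assuming the license does include audit logging, this is how the event types configured in the question appear in the 7.x JSON logfile audit output and how a small script can pull the denied actions per user out of it. The field names mirror the 7.x `<cluster>_audit.json` format; the sample lines are constructed and the exact field set per event type is an assumption.

```python
import json
from collections import Counter

# Event types the question's cluster setting asks the audit log to include.
WATCHED_EVENTS = {
    "anonymous_access_denied", "access_denied", "authentication_failed",
    "connection_denied", "tampered_request", "run_as_denied", "run_as_granted",
}

# Constructed sample lines in the shape of the 7.x JSON logfile audit output
# (<cluster>_audit.json); real field sets vary by event type.
SAMPLE_AUDIT_LOG = r"""
{"type":"audit","timestamp":"2020-01-01T10:00:00,000+0000","node.id":"n1","event.type":"transport","event.action":"access_denied","user.name":"testuser","user.realm":"native","user.roles":["reader"],"origin.type":"rest","origin.address":"192.168.0.10:51234","action":"cluster:monitor/health","request.name":"ClusterHealthRequest","request.id":"r1"}
{"type":"audit","timestamp":"2020-01-01T10:00:01,000+0000","node.id":"n1","event.type":"transport","event.action":"access_granted","user.name":"testuser","user.realm":"native","user.roles":["reader"],"origin.type":"rest","origin.address":"192.168.0.10:51235","action":"indices:data/read/search","request.name":"SearchRequest","request.id":"r2"}
{"type":"audit","timestamp":"2020-01-01T10:00:02,000+0000","node.id":"n1","event.type":"rest","event.action":"authentication_failed","user.name":"testuser","origin.type":"rest","origin.address":"192.168.0.10:51236","url.path":"/_cluster/health","request.method":"GET","request.id":"r3"}
not json at all
{"type":"audit","timestamp":"2020-01-01T10:00:03,000+0000","node.id":"n1","event.type":"transport","event.action":"access_denied","user.name":"testuser","user.realm":"native","user.roles":["reader"],"origin.type":"rest","origin.address":"192.168.0.10:51237","action":"cluster:monitor/health","request.name":"ClusterHealthRequest","request.id":"r4"}
"""


def parse_audit_lines(lines):
    """Yield audit events (as dicts) from raw log lines, skipping non-JSON noise."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("type") == "audit":
            yield event


def summarize_denials(lines, watched=WATCHED_EVENTS):
    """Count watched events per (user.name, event.action, target), so a repeated 403 stands out."""
    counts = Counter()
    for event in parse_audit_lines(lines):
        kind = event.get("event.action")
        if kind not in watched:
            continue
        # transport events carry the internal action name, REST events the URL path
        target = event.get("action") or event.get("url.path", "?")
        counts[(event.get("user.name", "?"), kind, target)] += 1
    return counts


if __name__ == "__main__":
    for (user, kind, target), n in sorted(summarize_denials(SAMPLE_AUDIT_LOG.splitlines()).items()):
        print(f"{user:10} {kind:22} {target:30} x{n}")
```

On a real node, point the script at the audit file instead of the constructed sample; the `access_granted` line is kept in the sample to show that only the configured event types are counted.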
