The Elasticsearch audit logs have multiple log records (lines) for a single request.
Some of them have no index names, because they do not act on a specific index (or set of indices), other entries will specify exactly which indices were affected.
This Bulk request:
PUT /_bulk
{ "index": { "_id": 1 , "_index": "index-1" } }
{ "name": "doc 1-1" }
{ "index": { "_id": 2 , "_index": "index-2" }}
{ "name": "doc 2-2" }
will generate this audit log:
{"type":"audit", "timestamp":"2021-06-07T16:11:21,917+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}
{"type":"audit", "timestamp":"2021-06-07T16:11:21,917+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":["index-1"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:21,918+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":["index-2"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,263+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":["index-2"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,264+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/index:op_type/index", "request.name":"BulkItemRequest", "indices":["index-2"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,264+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":["index-2"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,265+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":["index-1"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,266+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/index:op_type/index", "request.name":"BulkItemRequest", "indices":["index-1"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,266+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":["index-1"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,267+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest"}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,268+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest"}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,359+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest"}
The bulk request itself doesn't have an index name because a bulk request doesn't target a single index, and isn't authorized based on index names (see below):
{
"type": "audit",
"timestamp": "2021-06-07T16:11:21,917+1000",
"node.id": "i1xZMYXlQgymz97Hgd8Omw",
"event.type": "transport",
"event.action": "access_granted",
"authentication.type": "REALM",
"user.name": "test",
"user.realm": "default_native",
"user.roles": [
"test"
],
"origin.type": "rest",
"origin.address": "[::1]:52142",
"request.id": "0_FVjLVMSxafjJccNfkO6A",
"action": "indices:data/write/bulk",
"request.name": "BulkRequest"
}
However the entries that actually write documents into the index have names, for example:
{
"type": "audit",
"timestamp": "2021-06-07T16:11:22,264+1000",
"node.id": "i1xZMYXlQgymz97Hgd8Omw",
"event.type": "transport",
"event.action": "access_granted",
"authentication.type": "REALM",
"user.name": "test",
"user.realm": "default_native",
"user.roles": [
"test"
],
"origin.type": "rest",
"origin.address": "[::1]:52142",
"request.id": "0_FVjLVMSxafjJccNfkO6A",
"action": "indices:data/write/index:op_type/index",
"request.name": "BulkItemRequest",
"indices": [
"index-2"
]
}
In Elasticsearch a bulk request is validated based on the individual items. You can send a bulk request that writes to 1 index successfully and then fails on another index (e.g. because it doesn't exist). Or it can write 1 document to an index, but then fail on the 2nd document (e.g. because it already exists).
The same is true for security. It is possible to get an access_granted event for a bulk request that has items that write to 2 different indices, one of which you have access to, and the other you don't. Those items will succeed or fail individually.
So, it would be misleading to list the index names in the access_granted event for that request. We didn't actually grant access to those indices, we just authorized this user to attempt to perform a bulk request - we might still record an access_denied for the individual items.
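To put the behaviour described in this reply to use on an audit feed, here is an added example (my own code, not Elastic's) that groups audit records by request.id, reports which indices the item-level records of each bulk request actually touched, and flags requests where some items were granted and others denied. The sample lines are constructed, abbreviated copies of the records above plus a constructed access_denied item; the request ids are placeholders.

```python
import json

# Constructed sample, modelled on the audit records above: one bulk request
# (request.id REQ-A) that fans out into per-index item records, including a
# constructed access_denied item, plus an unrelated search request (REQ-B).
SAMPLE_AUDIT_LINES = """\
{"type":"audit","timestamp":"2021-06-07T16:11:21,917+1000","event.action":"access_granted","user.name":"test","request.id":"REQ-A","action":"indices:data/write/bulk","request.name":"BulkRequest"}
{"type":"audit","timestamp":"2021-06-07T16:11:22,264+1000","event.action":"access_granted","user.name":"test","request.id":"REQ-A","action":"indices:data/write/index:op_type/index","request.name":"BulkItemRequest","indices":["index-2"]}
{"type":"audit","timestamp":"2021-06-07T16:11:22,266+1000","event.action":"access_denied","user.name":"test","request.id":"REQ-A","action":"indices:data/write/index:op_type/index","request.name":"BulkItemRequest","indices":["index-1"]}
{"type":"audit","timestamp":"2021-06-07T16:11:22,267+1000","event.action":"access_granted","user.name":"test","request.id":"REQ-A","action":"indices:admin/mapping/auto_put","request.name":"PutMappingRequest"}
{"type":"audit","timestamp":"2021-06-07T16:11:30,000+1000","event.action":"access_granted","user.name":"other","request.id":"REQ-B","action":"indices:data/read/search","request.name":"SearchRequest","indices":["index-1"]}
"""

def summarize_requests(lines):
    """Group audit records by request.id: user, all actions seen, and the
    indices named by item-level records, split by granted vs denied."""
    summary = {}
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("type") != "audit":
            continue
        rid = rec["request.id"]
        entry = summary.setdefault(rid, {
            "user": rec.get("user.name"),
            "actions": set(),
            "granted_indices": set(),
            "denied_indices": set(),
        })
        entry["actions"].add(rec["action"])
        # Only item-level records carry index names; the bulk envelope
        # record (indices:data/write/bulk) has none, as explained above.
        for idx in rec.get("indices", []):
            if rec.get("event.action") == "access_denied":
                entry["denied_indices"].add(idx)
            else:
                entry["granted_indices"].add(idx)
    return summary

def partially_denied_requests(summary):
    """request.ids where some items were granted and others denied."""
    return sorted(rid for rid, e in summary.items()
                  if e["granted_indices"] and e["denied_indices"])

if __name__ == "__main__":
    s = summarize_requests(SAMPLE_AUDIT_LINES)
    for rid, e in s.items():
        print(rid, e["user"], sorted(e["granted_indices"]), sorted(e["denied_indices"]))
    print("partially denied:", partially_denied_requests(s))
```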