In elasticsearch audit, for data/write/bulk event, what is the target index?

I'm trying to debug a winlogbeat ingest, I'm seeing data/write/bulk events for the host and user in the audit logs, but it doesn't show the target index name. That seems like a useful audit item.

I'm trying to get winlogbeat to setup the new style index template, create a template and start writing a new index. So far, I can't find any of these things in the stack, just audit events.

Thanks

The Elasticsearch audit logs have multiple log records (lines) for a single request.
Some of them have no index names, because they do not act on a specific index (or set of indices), other entries will specify exactly which indices were affected.

This Bulk request:

PUT /_bulk
{ "index": { "_id": 1 , "_index": "index-1" } }
{ "name": "doc 1-1" }
{ "index": { "_id": 2 , "_index": "index-2" }}
{ "name": "doc 2-2" }

Will generate this audit log

{"type":"audit", "timestamp":"2021-06-07T16:11:21,917+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk", "request.name":"BulkRequest"}
{"type":"audit", "timestamp":"2021-06-07T16:11:21,917+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":["index-1"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:21,918+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/auto_create", "request.name":"CreateIndexRequest", "indices":["index-2"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,263+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":["index-2"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,264+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/index:op_type/index", "request.name":"BulkItemRequest", "indices":["index-2"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,264+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":["index-2"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,265+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk[s]", "request.name":"BulkShardRequest", "indices":["index-1"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,266+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/index:op_type/index", "request.name":"BulkItemRequest", "indices":["index-1"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,266+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:data/write/bulk[s][p]", "request.name":"BulkShardRequest", "indices":["index-1"]}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,267+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest"}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,268+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest"}
{"type":"audit", "timestamp":"2021-06-07T16:11:22,359+1000", "node.id":"i1xZMYXlQgymz97Hgd8Omw", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"test", "user.realm":"default_native", "user.roles":["test"], "origin.type":"rest", "origin.address":"[::1]:52142", "request.id":"0_FVjLVMSxafjJccNfkO6A", "action":"indices:admin/mapping/auto_put", "request.name":"PutMappingRequest"}

The bulk request itself doesn't have an index name because a bulk request doesn't target a single index, and isn't authorized based on index names (see below).

{
  "type": "audit",
  "timestamp": "2021-06-07T16:11:21,917+1000",
  "node.id": "i1xZMYXlQgymz97Hgd8Omw",
  "event.type": "transport",
  "event.action": "access_granted",
  "authentication.type": "REALM",
  "user.name": "test",
  "user.realm": "default_native",
  "user.roles": [
    "test"
  ],
  "origin.type": "rest",
  "origin.address": "[::1]:52142",
  "request.id": "0_FVjLVMSxafjJccNfkO6A",
  "action": "indices:data/write/bulk",
  "request.name": "BulkRequest"
}

However the entries that actually write documents into the index have names, for example:

{
  "type": "audit",
  "timestamp": "2021-06-07T16:11:22,264+1000",
  "node.id": "i1xZMYXlQgymz97Hgd8Omw",
  "event.type": "transport",
  "event.action": "access_granted",
  "authentication.type": "REALM",
  "user.name": "test",
  "user.realm": "default_native",
  "user.roles": [
    "test"
  ],
  "origin.type": "rest",
  "origin.address": "[::1]:52142",
  "request.id": "0_FVjLVMSxafjJccNfkO6A",
  "action": "indices:data/write/index:op_type/index",
  "request.name": "BulkItemRequest",
  "indices": [
    "index-2"
  ]
}

In Elasticsearch a bulk request is validated based on the individual items. You can send a bulk request that writes to 1 index successfully and then fails on another index (e.g. because it doesn't exist). Or it can write 1 document to an index, but then fail on the 2nd document (e.g. because it already exists).

The same is true for security. It is possible to get an access_granted event for a bulk request that has items that write to 2 different indices, one of which you have access to, and the other you don't.
Those items will succeed or fail individually.

So, it would be misleading to list the index names in the access_granted event for that request. We didn't actually grant access to those indices, we just authorized this user to attempt to perform a bulk request - we might still record an access_denied for the individual items.
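As an added example (not code from the original thread or from Elasticsearch itself), a small Python script that does the correlation the answer describes: it groups audit lines by request.id, finds the parent indices:data/write/bulk event, and reads the target indices off the item-level events, separating those that were granted from those that were denied. The sample lines are a trimmed copy of the audit records above plus one constructed access_denied item event; the request ids "req-A" and "req-B" are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample: trimmed versions of the audit lines shown above (request "req-A"),
# plus a constructed second bulk request ("req-B") where one item is denied, which the
# answer says can happen but does not show verbatim. Field names match the real records.
SAMPLE_AUDIT_LOG = """
{"type":"audit","event.action":"access_granted","user.name":"test","request.id":"req-A","action":"indices:data/write/bulk","request.name":"BulkRequest"}
{"type":"audit","event.action":"access_granted","user.name":"test","request.id":"req-A","action":"indices:admin/auto_create","request.name":"CreateIndexRequest","indices":["index-1"]}
{"type":"audit","event.action":"access_granted","user.name":"test","request.id":"req-A","action":"indices:data/write/bulk[s]","request.name":"BulkShardRequest","indices":["index-2"]}
{"type":"audit","event.action":"access_granted","user.name":"test","request.id":"req-A","action":"indices:data/write/index:op_type/index","request.name":"BulkItemRequest","indices":["index-2"]}
{"type":"audit","event.action":"access_granted","user.name":"test","request.id":"req-A","action":"indices:data/write/index:op_type/index","request.name":"BulkItemRequest","indices":["index-1"]}
{"type":"audit","event.action":"access_granted","user.name":"test","request.id":"req-B","action":"indices:data/write/bulk","request.name":"BulkRequest"}
{"type":"audit","event.action":"access_granted","user.name":"test","request.id":"req-B","action":"indices:data/write/index:op_type/index","request.name":"BulkItemRequest","indices":["index-1"]}
{"type":"audit","event.action":"access_denied","user.name":"test","request.id":"req-B","action":"indices:data/write/index:op_type/index","request.name":"BulkItemRequest","indices":["restricted-index"]}
"""

# The per-document (item) action from the audit records above; these carry "indices".
ITEM_ACTION = "indices:data/write/index:op_type/index"

def summarize_bulk_requests(log_text):
    """Map each bulk request.id to the indices its items were granted/denied on."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("type") == "audit":
            groups[event["request.id"]].append(event)
    summary = {}
    for request_id, events in groups.items():
        # The parent BulkRequest event has no "indices"; it only tells us this is a bulk.
        if not any(e["action"] == "indices:data/write/bulk" for e in events):
            continue
        granted, denied = set(), set()
        for e in events:
            if e["action"] != ITEM_ACTION:
                continue
            target = denied if e["event.action"] == "access_denied" else granted
            target.update(e.get("indices", []))
        summary[request_id] = {"user": events[0]["user.name"],
                               "granted": sorted(granted), "denied": sorted(denied)}
    return summary

if __name__ == "__main__":
    for rid, s in summarize_bulk_requests(SAMPLE_AUDIT_LOG).items():
        print(rid, s)
```

A denied item on an otherwise access_granted bulk request shows up only at this item level, so alerting on the parent event alone would miss it.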
