Is there a way to monitor changes to roles and username / passwords for builtin or created users

Our Security team is looking for a way for them to use Carbon Black to monitor changes to users (add/ delete) , password changes for these adhoc users or built in users. we were looking for a file on disk. The only info I found on line is to create or change passwords not where they are stored so they can be monitored. I understand there is a secure index called .security ( in the database) but is this kept in a file? We cannot seem to find that file. with the other indicies.

The proper method would to be use audit logging.

Where Elasticsearch actually persists the security data is opaque to users... So that is not a good approach.

Data is stored in indices, which is stored in shards which are then made up of segments. Segments can change for a number of reasons...not related to data be written... So even if you knew the segment again that would not be a reliable approach..

we are already trapping the audit logs on the hosts to ELK stack. are you talking about that or something else.

Edited for clarity

Yes elasticsearch audit logs... There are some settings to make sure your auditing the events you want. But yeah elasticsearch audit logs that's the correct way

If I'm not wrong Stephen is mentioning the Audit Logs of Elasticsearch, which needs to be enabled and also needs a Paid License.

Those logs will have information about changed to built-in users for example.

1 Like

One more quick question – would that be on the master node and what would I be looking for in the Audit logs, what type strings?

~WRD000.jpg

Per the docs... Every node

When audit logging is enabled, security events are persisted to a dedicated _audit.json file on the host’s file system, on every cluster node. For more information, see Logfile audit output.

The events actually are categorized as event.actions ... The enumeration is here

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.