Issues with Audit Log

Hi,

I was reading about some problems with auditing already in spring and was hoping that it would be fixed by now, but no cigar.

Because we are running Elastic stack as a log management / SIEM system, it is extremely important to secure it properly.
In order to keep an eye on the cluster, I need to be able to get proper audit logs (who is accessing, when, from where and what was requested etc.)

I am able to enable the audit log, log it into a file and transport the audit index to a remote cluster over SSL.
But there are two issues I would like someone to address:

  1. xpack.security.audit.logfile.events.emit_request_body option is really not working, right?
    I cannot see the request made, only what type of request it was, and that is really not helping.

  2. The audit log is flooded by cluster maintenance messages and such. Is there a guide on how to keep these messages from ever getting into the audit log, or what would you guys suggest?

These issues have been presented at least in this blog, which is in Google’s top results: http://www.idata.co.il/2017/03/securing-elasticsearch-cluster-part-3-auditing/

My cluster is running Elastic stack 5.6.4.

PS. Enabling SSL secured remote audit indexing was a bit confusing. More documentation about it would be nice. At first I didn't understand that I have to explicitly enable SSL also for the indexing client setting.

Thank you.

No comments, really?

I am going to bump this as long as needed in order to get an official response. I paid for a platinum license and expect things to work as documented, or at least get support if not.

If you have a license then you should use the Support Portal to talk to your Support Engineer.

I have a license but I didn't opt in for a dedicated support engineer and was told to use the forum.

You know, I would understand that I have to pay extra for new features or get SLA support or something to add value to the product, but if things don't work as they should according to documentation, then I don't really understand the radio silence on your part. Especially as this is not a new thing, I'm sure you are aware of this by now.

Sorry if I am being too direct, but this feature was the main selling point when I decided to purchase the X-Pack.

Could you DM me and @warkolm your actual name and email address please? I'd like to check what kind of license/support contract you have.

I wonder if you are using Elastic Cloud?

Thank you for your reply.
I am not using Elastic Cloud and I will DM you my information.

Another thing regarding this, how is the delete action for an index logged?
I just deleted one index, but I do not see any record of it in the audit log. Neither in the index nor in the log file.

Thanks
