Log kibana search activity

elk2 · May 19, 2020, 12:18pm

I would like to log all user searches .
Actually on kibana.stdout I see this logs:

[...]
{"_context":"elastic","user":{"usr":14,"com":1},"es_call":{"path":"/elasticsearch/test-net-*/_field_stats","request":["post","_field_stats","/test-net-*/_field_stats"],"indices":["test-net-*"]},"_remoteAddress":"192.168.0.65"}
{"type":"response","@timestamp":"2020-05-19T11:00:16+00:00","tags":[],"pid":8867,"method":"post","statusCode":200,"req":{"url":"/elasticsearch/test-net-*/_field_stats?level=indices","method":"post","headers":{"host":"192.168.0.82:9898","connection":"keep-alive","content-length":"178","accept":"application/json, text/plain, */*","kbn-version":"4.4.1","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36","content-type":"application/json;charset=UTF-8","origin":"https://192.168.0.82:9898","test-fetch-site":"same-origin","test-fetch-mode":"cors","test-fetch-dest":"empty","referer":"https://192.168.0.82:9898/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7","cookie":"ng-session=1587713673862; ng-bearer=Fe26.2**aab0b3a44a54f630c6aee928500f0a6ab3fe2b22205cc308cf92dd1239551582*Wi1kI2hwAbyRbYZBkB6Ymg*UewZ7C3yz8KLVy0iAd_WiNntk3hHzN8ljVjSpqeKXNQGSKifg0uH2yeZipFUT0Fu1S9Jp_v95fcahEJzeYIKiqvYeqGMHu3WO0P28T72BVy1gmouutM5OpT7If9vFk-VmW45I4OdQTDarB6gKPoF9w**0506dc8c53a4fa2abc5299a5fec3aa05649a17d9c0b9ebf56acce0482ee31f51*MwTraQuJEknQQfqfUT4KYEXFfq8WSqv2G7ofjzbv_Bc"},"remoteAddress":"192.168.0.65","userAgent":"192.168.0.65","referer":"https://192.168.0.82:9898/app/kibana"},"res":{"statusCode":200,"responseTime":34,"contentLength":9},"message":"POST /elasticsearch/test-net-*/_field_stats?level=indices 200 34ms - 9.0B"}
{"type":"log","@timestamp":"2020-05-19T11:00:17+00:00","tags":["audit","info"],"pid":8867,"message":"{\"_context\":\"elastic\",\"user\":{\"usr\":14,\"com\":1},\"es_call\":{\"path\":\"/elasticsearch/_msearch\",\"request\":[\"post\",\"_msearch\",\"/_msearch\"],\"indices\":[]},\"_remoteAddress\":\"192.168.0.65\"}"
[...]

I know user and remote ip address from log but I can't see the entire query search that I would like to have into kibana.stdout

willemdh · May 19, 2020, 7:39pm

@elk2 Afak, you need auditing to get the search request.. And 'standard' auditing isn't even enough. xpack.security.audit.logfile.events.emit_request_body need to be seto to true. Expect huuge amounts of audit logs... (also, you need gold or higher license I think). See https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html

system · June 16, 2020, 7:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.