Logging all queries to the cluster

Hello everyone,

In our organization we have a major use case of identifying who is querying the cluster, and how.
This is because we often have problems with clusters that often turn out to result from a user sending a really heavy query to the cluster, hurting the performance of the cluster.

Are there recommended methods of logging all queries to the cluster, including the IP that they were issued from?

Thank you

I'm not sure we have a recommended path, but you could use Packetbeat to do it.

Hey warkolm, thank you for the reply.

Apart from using PacketBeat and FileBeat, is there some product in XPack which does this? In particular, does Security log somewhere all queries issued to the cluster? Or is the Audit logging feature just for logging authentication attempts without the actual queries issued?

hi @AvivCohn, as an option you can try using some proxy in front of Elasticsearch and implement logging of input queries there
p.s. I haven't tried myself
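As an added example of the proxy approach suggested above (this is not code from the thread, from Elastic or from any of the posters), here is a small audit-logging reverse proxy in Python. It assumes Elasticsearch listens on 127.0.0.1:9200 and that the proxy itself listens on port 9201 (both assumed values); every request is written to a JSON-lines file with the client IP, method, path, a hash and verbatim copy of the request body, the upstream status code and the round-trip time, plus a list of query-DSL keys that commonly make a request expensive (a constructed heuristic, not an Elasticsearch feature):

```python
"""Audit-logging reverse proxy in front of Elasticsearch (constructed example).

Every request is forwarded to UPSTREAM and one JSON line describing it is
appended to AUDIT_LOG, so heavy queries can be traced back to their source IP.
"""
import hashlib
import json
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

UPSTREAM = "http://127.0.0.1:9200"   # assumed Elasticsearch address
LISTEN = ("0.0.0.0", 9201)           # assumed proxy listen address
AUDIT_LOG = "es-query-audit.log"     # assumed output file

# Constructed list of query-DSL keys that tend to be expensive; tune to taste.
HEAVY_KEYS = {"script", "wildcard", "regexp", "fuzzy", "aggs", "aggregations",
              "more_like_this"}


def heavy_features(body):
    """Return the sorted set of HEAVY_KEYS found anywhere in a parsed query body."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in HEAVY_KEYS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(body)
    return sorted(found)


def audit_record(client_ip, method, path, raw_body, status=None, duration_ms=None, ts=None):
    """Build one audit dict for a request; the body is kept verbatim so it can be replayed."""
    raw_body = raw_body or b""
    text = raw_body.decode("utf-8", errors="replace")
    try:
        parsed = json.loads(text) if text else None
    except json.JSONDecodeError:
        parsed = None   # bulk/ndjson or malformed bodies are still logged verbatim
    return {
        "ts": ts or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "client_ip": client_ip,
        "method": method,
        "path": path,
        "body_sha256": hashlib.sha256(raw_body).hexdigest(),
        "body_bytes": len(raw_body),
        "heavy_features": heavy_features(parsed) if parsed is not None else [],
        "body": text,
        "status": status,
        "duration_ms": duration_ms,
    }


class AuditingProxy(BaseHTTPRequestHandler):
    """Forwards each request to UPSTREAM and appends an audit line afterwards."""

    def _proxy(self):
        length = int(self.headers.get("Content-Length") or 0)
        raw = self.rfile.read(length) if length else b""
        req = Request(UPSTREAM + self.path, data=raw or None, method=self.command)
        for name in ("Content-Type", "Authorization"):
            if name in self.headers:
                req.add_header(name, self.headers[name])
        start = time.monotonic()
        try:
            with urlopen(req, timeout=60) as resp:
                status, payload = resp.status, resp.read()
                ctype = resp.headers.get("Content-Type", "application/json")
        except HTTPError as err:       # pass Elasticsearch error responses through unchanged
            status, payload = err.code, err.read()
            ctype = err.headers.get("Content-Type", "application/json")
        duration = round((time.monotonic() - start) * 1000, 1)
        record = audit_record(self.client_address[0], self.command, self.path, raw, status, duration)
        with open(AUDIT_LOG, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _proxy


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, AuditingProxy).serve_forever()
```

Point clients at port 9201 instead of 9200 and the audit file can be tailed (or shipped with Filebeat) to find which IP sent a slow or expensive query. Because Elasticsearch now only sees the proxy's address, the proxy is the one place where the originating IP is known, so keep it the only route to the cluster; the `duration_ms` field also lets you sort the log by the slowest requests without needing the slow log on every index.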

X-Pack can do selective logging, yes. At this stage though it's a little more high level.
