Logging all queries to the cluster

AvivCohn · October 24, 2018, 1:59pm

Hello everyone,

In our organization we have a major use case of identifying who is querying the cluster, and how.
This is because we often have problems with clusters that often turn out to result from a user sending a really heavy query to the cluster, hurting the performance of the cluster.

Are there recommended methods of logging all queries to the cluster, including the IP that they were issued from?

Thank you

warkolm · October 25, 2018, 3:33am

I'm not sure we have a recommended path, but you could use Packetbeat to do it.

AvivCohn · October 27, 2018, 5:56pm

Hey warkolm, thank you for the reply.

Apart from using PacketBeat and FileBeat, is there some product in XPack which does this? In particular, does Security log somewhere all queries issued to the cluster? Or is the Audit logging feature just for logging authentocation attempts without the actual queries issued?

nugusbayevkk · October 27, 2018, 9:24pm

hi @AvivCohn , as an option you can try use some proxy before elasticsearch and there implement logging of input queries
p.s. I haven't tried myself

warkolm · October 28, 2018, 7:57am

X-Pack can do selective logging, yes. At this stage though it's a little more high level.

system · November 25, 2018, 8:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logging for each query requested in elasticsearch cluster Elasticsearch	2	396	June 2, 2017
Monitoring query sent to Elasticsearch Elasticsearch	5	400	December 5, 2019
Elasticsearch Query Monitoring Elasticsearch	4	354	May 9, 2019
Logging Queries in Elasticsearch 7.x Elasticsearch elastic-stack-monitoring , elastic-stack-security	2	548	November 8, 2020
Elasticsearch monitor Esearch query sent to Elasticsearch cluster Elasticsearch	1	403	December 25, 2017

Logging all queries to the cluster

Related topics