Print User Information within Query Log Statements (Log4j2)

(Benjamin Hadinger) #1

I am wondering if there is a way to log what user ran a query statement to elasticsearch. Right now I have it set up such that slowlog prints everything, just so I see what is happening, but I do not necessarily know who is querying elasticsearch.

I am slowly learning more about elasticsearch, and I am using it for a personal project just to learn more about it. I do not have x-pack, but still want to figure out more about the logging process. I did not see an elasticsearch parameter to add user information to the log statements.

I have v. 6.4.3, and have been reading more into how log4j2 is being used with the logging process, and saw that log4j2 had a ThreadContext class that one can put string keys and values into and use them in things like the .properties file.

In the patternLayout (int, if I add either: $${ctx:login} or %X{login}, it will retrieve the current value set to the String "login" as put there by the ThreadContext. But I don't necessarily know whether or not this works with Elasticsearch. Say I put a key-value pair into the log4j2 ThreadContext in my personal project code (that eventually queries elasticsearch), and have the $${ctx:} or similar in the for elasticsearch, will the value I put be read correctly?

ex: (in my personal code)
ThreadContext.put("method","getCount"); //log4j2 ThreadContext
[execute elasticsearch query]

Will the $${ctx:method} value that is printed in the elasticsearch log (because of the change to the patternLayout in be "getCount"? Even though it is not in elasticsearch directly?
If not, I also see that Elasticsearch has a ThreadContext class that one can add "Headers" to. If my prior example doesn't work, is it possible for the user of elasticsearch to add to this ThreadContext?
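The scoping question behind this post (does a value put into the log4j2 ThreadContext from client code show up in another process's logs?) can be checked directly. The program below is an added example, not code from the original post or from Elasticsearch; it only assumes `log4j-api` 2.x is on the classpath and uses the real `ThreadContext.put`/`get`/`remove` calls. It shows that the map is thread-local to the JVM that set it: a `%X{method}` or `$${ctx:method}` lookup only resolves in the same thread of the same process, and a separate server process such as Elasticsearch has its own, independent ThreadContext.

```java
import org.apache.logging.log4j.ThreadContext;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Supplier;

/**
 * Added example (not from the original thread). Demonstrates the scope of the
 * log4j2 ThreadContext map: values are visible to layouts (%X{key}, $${ctx:key})
 * only on the thread and in the JVM that set them.
 */
public class ThreadContextScopeDemo {

    /**
     * Runs a unit of work with a context key set, and always removes the key
     * afterwards so one request's label never leaks into the next one handled
     * by the same (pooled) thread.
     */
    static <T> T withContext(String key, String value, Supplier<T> work) {
        ThreadContext.put(key, value);
        try {
            return work.get();
        } finally {
            ThreadContext.remove(key);
        }
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            String[] seen = withContext("method", "getCount", () -> {
                // Same thread: a PatternLayout with %X{method} would render this value.
                String here = ThreadContext.get("method");

                // Another thread in the same JVM: the map is NOT inherited by default
                // (it is only inherited when -Dlog4j2.isThreadContextMapInheritable=true).
                String there;
                try {
                    there = pool.submit(() -> ThreadContext.get("method")).get();
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
                return new String[] {here, there};
            });

            System.out.println("same thread sees : " + seen[0]);
            System.out.println("other thread sees: " + seen[1]);
            // After withContext() returns, the key has been removed from this thread too.
            System.out.println("after clear      : " + ThreadContext.get("method"));
        } finally {
            pool.shutdown();
        }
    }
}
```

Run it with `log4j-api` on the classpath: the first lookup returns the value that was put, while the lookup from the pool thread and the lookup after the work finishes both return `null`. Since a single extra thread inside one JVM already cannot see the key, a different process (the Elasticsearch node writing its slowlog) cannot either; the ThreadContext in the client and the ThreadContext in the server are unrelated maps. The `finally` cleanup matters on the client side as well: with pooled threads, a stale "user" or "method" label left behind would be attributed to whatever request that thread handles next, which makes audit-style logs misleading.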

(Mark Walkom) #2

If you don't have Security enabled then there's no way for Elasticsearch to capture user information, because it doesn't need to send auth details.
