Elasticsearch Version: 7.16.1
ECK version: 1.6.1
We use ELK to push audit logs from one of our applications and we'd like to know if there is a way to know if any HUMAN user manually updated any documents in that specific index. We push logs from an S3 bucket to a specific index using the logstash s3 plugin and no one should manually update/delete the index documents. These audit logs are super important and should not be updated manually by anyone. (FYI: technically any admin in our team has access to root credentials, so anyone can be a culprit.)
If that is not possible, maybe there is a way to log all queries that are either deleting or updating documents in that specific index? If yes, what would I be looking for in the ES audit logs?
- I looked at slow query logs and they are not very helpful as they don't show any usernames
- I don't have much knowledge on audit logs
Elasticsearch has strong RBAC... down to the index + document and field (for a commercial subscription), so that is all you need to do.
Index level RBAC is available with the Basic / Free Subscription.
So I just helped secure a large-scale production cluster... and some ways... Writers get to write... Analysts / everyone else get to read.
We created the publisher role / API for all automated ingesting... so your logstash should only use the logstash_writer role... you can create a user or an API key. Per Here
Then your users only get read privileges on the indices / documents... it can be as simple as that ... and very secure!
This RBAC is set at the cluster / index level... I am thinking I would start there.
The UI makes it pretty easy to define roles these days..
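The writer/reader split described in this reply, as an added example (not code from the thread or from Elastic): two role definitions in the shape the create-role API takes, plus a check that catches a role whose wildcard index pattern accidentally reaches the audit index with a mutating privilege. The index pattern `app-audit-*`, the role names `audit_writer` / `audit_reader`, and the assumption that templates and ILM are managed separately by an admin are placeholders. The writer gets `create_doc` rather than `write`, which only lets it create new documents; Logstash then has to send bulk `create` items (`action => "create"` in the elasticsearch output) instead of the default `index`.

```python
"""Roles for an append-only audit index (added example, not from the thread).

Assumptions (placeholders): the Logstash index pattern is 'app-audit-*', the roles are
called 'audit_writer' and 'audit_reader', and index templates / ILM are managed by an
admin, so the writer needs no cluster-level management privileges.
"""
import base64
import fnmatch
import json
import os
import urllib.request

AUDIT_INDEX_PATTERN = "app-audit-*"  # assumption: indices written by logstash-output-elasticsearch

# Index privileges that let the holder overwrite, update or delete documents, or drop
# the index outright. A writer role for audit data must not carry any of these
# ('create' is included because it permits overwriting existing documents by id).
MUTATING_PRIVILEGES = {"all", "write", "index", "create", "delete", "delete_index", "manage"}


def writer_role() -> dict:
    """Role for the ingest pipeline: create new documents only.

    'create_doc' permits indexing new documents but not updating or deleting existing
    ones, so Logstash must send bulk 'create' items. 'auto_configure' lets the first
    write create the index with dynamic mappings.
    """
    return {
        "cluster": ["monitor"],
        "indices": [{
            "names": [AUDIT_INDEX_PATTERN],
            "privileges": ["create_doc", "auto_configure"],
        }],
    }


def reader_role() -> dict:
    """Role for humans: search and inspect the index, nothing else."""
    return {
        "cluster": ["monitor"],
        "indices": [{
            "names": [AUDIT_INDEX_PATTERN],
            "privileges": ["read", "view_index_metadata"],
        }],
    }


def mutating_privileges(role: dict, index: str) -> set:
    """Return the mutating privileges a role definition grants on a concrete index.

    Role entries use wildcard patterns, so a broad entry such as names=['app-*'] with
    'write' silently reaches the audit index too; match the patterns as globs instead
    of comparing strings.
    """
    found = set()
    for entry in role.get("indices", []):
        if any(fnmatch.fnmatch(index, pattern) for pattern in entry.get("names", [])):
            found |= MUTATING_PRIVILEGES & set(entry.get("privileges", []))
    return found


def role_request(name: str, role: dict) -> tuple:
    """(method, path, body) for the Elasticsearch create-or-update-role API."""
    return ("PUT", f"/_security/role/{name}", json.dumps(role))


def put_role(base_url: str, name: str, role: dict, user: str, password: str) -> int:
    """Push a role to a live cluster with basic auth; returns the HTTP status code."""
    method, path, body = role_request(name, role)
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body.encode(), method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    for role_name, role in (("audit_writer", writer_role()), ("audit_reader", reader_role())):
        # Refuse to install a role that could tamper with the audit trail.
        assert not mutating_privileges(role, "app-audit-2022.07.01"), role_name
        if os.environ.get("ES_URL"):  # e.g. the ECK service https://<cluster>-es-http:9200
            print(role_name, put_role(os.environ["ES_URL"], role_name, role,
                                      os.environ["ES_USER"], os.environ["ES_PASSWORD"]))
        else:
            print(*role_request(role_name, role))
```

Run it with `ES_URL`, `ES_USER` and `ES_PASSWORD` set to install the roles, then bind the Logstash user or API key to `audit_writer` and every human to `audit_reader`. The check only guards against accidental over-granting in the roles you write; it does nothing about anyone who holds the `elastic` superuser password, which is exactly the case the question raises and the reason the audit log is still needed on top of RBAC.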
I guess what you want here is a "true append-only" index, which is not possible today.
"log all queries that are either deleting/updating documents in that specific index?"
This is doable with audit logs. I suggest you follow our documentation: Enable audit logging | Elasticsearch Guide [8.3] | Elastic
Please do note that the audit logging feature is Platinum licensed.
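What to look for in the audit log once it is enabled, as an added example (not code from the thread or from Elastic): a small checker that reads the JSON audit events Elasticsearch writes and flags any delete, update or index-deletion touching the audit index, plus any write there by a principal other than the ingest user. It relies on the `event.action`, `user.name`, `action` (the transport action name) and `indices` fields of the 7.x JSON audit log; the index pattern `app-audit-*`, the ingest user name `logstash_writer` and the sample lines are constructed placeholders.

```python
"""Flag manual writes to an audit index from Elasticsearch JSON audit events.

Added example. Assumptions (placeholders): the index pattern is 'app-audit-*', the only
principal that should write is 'logstash_writer', and audit logging is on
(xpack.security.audit.enabled: true; in ECK that goes under spec.nodeSets[].config).
"""
import fnmatch
import json
import sys
from typing import Iterable, List, Optional

AUDIT_INDEX_PATTERN = "app-audit-*"   # assumption
EXPECTED_WRITER = "logstash_writer"    # assumption: name of the ingest user / API key
# Shard-level bulk is the only write action a Logstash bulk ingest should generate.
WRITER_ALLOWED = {"indices:data/write/bulk[s]"}
# Any of these on the audit index means documents were changed or removed, or the
# index itself was dropped, no matter who did it.
FORBIDDEN_PREFIXES = ("indices:data/write/delete", "indices:data/write/update", "indices:admin/delete")


def _touches_audit_index(event: dict) -> bool:
    return any(fnmatch.fnmatch(i, AUDIT_INDEX_PATTERN) for i in event.get("indices", []))


def classify(event: dict) -> Optional[str]:
    """Return why an audit event is suspicious, or None for expected traffic.

    access_denied events are kept too: a read-only user trying to delete is still
    worth knowing about.
    """
    if event.get("event.action") not in ("access_granted", "access_denied"):
        return None
    if not _touches_audit_index(event):
        return None
    action = event.get("action", "")
    user = event.get("user.name")
    outcome = "attempted" if event["event.action"] == "access_denied" else "performed"
    if action.startswith(FORBIDDEN_PREFIXES):
        return f"{user} {outcome} {action} on {event['indices']}"
    if action.startswith("indices:data/write/"):
        if user != EXPECTED_WRITER:
            return f"{user} {outcome} {action} on {event['indices']} (not the ingest user)"
        if action not in WRITER_ALLOWED:
            return f"{user} {outcome} unexpected write action {action}"
    return None


def find_manual_writes(lines: Iterable[str]) -> List[str]:
    """Run classify() over raw audit-log lines, skipping anything that is not JSON."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        reason = classify(json.loads(line))
        if reason:
            findings.append(reason)
    return findings


# Constructed sample events shaped like the 7.x <cluster>_audit.json lines (not real data).
SAMPLE_LINES = [
    '{"type":"audit","timestamp":"2022-07-01T10:15:03,123+0000","event.type":"transport","event.action":"access_granted","user.name":"logstash_writer","user.roles":["audit_writer"],"origin.address":"10.0.0.12:41022","action":"indices:data/write/bulk[s]","request.name":"BulkShardRequest","indices":["app-audit-2022.07.01"]}',
    '{"type":"audit","timestamp":"2022-07-01T10:16:41,004+0000","event.type":"transport","event.action":"access_granted","user.name":"elastic","user.roles":["superuser"],"origin.address":"10.0.0.5:51234","action":"indices:data/write/delete","request.name":"DeleteRequest","indices":["app-audit-2022.07.01"]}',
    '{"type":"audit","timestamp":"2022-07-01T10:17:02,557+0000","event.type":"transport","event.action":"access_granted","user.name":"alice","user.roles":["superuser"],"origin.address":"10.0.0.7:50120","action":"indices:data/write/update","request.name":"UpdateRequest","indices":["app-audit-2022.07.01"]}',
    '{"type":"audit","timestamp":"2022-07-01T10:18:30,900+0000","event.type":"transport","event.action":"access_denied","user.name":"bob","user.roles":["audit_reader"],"origin.address":"10.0.0.9:50340","action":"indices:data/write/bulk[s]","request.name":"BulkShardRequest","indices":["app-audit-2022.07.01"]}',
    '{"type":"audit","timestamp":"2022-07-01T10:19:12,331+0000","event.type":"transport","event.action":"access_granted","user.name":"bob","user.roles":["audit_reader"],"origin.address":"10.0.0.9:50340","action":"indices:data/read/search","request.name":"SearchRequest","indices":["app-audit-2022.07.01"]}',
    '{"type":"audit","timestamp":"2022-07-01T10:20:00,010+0000","event.type":"transport","event.action":"access_granted","user.name":"alice","user.roles":["superuser"],"origin.address":"10.0.0.7:50120","action":"indices:data/write/delete","request.name":"DeleteRequest","indices":["kibana_sample_data"]}',
    '{"type":"audit","timestamp":"2022-07-01T10:21:45,700+0000","event.type":"transport","event.action":"access_granted","user.name":"elastic","user.roles":["superuser"],"origin.address":"10.0.0.5:51234","action":"indices:admin/delete","request.name":"DeleteIndexRequest","indices":["app-audit-2022.06.30"]}',
]


if __name__ == "__main__":
    # Pass the path of <cluster>_audit.json to scan a real file; otherwise use the samples.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    for finding in find_manual_writes(source):
        print(finding)
```

Three things worth checking when you use this for real: `access_granted` has to be in `xpack.security.audit.logfile.events.include` (it is in the default list); a bulk request is logged as one `indices:data/write/bulk[s]` event per shard with no indication of whether the items were `create`, `index` or `delete`, so the ingest user's own writes cannot be told apart here and the writer role itself has to lack delete and update privileges; and the audit file sits on the node's file system, where anyone with host access can edit it, so ship it off the node (for example with Filebeat into a separate cluster) if the admins are part of the threat model.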