We use ELK to push audit logs from one of our applications and we'd like to know if there is a way to know if any HUMAN user manually updated any documents in that specific index. We push logs from an S3 bucket to a specific index using the logstash s3 plugin, and no one should manually update/delete the index documents. These audit logs are super important and should not be updated manually by anyone. (FYI: technically any admin in our team has access to root credentials, so anyone can be a culprit.)
If that is not possible, maybe there is a way to log all queries that are either deleting/updating documents in that specific index? If yes, what would I be looking for in the ES audit logs?
I looked at slow query logs and they are not very helpful as they don't show any usernames.
Elasticsearch has strong RBAC... down to the index + document and field (for commercial subscription) so that is all you need to do
Index level RBAC is available with the Basic / Free Subscription.
Oh details....
So I just helped secure a large scale production cluster... and some ways ... Writers get to write... Analysts / everyone else get to read
We created the publisher role / API for all automated ingesting ... so your logstash should only use the logstash_writer role... you can create a user or an API Key. Per Here
Then your users only get read privileges on the indices / documents... it can be as simple as that ... and very secure!
This RBAC is set at the cluster / index level... I am thinking I would start there.
The UI makes it pretty easy to define roles these days..
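A worked version of the split described above, added here as an example and not code from the thread: an append-only ingest role for Logstash (create-only, no update or delete) beside a read-only role for everyone else, plus a least-privilege check that the ingest role grants nothing mutating. The index pattern `audit-logs-*` and the role names are assumptions; the index privilege names are Elasticsearch's own.

```python
import json

AUDIT_INDEX_PATTERN = "audit-logs-*"  # assumed index pattern for the S3 audit logs

# Index privileges that let a user modify or remove existing documents or the index.
# An ingest role for tamper-evident logs must not carry any of these.
MUTATING_PRIVILEGES = {"all", "write", "index", "delete", "delete_index", "manage"}


def logstash_writer_role(pattern=AUDIT_INDEX_PATTERN):
    """Append-only role for the Logstash user/API key: create_doc indexes new
    documents but cannot update or delete existing ones."""
    return {
        "cluster": ["monitor"],
        "indices": [{
            "names": [pattern],
            "privileges": ["auto_configure", "create_index", "create_doc", "view_index_metadata"],
        }],
    }


def audit_reader_role(pattern=AUDIT_INDEX_PATTERN):
    """Read-only role for analysts and admins doing day-to-day work."""
    return {
        "cluster": [],
        "indices": [{"names": [pattern], "privileges": ["read", "view_index_metadata"]}],
    }


def mutating_privileges(role):
    """Return the sorted list of mutating index privileges a role grants (empty = append-only)."""
    found = set()
    for entry in role["indices"]:
        found |= set(entry["privileges"]) & MUTATING_PRIVILEGES
    return sorted(found)


def audit_roles():
    return {"logstash_writer": logstash_writer_role(), "audit_reader": audit_reader_role()}


def role_api_requests(roles):
    """Render each role as a PUT request for the Kibana Dev Tools console."""
    return [f"PUT _security/role/{name}\n{json.dumps(body, indent=2)}" for name, body in roles.items()]


if __name__ == "__main__":
    for name, body in audit_roles().items():
        assert not mutating_privileges(body), f"{name} can modify audit documents"
    print("\n\n".join(role_api_requests(audit_roles())))
```

Root or superuser credentials bypass these roles entirely, so the check only covers accounts that are actually assigned them.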