Security audits using Elasticsearch

Can I use Elasticsearch for security audits? For example, I have 10 users accessing confidential data every day, and I log this and index it into Elasticsearch. Will I be able to do random audits on these users, for example 2 different users and 2 different dates every month? I was trying random_score and function_score:

{
  "query": {
    "function_score": {
      "functions": [
        {
          "random_score": {}
        }
      ],
      "query": {
        "match_all": {}
      }
    }
  }
}

but I am not sure how to do what I need. If anyone has an idea, please let me know.

Thanks,

Raj

Hi,

Within X-Pack Security we have the following: https://www.elastic.co/guide/en/x-pack/current/auditing.html

If interested give the trial a go, https://www.elastic.co/guide/en/x-pack/current/license-management.html

Hi Jymit,

Thank you for the reply. This is not an audit of who is accessing the Elasticsearch cluster; it is external data (which already contains who accessed it and which record they accessed) that I ingest into Elasticsearch.

For example, user "Axcse" accessed record "aaaa". Like this I have many documents of different users accessing different records, and each log I have as a JSON document in Elasticsearch. So every month I want to perform an audit on random users and random dates.

Thanks,
Raj

Please, anyone, help me.

Hi,

From a security POV, what are you looking to achieve here? Why the random users and random dates?

Hi,
Thank you for the reply,

We receive logs from IBM CICS in Elasticsearch which have all the transaction info and personal numbers, which are highly confidential data. These confidential data are viewed by certain (authorised) users, so we have to perform security audits on these users randomly on different dates every month, since it is not practically possible to review all the logs and why they accessed those records. That is why we want to audit two random users on two different dates: all the logs of whatever they accessed on those particular random dates.

Thanks in advance,
Raj
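One way to do the sampling Raj describes, written here as an added example rather than anything posted in the thread. The random_score function above randomises the order of individual documents, which is not the same as picking random users and random days; the script below instead lists the distinct users (in production via the terms aggregation in USER_LIST_QUERY), draws two users and two days of the month from a seeded random generator, and builds the plain filtered search that returns everything those users accessed on those days. Recording the seed alongside the result lets the auditor later show the sample was not hand-picked. The field names "@timestamp", "user" and "record" and the sample documents are assumptions, constructed to match the "Axcse accessed aaaa" shape in the thread; the Elasticsearch query bodies are standard terms, range and bool syntax and are built but not sent.

```python
import calendar
import json
import random
from datetime import date, timedelta

# Constructed access-log documents in the shape the thread describes
# (user X viewed record Y at time T). Field names are assumptions;
# adjust them to your own index mapping.
SAMPLE_DOCS = [
    {"@timestamp": "2019-03-04T09:12:00Z", "user": "Axcse", "record": "aaaa"},
    {"@timestamp": "2019-03-04T09:13:10Z", "user": "Axcse", "record": "bbbb"},
    {"@timestamp": "2019-03-04T11:02:00Z", "user": "Bntrd", "record": "aaaa"},
    {"@timestamp": "2019-03-11T14:40:00Z", "user": "Cqwe", "record": "cccc"},
    {"@timestamp": "2019-03-19T08:05:00Z", "user": "Axcse", "record": "dddd"},
    {"@timestamp": "2019-03-25T16:30:00Z", "user": "Dplm", "record": "eeee"},
    {"@timestamp": "2019-04-02T10:00:00Z", "user": "Bntrd", "record": "aaaa"},
]

# Request body that lists the distinct users seen in the index
# (assumes "user" is a keyword field). Read the bucket keys from
# aggregations.users.buckets in the response.
USER_LIST_QUERY = {
    "size": 0,
    "aggs": {"users": {"terms": {"field": "user", "size": 10000}}},
}


def distinct_users(docs):
    """Local stand-in for USER_LIST_QUERY, run over in-memory documents."""
    return sorted({d["user"] for d in docs})


def pick_audit_sample(users, year, month, seed, n_users=2, n_days=2):
    """Choose the users and days for one month's audit from a recorded seed.

    Seeding makes the draw reproducible: anyone with the seed and the same
    user list gets the same sample, so the selection can be shown to be
    random rather than chosen after the fact.
    """
    rng = random.Random(seed)
    days_in_month = calendar.monthrange(year, month)[1]
    chosen_users = sorted(rng.sample(sorted(users), n_users))
    chosen_days = sorted(rng.sample(range(1, days_in_month + 1), n_days))
    return {
        "seed": seed,
        "users": chosen_users,
        "days": [f"{year:04d}-{month:02d}-{d:02d}" for d in chosen_days],
    }


def next_day(day):
    """'2019-03-31' -> '2019-04-01'; used as the exclusive upper bound."""
    return (date.fromisoformat(day) + timedelta(days=1)).isoformat()


def audit_query(sample, size=10000):
    """Search body returning every access by the sampled users on the sampled days.

    A bool filter is used instead of function_score: nothing needs scoring,
    the result set is the complete set of accesses to review.
    """
    day_clauses = [
        {"range": {"@timestamp": {"gte": day, "lt": next_day(day)}}}
        for day in sample["days"]
    ]
    return {
        "size": size,
        "sort": [{"@timestamp": "asc"}],
        "query": {
            "bool": {
                "filter": [
                    {"terms": {"user": sample["users"]}},
                    {"bool": {"should": day_clauses, "minimum_should_match": 1}},
                ]
            }
        },
    }


def select_docs(docs, sample):
    """Local equivalent of audit_query, to check what the search would return."""
    users = set(sample["users"])
    days = set(sample["days"])
    return [d for d in docs if d["user"] in users and d["@timestamp"][:10] in days]


if __name__ == "__main__":
    users = distinct_users(SAMPLE_DOCS)
    sample = pick_audit_sample(users, 2019, 3, seed=201903)
    print("audit sample:", json.dumps(sample))
    print(json.dumps(audit_query(sample), indent=2))
    for doc in select_docs(SAMPLE_DOCS, sample):
        print(doc)
```

In practice the seed and the resulting sample should be stored with the audit record (for example in a separate index) before the query is run, and the user list should be taken from the terms aggregation rather than from a hard-coded set, so that users who appear only in that month's data are still eligible.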
