[role="xpack"]
[testenv="gold+"]
[[auditing-search-queries]]
=== Auditing search queries
There is no <<audit-event-types, audit event type>> specifically
dedicated to search queries. Search queries are analyzed and then processed; the
processing triggers authorization actions that are audited.
However, the original raw query, as submitted by the client, is not accessible
downstream when authorization auditing occurs.
Search queries are contained inside HTTP request bodies, however, and some
audit events that are generated by the REST layer can be toggled to output
the request body to the audit log.
To make certain audit events include the request body, edit the following
setting in the `elasticsearch.yml` file:
[source,yaml]
----------------------------
xpack.security.audit.logfile.events.emit_request_body: true
----------------------------
IMPORTANT: No filtering is performed when auditing, so sensitive data might be
audited in plain text when audit events include the request body. Also, the
request body can contain malicious content that can break a parser consuming
the audit logs.
There are only a handful of <<audit-event-types, audit event types>> that are
generated in the REST layer and can access the request body. Most of them are not
included by default.
A good practical piece of advice is to add `authentication_success` to the event
types that are audited (add it to the `xpack.security.audit.logfile.events.include`
list), as this event type is not audited by default.
NOTE: Typically, the include list contains other event types as well, such as
`access_granted` or `access_denied`.
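The two points above, that `authentication_success` REST events are where the request body ends up once `xpack.security.audit.logfile.events.emit_request_body: true` is set, and that the body is unfiltered client input that can break a careless log consumer, are illustrated by the following added example. It is not part of the {es} documentation or code base: it runs over a small constructed sample of JSON-lines audit output, and the field names it reads (`event.action`, `url.path`, `request.body`, `user.name`) are assumptions about the logfile layout rather than a specification. Each line is decoded as one JSON document, the body is decoded separately as opaque data, and malformed lines are counted instead of aborting the run.

```python
import json
from typing import List, Optional, Tuple

# Constructed sample of JSON-lines audit output (NOT real log output).
# Field names are assumed to mirror the logfile audit layout; treat them as
# assumptions. The second record carries a body with an embedded newline,
# stray quotes and a fake closing brace: harmless to a per-line JSON decoder,
# but enough to derail regex or split()-based extraction of the raw text.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"type": "audit", "event.type": "rest",
                "event.action": "authentication_success",
                "user.name": "analyst", "url.path": "/logs-*/_search",
                "request.method": "GET",
                "request.body": json.dumps(
                    {"query": {"match": {"message": "login failed"}}})}),
    json.dumps({"type": "audit", "event.type": "rest",
                "event.action": "authentication_success",
                "user.name": "analyst", "url.path": "/_search",
                "request.method": "POST",
                "request.body": '{"query": {"match_all": {}}} "} \n extra'}),
    # Transport-layer event: no request body is available here, which is why
    # emit_request_body alone is not enough to see the query.
    json.dumps({"type": "audit", "event.type": "transport",
                "event.action": "access_granted", "user.name": "analyst",
                "action": "indices:data/read/search"}),
    # Truncated line, as left behind by a crash or an interrupted rotation.
    '{"type": "audit", "event.action": "authentication_success", '
    '"request.body": "{\\"query',
])


def decode_body(raw: Optional[str]) -> Optional[dict]:
    """Decode the request body on its own so a malformed or non-object body
    degrades to None instead of discarding the surrounding audit event."""
    if raw is None:
        return None
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def extract_search_bodies(text: str) -> Tuple[List[dict], int]:
    """Return (records, skipped).

    records: one dict per authentication_success event whose URL path ends in
             /_search, holding the user, the path, the raw body string and the
             decoded body (None when the body is not a JSON object).
    skipped: number of lines that were not well-formed JSON documents.
    """
    records: List[dict] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)  # one complete JSON document per line
        except json.JSONDecodeError:
            skipped += 1
            continue
        if event.get("event.action") != "authentication_success":
            continue
        path = event.get("url.path", "")
        if not path.endswith("/_search"):
            continue
        raw_body = event.get("request.body")
        records.append({
            "user": event.get("user.name"),
            "path": path,
            "raw_body": raw_body,
            "body": decode_body(raw_body),
        })
    return records, skipped


if __name__ == "__main__":
    found, bad = extract_search_bodies(SAMPLE_AUDIT_LOG)
    for rec in found:
        status = "decoded" if rec["body"] is not None else "undecodable body"
        print(f'{rec["user"]} {rec["path"]}: {status}')
    print(f"skipped {bad} malformed line(s)")
```

Decoding the body as a separate step is the practical consequence of the IMPORTANT note: the event envelope is written by the node and can be trusted to be well-formed JSON, while the body is whatever the client sent and is only ever treated as data. Whatever consumes the bodies afterwards (a SIEM, a script) should apply the same rule rather than concatenating or re-serialising them blindly.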