DOCS Auditing search queries (#35301)

This documents how to include the search queries in the audit log.

There is a catch, that even if enabling `emit_request_body`, which should
output queries included in request bodies, search queries were not output
because, implicitly, no REST layer audit event type was included.

This folk knowledge is herein imprinted.
This commit is contained in:
Albert Zaharovits 2018-11-09 11:38:45 +02:00 committed by GitHub
parent 7054e289fa
commit 617f91bb0f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 57 additions and 1 deletions

View File

@ -0,0 +1,53 @@
[role="xpack"]
[testenv="gold+"]
[[auditing-search-queries]]
=== Auditing search queries
There is no <<audit-event-types, audit event type>> specifically
dedicated to search queries. Search queries are analyzed and then processed; the
processing triggers authorization actions that are audited.
However, the original raw query, as submitted by the client, is not accessible
downstream when authorization auditing occurs.
Search queries are contained inside HTTP request bodies, however, and some
audit events that are generated by the REST layer can be toggled to output
the request body to the audit log.
To make certain audit events include the request body, edit the following
settings in the `elasticsearch.yml` file:
* For the `logfile` audit output:
+
--
[source,yaml]
----------------------------
xpack.security.audit.logfile.events.emit_request_body: true
----------------------------
--
* For the `index` output:
+
--
[source,yaml]
----------------------------
xpack.security.audit.index.events.emit_request_body: true
----------------------------
--
IMPORTANT: No filtering is performed when auditing, so sensitive data might be
audited in plain text when audit events include the request body. Also, the
request body can contain malicious content that can break a parser consuming
the audit logs.
There are only a handful of <<audit-event-types, audit event types>> that are
generated in the REST layer and can access the request body. Most of them are not
included by default.
A good practical piece of advice is to add `authentication_success` to the event
types that are audited. Add it to the list in the
`xpack.security.audit.logfile.events.include` or
`xpack.security.audit.index.events.include` settings. This type is not audited
by default.
NOTE: Typically, the include list contains other event types as well, such as
`access_granted` or `access_denied`.

View File

@ -11,5 +11,8 @@ include::output-logfile.asciidoc[]
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/auditing/output-index.asciidoc
include::output-index.asciidoc[]
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc
include::auditing-search-queries.asciidoc[]
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc
include::forwarding-logs.asciidoc[]
include::forwarding-logs.asciidoc[]