honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-09 22:45:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc
Albert Zaharovits b6936e3c1e
Remove index audit output type (#37707) 
This commit removes the Index Audit Output type, following its deprecation
in 6.7 by 8765a31d4e6770. It also adds the migration notice (settings notice).

In general, the problem with the index audit output is that event indexing
can be slower than the rate with which audit events are generated,
especially during the daily rollovers or the rolling cluster upgrades.
In this situation audit events will be lost which is a terrible failure situation
for an audit system.
Besides of the settings under the `xpack.security.audit.index` namespace, the
`xpack.security.audit.outputs` setting has also been deprecated and will be
removed in 7. Although explicitly configuring the logfile output does not touch
any deprecation bits, this setting is made redundant in 7 so this PR deprecates
it as well.

Relates #29881
2019-01-24 12:36:10 +02:00

39 lines
1.6 KiB
Plaintext
Raw Blame History

[role="xpack"]
[testenv="gold+"]
[[auditing-search-queries]]
=== Auditing search queries
There is no <<audit-event-types, audit event type>> specifically
dedicated to search queries. Search queries are analyzed and then processed; the
processing triggers authorization actions that are audited.
However, the original raw query, as submitted by the client, is not accessible
downstream when authorization auditing occurs.
Search queries are contained inside HTTP request bodies, however, and some
audit events that are generated by the REST layer can be toggled to output
the request body to the audit log.
To make certain audit events include the request body, edit the following
setting in the `elasticsearch.yml` file:
[source,yaml]
----------------------------
xpack.security.audit.logfile.events.emit_request_body: true
----------------------------
IMPORTANT: No filtering is performed when auditing, so sensitive data might be
audited in plain text when audit events include the request body. Also, the
request body can contain malicious content that can break a parser consuming
the audit logs.
There are only a handful of <<audit-event-types, audit event types>> that are
generated in the REST layer and can access the request body. Most of them are not
included by default.
A good practical piece of advice is to add `authentication_success` to the event
types that are audited (add it to the list in the `xpack.security.audit.logfile.events.include`),
as this event type is not audited by default.
NOTE: Typically, the include list contains other event types as well, such as
`access_granted` or `access_denied`.
Reference in New Issue View Git Blame Copy Permalink