
Commit bca9995

DOCS Auditing search queries (elastic#35301)
This documents how to include the search queries in the audit log. There is a catch: even if `emit_request_body` is enabled, which should output queries included in request bodies, search queries were not output because, implicitly, no REST layer audit event type was included. This folk knowledge is herein imprinted.
1 parent 97adb4b commit bca9995

2 files changed

+57
-1
lines changed

Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
[role="xpack"]
2+
[testenv="gold+"]
3+
[[auditing-search-queries]]
4+
=== Auditing search queries
5+
6+
There is no <<audit-event-types, audit event type>> specifically
7+
dedicated to search queries. Search queries are analyzed and then processed; the
8+
processing triggers authorization actions that are audited.
9+
However, the original raw query, as submitted by the client, is not accessible
10+
downstream when authorization auditing occurs.
11+
12+
Search queries are contained inside HTTP request bodies, however, and some
13+
audit events that are generated by the REST layer can be toggled to output
14+
the request body to the audit log.
15+
16+
To make certain audit events include the request body, edit the following
17+
settings in the `elasticsearch.yml` file:
18+
19+
* For the `logfile` audit output:
20+
+
21+
--
22+
[source,yaml]
23+
----------------------------
24+
xpack.security.audit.logfile.events.emit_request_body: true
25+
----------------------------
26+
--
27+
28+
* For the `index` output:
29+
+
30+
--
31+
[source,yaml]
32+
----------------------------
33+
xpack.security.audit.index.events.emit_request_body: true
34+
----------------------------
35+
--
36+
37+
IMPORTANT: No filtering is performed when auditing, so sensitive data might be
38+
audited in plain text when audit events include the request body. Also, the
39+
request body can contain malicious content that can break a parser consuming
40+
the audit logs.
41+
42+
There are only a handful of <<audit-event-types, audit event types>> that are
43+
generated in the REST layer and can access the request body. Most of them are not
44+
included by default.
45+
46+
A good practical piece of advice is to add `authentication_success` to the event
47+
types that are audited. Add it to the list in the
48+
`xpack.security.audit.logfile.events.include` or
49+
`xpack.security.audit.index.events.include` settings. This type is not audited
50+
by default.
51+
52+
NOTE: Typically, the include list contains other event types as well, such as
53+
`access_granted` or `access_denied`.
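Review bot: the crux of this commit, that `emit_request_body: true` alone produces no search queries until a REST-layer event type such as `authentication_success` is also in the include list, is stated only in prose at lines 46-50, while the two YAML blocks at lines 24 and 33 show just the `emit_request_body` setting; a reader who copies the YAML will reproduce exactly the silent failure the commit message describes. Suggest showing the include list next to it in one block, for example `xpack.security.audit.logfile.events.emit_request_body: true` followed by `xpack.security.audit.logfile.events.include: [access_granted, access_denied, authentication_success]`, and making the NOTE at line 52 explicit that setting `include` replaces the default list, so the default types must be re-listed rather than only `authentication_success` added. Two smaller points: line 42 says only "a handful" of event types are generated in the REST layer but names none of them, so the reader cannot choose an alternative to `authentication_success`; and the IMPORTANT block at lines 37-40 would be stronger if it said that, once `authentication_success` is included, the body of every authenticated request is written to the audit log, not only search requests, which matters for both log volume and the plain-text exposure the note already warns about.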

x-pack/docs/en/security/auditing/index.asciidoc

Lines changed: 4 additions & 1 deletion
@@ -11,5 +11,8 @@ include::output-logfile.asciidoc[]
1111
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/auditing/output-index.asciidoc
1212
include::output-index.asciidoc[]
1313

14+
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc
15+
include::auditing-search-queries.asciidoc[]
16+
1417
:edit_url: https://github.com/elastic/elasticsearch/edit/{branch}/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc
15-
include::forwarding-logs.asciidoc[]
18+
include::forwarding-logs.asciidoc[]
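Review bot: the new `:edit_url:` at line 14 and `include::auditing-search-queries.asciidoc[]` at line 15 assume the new file lives at `x-pack/docs/en/security/auditing/auditing-search-queries.asciidoc`, but the first diff on this page does not show the new file's path, so please confirm the path matches; the `[[auditing-search-queries]]` anchor in the new file is consistent with the include name. Placement after `output-index.asciidoc[]` and before `forwarding-logs.asciidoc[]` reads naturally (configure outputs, then tune what they capture), and the blank line added at 16 keeps the spacing consistent with the surrounding entries, so nothing else to flag here.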
