탐색 도움말
로그인
lqb
/
elasticsearch
의 미러 https://gitee.com/mirrors/elasticsearch.git
1
0
포크 0
파일 이슈 0 위키
트리: 3c23a9e9cd
브랜치 태그
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
auditing
/
auditing-search-queries.asciidoc

auditing-search-queries.asciidoc 2.0 KB
히스토리 Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243 
  1. [[auditing-search-queries]]
    2. 

  2. === Auditing search queries
    3. 

  3. 

  4. There is no <<audit-event-types, audit event type>> specifically
    5. 

  5. dedicated to search queries. Search queries are analyzed and then processed; the
    6. 

  6. processing triggers authorization actions that are audited.
    7. 

  7. However, the original raw query, as submitted by the client, is not accessible
    8. 

  8. downstream when authorization auditing occurs.
    9. 

  9. 

  10. Search queries are contained inside HTTP request bodies, however, and some
    11. 

  11. audit events that are generated by the REST layer, on the coordinating node,
    12. 

  12. can be toggled to output the request body to the audit log. Therefore, one
    13. 

  13. must audit request bodies in order to audit search queries.
    14. 

  14. 

  15. To make certain audit events include the request body, edit the following
    16. 

  16. setting in the `elasticsearch.yml` file:
    17. 

  17. 

  18. [source,yaml]
    19. 

  19. ----------------------------
    20. 

  20. xpack.security.audit.logfile.events.emit_request_body: true
    21. 

  21. ----------------------------
    22. 

  22. 

  23. IMPORTANT: No filtering is performed when auditing, so sensitive data might be
    24. 

  24. audited in plain text when audit events include the request body. Also, the
    25. 

  25. request body can contain malicious content that can break a parser consuming
    26. 

  26. the audit logs.
    27. 

  27. 

  28. The request body is printed as an escaped JSON string value (RFC 4627) to the `request.body`
    29. 

  29. event attribute.
    30. 

  30. 

  31. Not all events contain the `request.body` attribute, even when the above setting
    32. 

  32. is toggled. The ones that do are: `authentication_success`,
    33. 

  33. `authentication_failed`, `realm_authentication_failed`, `tampered_request`, `run_as_denied`,
    34. 

  34. and `anonymous_access_denied`. The `request.body` attribute is printed on the coordinating node only
    35. 

  35. (the node that handles the REST request). Most of these event types are
    36. 

  36. <<xpack-sa-lf-events-include, not included by default>>.
    37. 

  37. 

  38. A good practical piece of advice is to add `authentication_success` to the event
    39. 

  39. types that are audited (add it to the list in the `xpack.security.audit.logfile.events.include`),
    40. 

  40. as this event type is not audited by default.
    41. 

  41. 

  42. NOTE: Typically, the include list contains other event types as well, such as
    43. 

  43. `access_granted` or `access_denied`.
    44.