|
1 | 1 | [role="xpack"] |
2 | | -[[auditing]] |
3 | | -== Auditing security events |
4 | | - |
5 | | -You can enable auditing to keep track of security-related events such as |
6 | | -authentication failures and refused connections. Logging these events enables you |
7 | | -to monitor your cluster for suspicious activity and provides evidence in the |
8 | | -event of an attack. |
9 | | - |
10 | | -[IMPORTANT] |
11 | | -============================================================================ |
12 | | -Audit logs are **disabled** by default. To enable this functionality, you |
13 | | -must set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`. |
14 | | -============================================================================ |
15 | | - |
16 | | -{Security} provides two ways to persist audit logs: |
17 | | - |
18 | | -* The <<audit-log-output, `logfile`>> output, which persists events to |
19 | | - a dedicated `<clustername>_access.log` file on the host's file system. |
20 | | -* The <<audit-index, `index`>> output, which persists events to an Elasticsearch index. |
21 | | -The audit index can reside on the same cluster, or a separate cluster. |
22 | | - |
23 | | -By default, only the `logfile` output is used when enabling auditing. |
24 | | -To facilitate browsing and analyzing the events, you can also enable |
25 | | -indexing by setting `xpack.security.audit.outputs` in `elasticsearch.yml`: |
26 | | - |
27 | | -[source,yaml] |
28 | | ----------------------------- |
29 | | -xpack.security.audit.outputs: [ index, logfile ] |
30 | | ----------------------------- |
31 | | - |
32 | | -The `index` output type should be used in conjunction with the `logfile` |
33 | | -output type Because it is possible for the `index` output type to lose |
34 | | -messages if the target index is unavailable, the `access.log` should be |
35 | | -used as the official record of events. |
36 | | - |
37 | | -NOTE: Audit events are batched for indexing so there is a lag before |
38 | | -events appear in the index. You can control how frequently batches of |
39 | | -events are pushed to the index by setting |
40 | | -`xpack.security.audit.index.flush_interval` in `elasticsearch.yml`. |
41 | | - |
42 | 2 | [float] |
43 | 3 | [[audit-event-types]] |
44 | 4 | === Audit event types |
45 | 5 |
|
46 | | -Each request may generate multiple audit events. |
47 | | -The following is a list of the events that can be generated: |
| 6 | +When you are <<auditing,auditing security events>>, each request can generate |
| 7 | +multiple audit events. The following is a list of the events that can be generated: |
48 | 8 |
|
49 | 9 | |====== |
50 | 10 | | `anonymous_access_denied` | | | Logged when a request is denied due to a missing |
@@ -281,195 +241,3 @@ The log level determines which attributes are included in a log entry. |
281 | 241 | | `rule` | The <<ip-filtering, IP filtering>> rule that denied |
282 | 242 | the request. |
283 | 243 | |====== |
284 | | - |
285 | | -[float] |
286 | | -[[audit-log-output]] |
287 | | -=== Logfile audit output |
288 | | - |
289 | | -The `logfile` audit output is the default output for auditing. It writes data to |
290 | | -the `<clustername>_access.log` file in the logs directory. |
291 | | - |
292 | | -[float] |
293 | | -[[audit-log-entry-format]] |
294 | | -=== Log entry format |
295 | | - |
296 | | -The format of a log entry is: |
297 | | - |
298 | | -[source,txt] |
299 | | ----------------------------------------------------------------------------- |
300 | | -[<timestamp>] [<local_node_info>] [<layer>] [<entry_type>] <attribute_list> |
301 | | ----------------------------------------------------------------------------- |
302 | | - |
303 | | -`<timestamp>` :: When the event occurred. You can configure the |
304 | | - timestamp format in `log4j2.properties`. |
305 | | -`<local_node_info>` :: Information about the local node that generated |
306 | | - the log entry. You can control what node information |
307 | | - is included by configuring the |
308 | | - {ref}/auditing-settings.html#node-audit-settings[local node info settings]. |
309 | | -`<layer>` :: The layer from which this event originated: |
310 | | - `rest`, `transport` or `ip_filter`. |
311 | | -`<entry_type>` :: The type of event that occurred: `anonymous_access_denied`, |
312 | | - `authentication_failed`, `access_denied`, `access_granted`, |
313 | | - `connection_granted`, `connection_denied`. |
314 | | -`<attribute_list>` :: A comma-separated list of key-value pairs that contain |
315 | | - data pertaining to the event. Formatted as |
316 | | - `attr1=[val1], attr2=[val2]`. See <<audit-event-attributes, |
317 | | - Audit Entry Attributes>> for the attributes that can be included |
318 | | - for each type of event. |
319 | | - |
320 | | -[float] |
321 | | -[[audit-log-settings]] |
322 | | -=== Logfile output settings |
323 | | - |
324 | | -The events and some other information about what gets logged can be |
325 | | -controlled using settings in the `elasticsearch.yml` file. See |
326 | | -{ref}/auditing-settings.html#event-audit-settings[Audited Event Settings] and |
327 | | -{ref}/auditing-settings.html#node-audit-settings[Local Node Info Settings]. |
328 | | - |
329 | | -IMPORTANT: No filtering is performed when auditing, so sensitive data may be |
330 | | -audited in plain text when including the request body in audit events. |
331 | | - |
332 | | -[[logging-file]] |
333 | | -You can also configure how the logfile is written in the `log4j2.properties` |
334 | | -file located in `CONFIG_DIR`. By default, audit information is appended to the |
335 | | -`<clustername>_access.log` file located in the standard Elasticsearch `logs` directory |
336 | | -(typically located at `$ES_HOME/logs`). The file rolls over on a daily basis. |
337 | | - |
338 | | -[float] |
339 | | -[[audit-log-ignore-policy]] |
340 | | -=== Logfile audit events ignore policies |
341 | | - |
342 | | -The comprehensive audit trail is necessary to ensure accountability. It offers tremendous |
343 | | -value during incident response and can even be required for demonstrating compliance. |
344 | | - |
345 | | -The drawback of an audited system is represented by the inevitable performance penalty incurred. |
346 | | -In all truth, the audit trail spends _I/O ops_ that are not available anymore for the user's queries. |
347 | | -Sometimes the verbosity of the audit trail may become a problem that the event type restrictions, |
348 | | -<<audit-log-settings, defined by `include` and `exclude`>>, will not alleviate. |
349 | | - |
350 | | -*Audit events ignore policies* are a finer way to tune the verbosity of the audit trail. |
351 | | -These policies define rules that match audit events which will be _ignored_ (read as: not printed). |
352 | | -Rules match on the values of attributes of audit events and complement the <<audit-log-settings, include/exclude>> method. |
353 | | -Imagine the corpus of audit events and the policies chopping off unwanted events. |
354 | | - |
355 | | -IMPORTANT: When utilizing audit events ignore policies you are acknowledging potential |
356 | | -accountability gaps that could render illegitimate actions undetectable. |
357 | | -Please take time to review these policies whenever your system architecture changes. |
358 | | - |
359 | | -A policy is a named set of filter rules. Each filter rule applies to a single event attribute, |
360 | | -one of the `users`, `realms`, `roles` or `indices` attributes. The filter rule defines |
361 | | -a list of {ref}/query-dsl-regexp-query.html#regexp-syntax[Lucene regexp], *any* of which has to match the value of the audit |
362 | | -event attribute for the rule to match. |
363 | | -A policy matches an event if *all* the rules comprising it match the event. |
364 | | -An audit event is ignored, therefore not printed, if it matches *any* policy. All other |
365 | | -non-matching events are printed as usual. |
366 | | - |
367 | | -All policies are defined under the `xpack.security.audit.logfile.events.ignore_filters` |
368 | | -settings namespace. For example, the following policy named _example1_ matches |
369 | | -events from the _kibana_ or _admin_user_ principals **and** operating over indices of the |
370 | | -wildcard form _app-logs*_: |
371 | | - |
372 | | -[source,yaml] |
373 | | ----------------------------- |
374 | | -xpack.security.audit.logfile.events.ignore_filters: |
375 | | - example1: |
376 | | - users: ["kibana", "admin_user"] |
377 | | - indices: ["app-logs*"] |
378 | | ----------------------------- |
379 | | - |
380 | | -An audit event generated by the _kibana_ user and operating over multiple indices |
381 | | -, some of which do not match the indices wildcard, will not match. |
382 | | -As expected, operations generated by all other users (even operating only on indices that |
383 | | -match the _indices_ filter) will not match this policy either. |
384 | | - |
385 | | -Audit events of different types may have <<audit-event-attributes, different attributes>>. |
386 | | -If an event does not contain an attribute for which some policy defines filters, the |
387 | | -event will not match the policy. |
388 | | -For example, the following policy named _example2_, will never match `authentication_success` or |
389 | | -`authentication_failed` events, irrespective of the user's roles, because these |
390 | | -event schemas do not contain the `role` attribute: |
391 | | - |
392 | | -[source,yaml] |
393 | | ----------------------------- |
394 | | -xpack.security.audit.logfile.events.ignore_filters: |
395 | | - example2: |
396 | | - roles: ["admin", "ops_admin_*"] |
397 | | ----------------------------- |
398 | | - |
399 | | -Likewise, any events of users with multiple roles, some of which do not match the |
400 | | -regexps will not match this policy. |
401 | | - |
402 | | -For completeness, although practical use cases should be sparse, a filter can match |
403 | | -a missing attribute of an event, using the empty string ("") or the empty list ([]). |
404 | | -For example, the following policy will match events that do not have the `indices` |
405 | | -attribute (`anonymous_access_denied`, `authentication_success` and other types) as well |
406 | | -as events over the _next_ index. |
407 | | - |
408 | | -[source,yaml] |
409 | | ----------------------------- |
410 | | -xpack.security.audit.logfile.events.ignore_filters: |
411 | | - example3: |
412 | | - indices: ["next", ""] |
413 | | ----------------------------- |
414 | | - |
415 | | - |
416 | | -[float] |
417 | | -[[audit-index]] |
418 | | -=== Index audit output |
419 | | - |
420 | | -In addition to logging to a file, you can store audit logs in Elasticsearch |
421 | | -rolling indices. These indices can be either on the same cluster, or on a |
422 | | -remote cluster. You configure the following settings in |
423 | | -`elasticsearch.yml` to control how audit entries are indexed. To enable |
424 | | -this output, you need to configure the setting `xpack.security.audit.outputs` |
425 | | -in the `elasticsearch.yml` file: |
426 | | - |
427 | | -[source,yaml] |
428 | | ----------------------------- |
429 | | -xpack.security.audit.outputs: [ index, logfile ] |
430 | | ----------------------------- |
431 | | - |
432 | | -For more configuration options, see |
433 | | -{ref}/auditing-settings.html#index-audit-settings[Audit log indexing configuration settings]. |
434 | | - |
435 | | -IMPORTANT: No filtering is performed when auditing, so sensitive data may be |
436 | | -audited in plain text when including the request body in audit events. |
437 | | - |
438 | | -[float] |
439 | | -==== Audit index settings |
440 | | - |
441 | | -You can also configure settings for the indices that the events are stored in. |
442 | | -These settings are configured in the `xpack.security.audit.index.settings` namespace |
443 | | -in `elasticsearch.yml`. For example, the following configuration sets the |
444 | | -number of shards and replicas to 1 for the audit indices: |
445 | | - |
446 | | -[source,yaml] |
447 | | ----------------------------- |
448 | | -xpack.security.audit.index.settings: |
449 | | - index: |
450 | | - number_of_shards: 1 |
451 | | - number_of_replicas: 1 |
452 | | ----------------------------- |
453 | | - |
454 | | -[float] |
455 | | -==== Forwarding audit logs to a remote cluster |
456 | | - |
457 | | -To index audit events to a remote Elasticsearch cluster, you configure |
458 | | -the following `xpack.security.audit.index.client` settings: |
459 | | - |
460 | | -* `xpack.security.audit.index.client.hosts` |
461 | | -* `xpack.security.audit.index.client.cluster.name` |
462 | | -* `xpack.security.audit.index.client.xpack.security.user` |
463 | | - |
464 | | -For more information about these settings, see |
465 | | -{ref}/auditing-settings.html#remote-audit-settings[Remote Audit Log Indexing Configuration Settings]. |
466 | | - |
467 | | -You can pass additional settings to the remote client by specifying them in the |
468 | | -`xpack.security.audit.index.client` namespace. For example, to allow the remote |
469 | | -client to discover all of the nodes in the remote cluster you can specify the |
470 | | -`client.transport.sniff` setting: |
471 | | - |
472 | | -[source,yaml] |
473 | | ----------------------------- |
474 | | -xpack.security.audit.index.client.transport.sniff: true |
475 | | ----------------------------- |
0 commit comments