Audit All user actions

waeshalaby · December 25, 2019, 10:30am

We are wondering if we can log all ‘KQL’ for all users with granted permissions to query these indices as we try with the default installation to discover all audit actions
but only the default tracked events are:

Failed login
Successful login
Missing privileges to run a certain request
Granted privileges to run a certain request
SSL/TLS error when Elasticsearch was contacted but there was no certificate or the provided certificate was incorrect
Attempt to alter the configuration of the internal security module without required privileges
Attempt to interact with Elasticsearch without security headers

doesn’t contain user successful search queries.

mato · April 15, 2020, 1:37pm

Hi,

opendistro guys, please answer

thanks

Anthony · May 5, 2021, 5:16pm

Hi @waeshalaby Did you get this working? the docs seems to cover most of what you are looking for

Topic		Replies	Views
Audit Logs - Showing "FAILED_LOGIN" for successful login attempts Security	5	2669	September 30, 2020
Users unable to save queries Security troubleshoot	7	2021	March 30, 2022
Audit - tracking users working deleting index Security	5	818	April 21, 2020
Audit Logs for OpenDistro Security	3	1147	February 18, 2021
Use Open Distro for Elasticsearch to Alert on Security Events \| Open Distro General Feedback	1	569	February 7, 2023

Audit All user actions

Related topics