Not getting audit logs

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11.0

Describe the issue:
I am using OpenSearch 2.11.0 on an RPM machine (Red Hat). After enabling the audit log and configuring the required audit log settings, I have executed a few queries but I am not getting audit logs. Please let me know if I am missing anything.

Configuration:

I did the below configuration for the audit log in the opensearch.yml file

plugins.security.audit.type: internal_opensearch

Configuration for the audit log in the audit.yml file

plugins.security.audit.config.ignore_users: kibanaserver
plugins.security.audit.config.enable_rest: true
plugins.security.audit.config.enable_transport: true
plugins.security.audit.config.disabled_rest_categories: NONE
plugins.security.audit.config.disabled_transport_categories: NONE
plugins.security.audit.config.log_request_body: true

Relevant Logs or Screenshots:

Hi team,

Can you please guide me for above query ?

Hi @Ashish,

Could you please run GET _cat/indices/*auditlog* in your Dev Tools (or any convenient way for you) and share the output?

Best,
Mantas

Below is the response I am getting while executing GET _cat/indices/auditlog

yellow open auditlog-2023.10.20 fQhc4-jPQDytQtnS-1GHIw 1 1 1 0 12.7kb 12.7kb
yellow open auditlog-2023.11.02 5WZifgOfS1KBWeybUgat4g 1 1 13 0 97.4kb 97.4kb
yellow open auditlog-2023.11.03 dh3_2RF4S2er_RBolGUJsw 1 1 4004 0 1.8mb 1.8mb
yellow open auditlog-2023.11.06 o2E_hK1HT8udnmcFZnaFaA 1 1 16350 0 4.5mb 4.5mb
yellow open auditlog-2023.10.27 zrjdJ9G1QqSD5a9ZqnxM_w 1 1 4 0 50.8kb 50.8kb
yellow open security-auditlog-2023.10.26 5l7ps_ujSCWkCZE2Iz49hw 1 1 2 0 32kb 32kb
yellow open auditlog-2023.10.26 FmIe2hVpSsWg-nBeylrIcg 1 1 16 0 120.6kb 120.6kb
yellow open security-auditlog-2023.10.19 XuSi47fiRDCVD2TO6jXxAQ 1 1 4 0 61kb 61kb

But my question here is where I can see this audit log file in the OpenSearch application on the backend, meaning in which directory.

I am looking at the /var/log/opensearch directory, and at this location I am unable to find any files related to the audit log.

If internal_opensearch is used, the audit logs are stored locally (same cluster) in an index named (security-)auditlog-YYYY.MM.dd. More details here: Audit logs - OpenSearch documentation

If you would like to store your audit logs in files or other different means, please check here: Audit log storage types - OpenSearch documentation

let me know if you have any further questions.

Best,
Mantas

I have used internal_opensearch, for which I am not getting anything, and created the index "'security-auditlog-'YYYY.MM.dd" using the below configuration in opensearch.yml

plugins.security.audit.config.index: "'security-auditlog-'YYYY.MM.dd"

But I am unable to find any log file such as security-auditlog-*

It is stored in indexes, not in files.

You can use log4j to get logs to files: Audit log storage types - OpenSearch documentation
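Added example (not from this thread or from the OpenSearch project): the two configuration fragments that switch the Security plugin's audit sink from the internal_opensearch index to log4j, so that events land in a file under the node's log directory instead of in a security-auditlog-* index. The existing `plugins.security.audit.type: internal_opensearch` line has to be replaced, not kept alongside, and opensearch.yml is only read at startup, so the node must be restarted afterwards. The appender name `audit_file`, the file name `audit.log`, and the staging-directory helper are assumptions chosen for illustration; the three `plugins.security.audit.*` keys and the `${sys:opensearch.logs.base_path}` property are the ones OpenSearch's own log4j2.properties uses.

```shell
#!/bin/sh
# Added example: emit the fragments that move audit logging from the
# internal_opensearch index sink to a log4j file sink. Names and paths
# marked as assumptions are not from the forum thread.
set -eu

# Lines for opensearch.yml. "audit" is the logger the plugin writes to;
# it must match logger.audit.name in log4j2.properties below.
audit_opensearch_yml() {
  cat <<'EOF'
plugins.security.audit.type: log4j
plugins.security.audit.config.log4j.logger_name: audit
plugins.security.audit.config.log4j.level: INFO
EOF
}

# Lines for log4j2.properties (same directory as opensearch.yml).
# opensearch.logs.base_path is the node's log directory, /var/log/opensearch
# on the RPM install, so the file becomes /var/log/opensearch/audit.log,
# rotated daily. additivity=false keeps audit events out of the server log.
# Appender name "audit_file" and file name "audit.log" are assumptions.
audit_log4j2_properties() {
  cat <<'EOF'
appender.audit_file.type = RollingFile
appender.audit_file.name = audit_file
appender.audit_file.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}audit.log
appender.audit_file.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}audit-%d{yyyy-MM-dd}.log.gz
appender.audit_file.layout.type = PatternLayout
appender.audit_file.layout.pattern = %m%n
appender.audit_file.policies.type = Policies
appender.audit_file.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_file.policies.time.interval = 1
appender.audit_file.policies.time.modulate = true

logger.audit.name = audit
logger.audit.level = info
logger.audit.additivity = false
logger.audit.appenderRef.audit_file.ref = audit_file
EOF
}

# Write both fragments into a staging directory for review before merging
# them into the real files under /etc/opensearch (edit, do not overwrite).
# Usage: stage_audit_config /tmp/audit-stage
stage_audit_config() {
  dir="$1"
  mkdir -p "$dir"
  audit_opensearch_yml > "$dir/opensearch.yml.fragment"
  audit_log4j2_properties > "$dir/log4j2.properties.fragment"
  # Sanity check: the logger name must agree between the two fragments,
  # otherwise the plugin logs to a logger nothing is listening to.
  yml_logger=$(sed -n 's/^plugins.security.audit.config.log4j.logger_name: //p' "$dir/opensearch.yml.fragment")
  l4j_logger=$(sed -n 's/^logger.audit.name = //p' "$dir/log4j2.properties.fragment")
  [ "$yml_logger" = "$l4j_logger" ] || { echo "logger name mismatch" >&2; return 1; }
  echo "$dir"
}
```

After merging the fragments and restarting the node, issue a request that should be audited (a search with `log_request_body` enabled, or a failed login) and check `/var/log/opensearch/audit.log`; if the file never appears, the most common causes are a leftover `internal_opensearch` type line, a logger name that does not match between the two files, or a log level above INFO on the `audit` logger.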

Using log4j as well, I am unable to find any audit log file.

I am checking the logs in the /var/log/opensearch directory.

Hi @Ashish,

Could you please share your configuration in opensearch.yml and log4j?

Thanks,
Mantas