Audit logging enabled but not able to see index level entries

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.13.0

Describe the issue:
I have enabled audit logging on OpenSearch and I can see my audit index created with the name “audit-logs”.
I have performed some CRUD operations on one of my cluster indices. I don’t see entries for those operations in the audit index.
As far as I know, Elasticsearch has the capability to show each entry related to CRUD operations that we do on any index in the audit log index.
Could you please help me track index operation entries in the audit index?

Configuration:
Settings that I’ve added in opensearch.yml:

plugins.security.audit.type: internal_opensearch
plugins.security.audit.config.log_request_body: true
plugins.security.audit.config.disabled_rest_categories: NONE
plugins.security.audit.config.disabled_transport_categories: NONE
plugins.security.audit.config.enable_rest: true
plugins.security.audit.config.enable_transport: true
plugins.security.audit.config.index: "audit-logs"
plugins.security.audit.config.ignore_users: "kibanaserver, logstash"
plugins.security.audit.config.resolve_indices: true
plugins.security.audit.config.resolve_bulk_requests: true

Relevant Logs or Screenshots:

Hi @mangesh.mathe.9

What user did you use? Could you send an example of your CRUD operation?

Could you please also send a screenshot of your audit log configurations in the OpenSearch Dashboards? To do this, click on Security → Audit logs and scroll to General settings.

I have used the admin user and performed CRUD operations like inserting, updating and deleting the index document.

CRUD operations that I performed:
*/
POST opensearch_dashboards_sample_data_flights/_doc/
{
  "FlightNum": "AB123",
  "Dest": "SFO",
  "Origin": "JFK",
  "AvgTicketPrice": 500,
  "timestamp": "2024-05-13T12:00:00Z"
}
POST opensearch_dashboards_sample_data_flights/_update/gEe2hY8BigLP3L3Hf14W
{
  "doc": {
    "AvgTicketPrice": 550
  }
}
GET opensearch_dashboards_sample_data_flights/_search

DELETE opensearch_dashboards_sample_data_flights/_doc/gEe2hY8BigLP3L3Hf14W
/*

Hi @mangesh.mathe.9 ,

Disabled REST categories are different in the config file and in the UI. Did you restart your cluster after making changes to the opensearch.yml file?

Please also check if the audit configuration in the opensearch.yml file is the same on every node in the cluster.

Yes, I have restarted the opensearch.service and opensearch-dashboard.service.

We have implemented OpenSearch with only a one-node cluster. We are exploring the capabilities of OpenSearch.

Is there anything that you want to add here to resolve my audit log issue?

How did you install OpenSearch?

To fix it, please try removing GRANTED_PRIVILEGES in the UI Settings:

Thank you so much. I have removed this setting from the UI and restarted OpenSearch, which solved this issue. I can see my CRUD operations now in the audit log index.
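
Added example (not part of the thread and not OpenSearch project code): the mismatch diagnosed above, between the audit settings in opensearch.yml and the ones shown in the Dashboards UI, can be checked mechanically. Both inputs are constructed samples, and the runtime JSON shape is an assumption modelled on the Security plugin's audit configuration API (`GET _plugins/_security/api/audit`).

```python
# Compare audit settings written in opensearch.yml with the runtime audit
# configuration (the one shown under Security -> Audit logs in Dashboards).
YML_PREFIX = "plugins.security.audit.config."

# Constructed sample: flat settings as written in the thread's opensearch.yml.
YML_SETTINGS = {
    "plugins.security.audit.config.disabled_rest_categories": "NONE",
    "plugins.security.audit.config.disabled_transport_categories": "NONE",
    "plugins.security.audit.config.enable_rest": True,
    "plugins.security.audit.config.enable_transport": True,
    "plugins.security.audit.config.resolve_bulk_requests": True,
}

# Constructed sample: runtime config, shaped like the JSON returned by
# GET _plugins/_security/api/audit (shape assumed; verify on your version).
RUNTIME = {"config": {"enabled": True, "audit": {
    "disabled_rest_categories": ["AUTHENTICATED", "GRANTED_PRIVILEGES"],
    "disabled_transport_categories": ["AUTHENTICATED", "GRANTED_PRIVILEGES"],
    "enable_rest": True,
    "enable_transport": True,
    "resolve_bulk_requests": False,
}}}


def normalize(value):
    """Booleans pass through; 'NONE'/'' -> empty set; 'a, b' or [a, b] -> {'A', 'B'}."""
    if isinstance(value, bool):
        return value
    items = value.split(",") if isinstance(value, str) else list(value)
    cleaned = {str(i).strip().upper() for i in items if str(i).strip()}
    return frozenset(cleaned - {"NONE"})


def audit_drift(yml_settings, runtime):
    """Return {setting: (yml_value, runtime_value)} for every setting that differs."""
    live = runtime["config"]["audit"]
    drift = {}
    for key, yml_value in yml_settings.items():
        if not key.startswith(YML_PREFIX):
            continue
        name = key[len(YML_PREFIX):]
        if name in live and normalize(yml_value) != normalize(live[name]):
            drift[name] = (normalize(yml_value), normalize(live[name]))
    return drift


if __name__ == "__main__":
    for name, (wanted, actual) in sorted(audit_drift(YML_SETTINGS, RUNTIME).items()):
        print(f"{name}: opensearch.yml={wanted!r} runtime={actual!r}")
```

A category such as GRANTED_PRIVILEGES appearing only on the runtime side is the kind of difference the thread resolved by editing the UI settings.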