Is there some ability in OpenSearch Dashboards for me to log access events to Dashboards objects, such as Saved Objects, and associate that access event with a username? The ultimate goal is to track which users execute Saved Searches or Visualizations, so I can correlate high-load situations with the actual origin query coming from Dashboards.
I have audit logging enabled in the OpenSearch nodes themselves, but that is not providing me Dashboards-level access information. (Who accessed which Saved Object and when…).
It appears this was a feature in Kibana 7.10: Audit logs | Kibana Guide [7.10] | Elastic
…but try as I might, I’ve not been able to find any documented equivalent setting for OpenSearch Dashboards.
I’ve eventually answered my own question.
The default is to omit GRANTED_PRIVILEGES from the security-auditlog.
The documentation references a deprecated, non-functional way of changing the list of excluded categories.
^ This DOES NOT work. It is deprecated.
This is now handled via the security plugin configuration, here: https://github.com/opensearch-project/security/blob/main/securityconfig/audit.yml
Note you want to change disabled_rest_categories and/or disabled_transport_categories in audit.yml. If you remove GRANTED_PRIVILEGES from the list of disabled categories, you’ll get something akin to full activity logging in your security-auditlog index.
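Once GRANTED_PRIVILEGES events are being written, the correlation the question asks for (which user was reading which index during a high-load window) can be done over documents pulled from the security-auditlog index. The following is an added example, not part of the original posts or the project's code; the field names follow the security plugin's audit log fields as an assumption to check against your own index, and the sample documents, user names and index names are constructed.

```python
from collections import Counter
from datetime import datetime


def _doc(ts, category, user, privilege=None, indices=None):
    """Build a constructed document shaped like a security-auditlog entry."""
    return {"@timestamp": ts, "audit_category": category,
            "audit_request_effective_user": user,
            "audit_request_privilege": privilege,
            "audit_trace_resolved_indices": indices}


# Constructed sample data, not real audit output.
SAMPLE_EVENTS = [
    _doc("2023-05-01T12:00:05+00:00", "GRANTED_PRIVILEGES", "alice",
         "indices:data/read/search", ["logs-2023.05.01"]),
    _doc("2023-05-01T12:01:10+00:00", "GRANTED_PRIVILEGES", "alice",
         "indices:data/read/search", ["logs-2023.05.01"]),
    _doc("2023-05-01T12:01:30+00:00", "GRANTED_PRIVILEGES", "alice",
         "indices:data/read/get", [".kibana_1"]),
    _doc("2023-05-01T12:02:00+00:00", "GRANTED_PRIVILEGES", "bob",
         "indices:data/read/search", ["metrics-2023.05"]),
    _doc("2023-05-01T12:02:30+00:00", "GRANTED_PRIVILEGES", "bob",
         "indices:data/write/index", ["metrics-2023.05"]),
    _doc("2023-05-01T12:03:00+00:00", "FAILED_LOGIN", "carol"),
    _doc("2023-05-01T12:30:00+00:00", "GRANTED_PRIVILEGES", "alice",
         "indices:data/read/search", ["logs-2023.05.01"]),
]


def top_readers(events, start, end, privilege_prefix="indices:data/read/"):
    """Count granted read requests per (user, index) inside [start, end)."""
    counts = Counter()
    for ev in events:
        if ev.get("audit_category") != "GRANTED_PRIVILEGES":
            continue  # only successful, authorised requests
        if not (ev.get("audit_request_privilege") or "").startswith(privilege_prefix):
            continue  # skip writes, admin actions, etc.
        ts = datetime.fromisoformat(ev["@timestamp"])
        if not (start <= ts < end):
            continue  # outside the high-load window
        user = ev.get("audit_request_effective_user") or "<unknown>"
        for index in ev.get("audit_trace_resolved_indices") or ["<unresolved>"]:
            counts[(user, index)] += 1
    return counts.most_common()  # busiest (user, index) pairs first
```

Feed it the hits from a time-bounded query against the audit index and the first entries are the users to look at for that load spike.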