Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
opensearch -2.4
Describe the issue:
hi, we wanted to know if there is any feature in audit logs that we can see which user ran the query.
also is there any feature to see the query content?
(we have a problem with users running heavy queries and we want to investigate)
I saw that there is an option to see which user did the request
Relevant Logs or Screenshots:
@taltsafrir if the credentials used in the query are successfully authenticated/authorized, audit_request_effective_user should indeed give you the username that triggered the query
To control whether the request body is present in the audit logs you can change the value of:
plugins.security.audit.log_request_body: false
Also, during a short period (during your investigation) you could consider not excluding any of the Audit Log categories:
plugins.security.audit.config.disabled_rest_categories: NONE
thanks for the replay!
I already did this setup but I still cant see the content of the query
any ideas why?
what I meant was if we can see the content of the query that im running in order to see heavy queries
we tried slow logs but the logs are only in the server and not part of the security index
