Audit logs emitting same log thrice with different log levels i.e. info, warn and error

Pratiksha · April 10, 2023, 7:46pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch v2.2.1

Describe the issue:
I am using Opensearch v2.2.1 and have enabled audit logging. I see that every audit log is getting generated 3 times with just different log levels i.e. warn, error and info.
Please suggest on how to fix this and what is the reason that same log is getting generated 3 times.

Configuration:
Added below config in opensearch.yml file:
plugins.security.audit.type: log4j
plugins.security.audit.config.log4j.logger_name: audit

Relevant Logs or Screenshots:
[2023-04-10T18:19:51,181][INFO ][audit ] [opensearch-75f75866b4-5wkm5] {“audit_cluster_name”:“pratiksha-testifd”,“audit_rest_request_params”:{“v”:“”},“audit_node_name”:“opensearch-client-75f75866b4-5wkm5”,“audit_rest_request_method”:“GET”,“audit_category”:“FAILED_LOGIN”,“audit_request_origin”:“REST”,“audit_node_id”:“HU0PL4bMSIi1DC5vyUi2wA”,“audit_request_layer”:“REST”,“audit_rest_request_path”:“/_cat/indices”,“@timestamp”:“2023-04-10T18:19:51.177+00:00”,“audit_request_effective_user_is_admin”:false,“audit_format_version”:4,“audit_request_remote_address”:“ip”,“audit_node_host_address”:“ip”,“audit_rest_request_headers”:{“User-Agent”:[“curl/7.29.0”],“content-length”:[“0”],“Host”:[“ip:9200”],“Accept”:[“/”]},“audit_request_effective_user”:“user1”,“audit_node_host_name”:“ip”}
[2023-04-10T18:19:51,182][WARN ][audit ] [opensearch-75f75866b4-5wkm5] {“audit_cluster_name”:“pratiksha-testifd”,“audit_rest_request_params”:{“v”:“”},“audit_node_name”:“opensearch-client-75f75866b4-5wkm5”,“audit_rest_request_method”:“GET”,“audit_category”:“FAILED_LOGIN”,“audit_request_origin”:“REST”,“audit_node_id”:“HU0PL4bMSIi1DC5vyUi2wA”,“audit_request_layer”:“REST”,“audit_rest_request_path”:“/_cat/indices”,“@timestamp”:“2023-04-10T18:19:51.177+00:00”,“audit_request_effective_user_is_admin”:false,“audit_format_version”:4,“audit_request_remote_address”:“ip”,“audit_node_host_address”:“ip”,“audit_rest_request_headers”:{“User-Agent”:[“curl/7.29.0”],“content-length”:[“0”],“Host”:[“ip:9200”],“Accept”:[“/”]},“audit_request_effective_user”:“user1”,“audit_node_host_name”:“ip”}
[2023-04-10T18:19:51,182][ERROR][audit ] [opensearch-75f75866b4-5wkm5] {“audit_cluster_name”:“pratiksha-testifd”,“audit_rest_request_params”:{“v”:“”},“audit_node_name”:“opensearch-client-75f75866b4-5wkm5”,“audit_rest_request_method”:“GET”,“audit_category”:“FAILED_LOGIN”,“audit_request_origin”:“REST”,“audit_node_id”:“HU0PL4bMSIi1DC5vyUi2wA”,“audit_request_layer”:“REST”,“audit_rest_request_path”:“/_cat/indices”,“@timestamp”:“2023-04-10T18:19:51.177+00:00”,“audit_request_effective_user_is_admin”:false,“audit_format_version”:4,“audit_request_remote_address”:“ip”,“audit_node_host_address”:“ip”,“audit_rest_request_headers”:{“User-Agent”:[“curl/7.29.0”],“content-length”:[“0”],“Host”:[“ip:9200”],“Accept”:[“/”]},“audit_request_effective_user”:“user1”,“audit_node_host_name”:“ip”}

Gsmitt · April 11, 2023, 12:57am

Hey @Pratiksha

Not sure about all your configuration made in the opensearch.yml file, but here is some key configuration points you may need to look for.

github.com

opensearch-project/security/blob/main/config/opensearch.yml.example

############## OpenSearch Security configuration ###############

###########################################################
# Add the following settings to your standard opensearch.yml
# alongside with the OpenSearch Security TLS settings.
# Settings must always be the same on all nodes in the cluster.

############## Common configuration settings ##############

# Specify a list of DNs which denote the other nodes in the cluster.
# This settings support wildcards and regular expressions
# The list of DNs are also read from security index **in addition** to the yml configuration if
# plugins.security.nodes_dn_dynamic_config_enabled is true.
# NOTE: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set.
plugins.security.nodes_dn:
  - "CN=*.example.com, OU=SSL, O=Test, L=Test, C=DE"
  - "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE"

# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to
# manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured

This file has been truncated. show original

# Ignore users, e.g. do not log audit requests from that users (default: no ignored users)
#plugins.security.audit.ignore_users: ['kibanaserver','some*user','/also.*regex possible/']"

# Destination of the auditlog events
plugins.security.audit.type: internal_opensearch
#plugins.security.audit.type: external_opensearch
#plugins.security.audit.type: debug
#plugins.security.audit.type: webhook

Just an Idea

Pratiksha · April 11, 2023, 2:55am

Hi @Gsmitt
Yes, I have added all other config also in opensearch.yml and I shared only the config which I added for audit logging to use log4j as the option.

Gsmitt · April 11, 2023, 2:56am

Hey,

Out of curiosity where did you see that configuration for log4j option, Im unaware of that since the sample above does not show this.

Pratiksha · April 11, 2023, 3:00am

Audit log storage types - OpenSearch documentation I have referred it from the documentation.

Gsmitt · April 11, 2023, 3:02am

Sorry I missed it, at the bottom.

Topic		Replies	Views
Opensearch audit to file and index Security configure	2	483	January 27, 2023
Log4j configuration for audit logging OpenSearch troubleshoot , configure	4	1307	August 29, 2023
Opensearch audit to file Security configure	1	339	April 14, 2023
Audit log not getting OpenSearch	8	691	November 17, 2023
Plugins logs level OpenSearch configure , feature-request	0	326	February 12, 2023

Audit logs emitting same log thrice with different log levels i.e. info, warn and error

Related topics