How to visualize only real user logins in OpenSearch Dashboards?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch v 3.3.1; OpenSearch Dashboards 3.3.0; OS SLES 15; browser Google Chrome

Describe the issue:

Hello,

I want to create a visualization in OpenSearch Dashboards (2.19) to show which users log in via the web interface.

I am using the security-auditlog-* index. I tried creating a Data Table / Line Chart visualization, but the number of events is excessive: for example, the admin user shows 200 login points, even though they logged in only once. Background services and REST API calls are also logged, inflating the counts.

Goal:

  • Show only real user logins, ignoring system users and repeated REST API calls.

  • Count actual logins per user over time.

Has anyone solved this before? What is the best way to filter out only real login events in security-auditlog-*?

Thank you!



@Pan-Vad There is no one way to configure this, as audit logging logs all REST and transport communication by design. There are a number of “knobs” you can tweak to be able to make sense out of the dashboards built on the back of the audit logging index, listed in the docs, for example only logging the AUTHENTICATED events. But these can still generate multiple events for the same login. Disabling transport logging is another option, for example.

Could you please tell me how to correctly extract statistics about user logins to OpenSearch for a specific period of time?

For example, I would like to know how many times users accessed the system during the previous month.
Is there a way to retrieve or visualize this information?

@Pan-Vad The audit log doesn’t have session concepts, it’s request-based, not login-based.
Therefore, if you enable the “Authenticated” event, every successful request from the user will be logged as an Authenticated event. Therefore you will not be able to limit the search/visualization to “how many times the user logged in”. But you can see if the user logged in/accessed the system between specific times. For example, if you log in with a test user, create a number of sample indices/aliases and run a search, you will see between 200-300 Authenticated events logged for this user.
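Because the audit log is request-based, one way to approximate "visits" is to collapse each user's REST-layer AUTHENTICATED events into bursts separated by an idle gap. The sketch below is an added example, not code from the thread's participants or the OpenSearch project; the 30-minute gap, the system-user list, the helper names and the sample documents are assumptions, and the field names follow the security audit log document format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_GAP = timedelta(minutes=30)            # assumption: idle time that ends a visit
SYSTEM_USERS = {"kibanaserver", "logstash"}  # assumption: service accounts to ignore

def _ev(ts, user, category="AUTHENTICATED", layer="REST"):
    return {"@timestamp": ts, "audit_request_effective_user": user,
            "audit_category": category, "audit_request_layer": layer}

# Constructed sample documents, shaped like hits exported from security-auditlog-*
SAMPLE_EVENTS = [
    _ev("2025-01-10T09:00:00+00:00", "admin"),
    _ev("2025-01-10T09:00:02+00:00", "admin"),
    _ev("2025-01-10T09:05:00+00:00", "admin"),
    _ev("2025-01-10T14:30:00+00:00", "admin"),         # idle > 30 min: new visit
    _ev("2025-01-10T09:01:00+00:00", "kibanaserver"),  # background service
    _ev("2025-01-10T09:02:00+00:00", "test", layer="TRANSPORT"),
    _ev("2025-01-10T09:03:00+00:00", "test", category="FAILED_LOGIN"),
    _ev("2025-01-10T10:00:00+00:00", "test"),
]

def approximate_visits(events, idle_gap=IDLE_GAP, system_users=SYSTEM_USERS):
    """Return {user: [(visit_start, request_count), ...]} from audit documents."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("audit_category") != "AUTHENTICATED" or ev.get("audit_request_layer") != "REST":
            continue  # keep only successful REST-layer requests
        user = ev.get("audit_request_effective_user")
        if not user or user in system_users:
            continue
        per_user[user].append(datetime.fromisoformat(ev["@timestamp"]))
    visits = {}
    for user, stamps in per_user.items():
        bursts = []  # each burst: [first_seen, last_seen, request_count]
        for ts in sorted(stamps):
            if bursts and ts - bursts[-1][1] <= idle_gap:
                bursts[-1][1] = ts   # same visit: extend it
                bursts[-1][2] += 1
            else:
                bursts.append([ts, ts, 1])
        visits[user] = [(start, count) for start, _, count in bursts]
    return visits
```

The result is a heuristic count of activity bursts, not a count of logins: a user who stays idle longer than the gap inside one browser session is counted twice.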

Thanks, I’ll look for other ways to display visitor statistics.