Opensearch Audit log issue

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Opensearch 2.11.0

Describe the issue:
I am using the Opensearch 2.11.0 version on an RPM machine (Red Hat). After enabling the audit log and configuring the required audit log settings, I have executed a few queries but I am not getting audit logs. Please let me know if I am missing anything.

Configuration:
I did the audit log configuration below for the Opensearch application

  1. In the audit.yml file

• plugins.security.audit.config.disabled_rest_categories: NONE
• plugins.security.audit.config.disabled_transport_categories: NONE
• plugins.security.audit.config.enable_rest: true
• plugins.security.audit.config.enable_transport: true
• plugins.security.audit.config.log_request_body: true
• plugins.security.audit.config.ignore_users: NONE
• plugins.security.audit.config.resolve_bulk_requests: true

  2. In the opensearch.yml file

• plugins.security.audit.type: internal_opensearch
• plugins.security.audit.config.index: "'auditlog-'YYYY.MM.dd"

Reference: Audit logs - OpenSearch documentation

Relevant Logs or Screenshots:

Hi @Ashish

Could you execute the following command in the DevTools and share the response?
GET _cat/indices

Do you use the "• " symbol in your configuration before each line? If yes, please remove it.

I did not use the "• " symbol before each line in the configuration.
I have executed GET _cat/indices through Dev Tools and got the response below.

yellow open books2 sGfYTzrgREiFxNkz8cEouA 1 1 0 0 208b 208b
green open .ql-datasources GaiqzmE6SuKhgvjxVOGF1Q 1 0 0 0 208b 208b
yellow open sample-index2 VBOf9vp6TsmBfEZj_oMZIA 1 1 1 0 4kb 4kb
green open .kibana_92668751_admin_1 NVhYCJDwQ02m-2YKtWR4Wg 1 0 2 0 12.3kb 12.3kb
yellow open sample-index1 HYajzyssT-2GMpJjFLFF0w 1 1 1 0 4kb 4kb
yellow open security-auditlog-2023.10.26 5l7ps_ujSCWkCZE2Iz49hw 1 1 2 0 32kb 32kb
yellow open sample-index rf3aGx4aR0e7NiHqMvF_Lw 1 1 1 0 4.1kb 4.1kb
green open .kibana_1 idf08y6jQyOErFQ0riHRuQ 1 0 0 0 208b 208b
green open .opendistro_security -dWJ5bPWRhy29-75YAhScg 1 0 10 0 76.2kb 76.2kb
yellow open security-auditlog-2023.10.19 XuSi47fiRDCVD2TO6jXxAQ 1 1 4 0 61kb 61kb
green open .tasks J1RO2HtYRpqFXwNcJ_hO8w 1 0 1 0 7kb 7kb
yellow open sample-index-test ZuYEfWzpT5OHdYd1Mb5Mhw 1 1 1 0 4.1kb 4.1kb
green open .plugins-ml-config VCJxfjy7QViCvZuDtE3TBQ 1 0 1 0 3.9kb 3.9kb
green open .opensearch-observability -qMO80lEQVuK_SM23JiioQ 1 0 0 0 208b 208b
yellow open auditlog-2023.10.20 fQhc4-jPQDytQtnS-1GHIw 1 1 1 0 12.7kb 12.7kb
yellow open auditlog-2023.11.02 5WZifgOfS1KBWeybUgat4g 1 1 13 0 97.4kb 97.4kb
yellow open auditlog-2023.11.03 dh3_2RF4S2er_RBolGUJsw 1 1 4004 0 1.8mb 1.8mb
yellow open auditlog-2023.10.27 zrjdJ9G1QqSD5a9ZqnxM_w 1 1 4 0 50.8kb 50.8kb
yellow open auditlog-2023.11.06 o2E_hK1HT8udnmcFZnaFaA 1 1 4026 0 2mb 2mb
yellow open auditlog-2023.10.26 FmIe2hVpSsWg-nBeylrIcg 1 1 16 0 120.6kb 120.6kb
green open opensearch_dashboards_sample_data_ecommerce BfDSPYLeSFigevBxGpAgjA 1 0 0 0 208b 208b

Hi @Ashish

Have you tried looking for audit logs in the auditlog-2023.11.06 index? What kind of audit logs couldn't you find?

I have created an index pattern in OpenSearch Dashboards and used Discover to see the raw data.

Can you please let me know where I can find these audit logs in the OpenSearch application (meaning in which directory of the OpenSearch application; I am looking at the /var/log/opensearch directory but did not find any files related to audit logs)?

Hi @Ashish
According to your configuration, your audit logs are stored in an OpenSearch index. In order to store them in a file, you need to change your audit log storage type as per the documentation below:

Please let me know if you have any questions.
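With the storage type left at internal_opensearch, the way to confirm that audit events are being recorded is to query the auditlog-* indices and look at what landed there, not to look for files. The example below is added here and is not code from the thread or from the OpenSearch project; it assumes the standard audit document field names of the security plugin (audit_category, audit_request_layer, audit_request_effective_user, audit_rest_request_path, audit_transport_request_type) and, so that it runs offline, a constructed search response standing in for what `GET auditlog-*/_search?size=1000&sort=@timestamp:desc` returns from Dev Tools or curl.

```python
import json
from collections import Counter

# Constructed sample response (not real cluster data), shaped like the
# _search reply over auditlog-* indices. Field names follow the security
# plugin's audit documents (assumption). GRANTED_PRIVILEGES and AUTHENTICATED
# appear because disabled_*_categories were set to NONE in the thread.
SAMPLE_RESPONSE = json.dumps({
    "hits": {"total": {"value": 4, "relation": "eq"}, "hits": [
        {"_index": "auditlog-2023.11.06", "_source": {
            "@timestamp": "2023-11-06T09:00:01.000+00:00",
            "audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
            "audit_request_effective_user": "admin",
            "audit_rest_request_method": "GET", "audit_rest_request_path": "/_cat/indices"}},
        {"_index": "auditlog-2023.11.06", "_source": {
            "@timestamp": "2023-11-06T09:00:05.000+00:00",
            "audit_category": "FAILED_LOGIN", "audit_request_layer": "REST",
            "audit_request_effective_user": "analyst",
            "audit_rest_request_method": "GET", "audit_rest_request_path": "/_search"}},
        {"_index": "auditlog-2023.11.06", "_source": {
            "@timestamp": "2023-11-06T09:00:07.000+00:00",
            "audit_category": "MISSING_PRIVILEGES", "audit_request_layer": "TRANSPORT",
            "audit_request_effective_user": "analyst",
            "audit_transport_request_type": "IndicesStatsRequest"}},
        {"_index": "auditlog-2023.11.06", "_source": {
            "@timestamp": "2023-11-06T09:00:09.000+00:00",
            "audit_category": "GRANTED_PRIVILEGES", "audit_request_layer": "TRANSPORT",
            "audit_request_effective_user": "admin",
            "audit_transport_request_type": "SearchRequest"}},
    ]}
})

# Categories a reviewer wants surfaced first: authentication failures and denied actions.
REVIEW_CATEGORIES = {"FAILED_LOGIN", "MISSING_PRIVILEGES", "BAD_HEADERS", "SSL_EXCEPTION"}

def summarize_audit(response_json):
    """Summarize a _search response over auditlog-* indices by category and user."""
    hits = json.loads(response_json)["hits"]["hits"]
    sources = [h["_source"] for h in hits]
    by_category = Counter(s.get("audit_category", "UNKNOWN") for s in sources)
    by_user = Counter(s.get("audit_request_effective_user", "<anonymous>") for s in sources)
    # REST events carry a request path; transport events carry a request type instead.
    flagged = [(s["@timestamp"], s.get("audit_request_effective_user", "<anonymous>"),
                s["audit_category"],
                s.get("audit_rest_request_path") or s.get("audit_transport_request_type", ""))
               for s in sources if s.get("audit_category") in REVIEW_CATEGORIES]
    return {"total": len(hits), "by_category": dict(by_category),
            "by_user": dict(by_user), "flagged": flagged}

if __name__ == "__main__":
    print(json.dumps(summarize_audit(SAMPLE_RESPONSE), indent=2))
```

A zero total against a freshly created audit index (compare with the doc counts shown by `GET _cat/indices`) is the quickest sign that the category or user filters in audit.yml are excluding the events you expect.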