Where to see audit log in OpenSearch Dashboards

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch - 2.11.0
OpenSearch Dashboards - 2.11.0

Describe the issue:
I have enabled the audit log through OpenSearch Dashboards; after that I executed a few queries through Dev Tools. Please let me know where I can see audit logs in OpenSearch Dashboards.

Configuration:

  1. In audit.yml file

• plugins.security.audit.config.disabled_rest_categories: NONE
• plugins.security.audit.config.disabled_transport_categories: NONE
• plugins.security.audit.config.enable_rest: true
• plugins.security.audit.config.enable_transport: true
• plugins.security.audit.config.log_request_body: true
• plugins.security.audit.config.ignore_users: NONE
• plugins.security.audit.config.resolve_bulk_requests: true

  2. In opensearch.yml file

• plugins.security.audit.type: internal_opensearch
• plugins.security.audit.config.index: "'auditlog-'YYYY.MM.dd"

Relevant Logs or Screenshots:

@Ashish The audit logs should appear in the security-auditlog-<date> index.


I checked security-auditlog-*. I did not get any logs. Please see the attached file.

@Ashish I’ve just noticed that you’ve changed the index name for the audit logs.
According to your output from your other case, the below indices contain the audit logs.

yellow open auditlog-2023.10.20 fQhc4-jPQDytQtnS-1GHIw 1 1 1 0 12.7kb 12.7kb
yellow open auditlog-2023.11.02 5WZifgOfS1KBWeybUgat4g 1 1 13 0 97.4kb 97.4kb
yellow open auditlog-2023.11.03 dh3_2RF4S2er_RBolGUJsw 1 1 4004 0 1.8mb 1.8mb
yellow open auditlog-2023.10.27 zrjdJ9G1QqSD5a9ZqnxM_w 1 1 4 0 50.8kb 50.8kb
yellow open auditlog-2023.11.06 o2E_hK1HT8udnmcFZnaFaA 1 1 4026 0 2mb 2mb
yellow open auditlog-2023.10.26 FmIe2hVpSsWg-nBeylrIcg 1 1 16 0 120.6kb 120.6kb

OK, but how am I able to see those logs? Please let me know the location.

@Ashish You can create an index pattern in the OpenSearch Dashboards and use Discovery to see the raw data.
Also, you can use Dashboards and Visualisations to aggregate the data from audit* indices.

Yes, I am able to see the audit log through Discovery, but I am unable to see the request body in the audit logs for the APIs I have executed, even though I have enabled the request body.

I have executed the API below:

PUT _ingest/pipeline/testing-audit
{
  "description": "This pipeline processes student data",
  "processors": [
    {
      "set": {
        "description": "Sets the graduation year to 2023",
        "field": "grad_year",
        "value": 2023
      }
    },
    {
      "set": {
        "description": "Sets graduated to true",
        "field": "graduated",
        "value": true
      }
    },
    {
      "uppercase": {
        "field": "name"
      }
    }
  ]
}

For the above API I got the audit log below:

{
  "_index": "my-application_audit-2023.11.06",
  "_id": "D4HfpIsBrdWEGs1p0Fy6",
  "_version": 1,
  "_score": null,
  "_source": {
    "audit_cluster_name": "my-application",
    "audit_rest_request_params": {
      "pretty": "true"
    },
    "audit_node_name": "node-1",
    "audit_request_initiating_user": "admin",
    "audit_rest_request_method": "PUT",
    "audit_category": "AUTHENTICATED",
    "audit_request_origin": "REST",
    "audit_node_id": "q104YQZ0Rp26UlUHvLwcmA",
    "audit_request_layer": "REST",
    "audit_rest_request_path": "/_ingest/pipeline/testing-audit",
    "@timestamp": "2023-11-06T13:43:33.305+00:00",
    "audit_request_effective_user_is_admin": false,
    "audit_format_version": 4,
    "audit_request_remote_address": "13.232.64.37",
    "audit_node_host_address": "172.31.34.60",
    "audit_rest_request_headers": {
      "content-length": [
        "455"
      ],
      "x-forwarded-proto": [
        "http"
      ],
      "Connection": [
        "keep-alive"
      ],
      "x-forwarded-port": [
        "22969"
      ],
      "x-opaque-id": [
        "70365ea9-956c-44b5-bc6b-000ff1f7385d"
      ],
      "Host": [
        "3.111.186.221:9500"
      ],
      "securitytenant": [
        "user"
      ],
      "x-forwarded-for": [
        "103.214.60.202"
      ],
      "authorization": [
        "Basic YWRtaW46YWRtaW4="
      ],
      "x-forwarded-host": [
        "13.232.64.37:5601"
      ],
      "x-opensearch-product-origin": [
        "opensearch-dashboards"
      ],
      "content-type": [
        "application/json"
      ],
      "user-agent": [
        "opensearch-js/2.3.1 (linux 5.14.0-284.30.1.el9_2.x86_64-x64; Node.js v18.16.0)"
      ]
    },
    "audit_request_effective_user": "admin",
    "audit_node_host_name": "172.31.34.60"
  },
  "fields": {
    "@timestamp": [
      "2023-11-06T13:43:33.305Z"
    ]
  },
  "highlight": {
    "audit_rest_request_path": [
      "/@opensearch-dashboards-highlighted-field@_ingest@/opensearch-dashboards-highlighted-field@/@opensearch-dashboards-highlighted-field@pipeline@/opensearch-dashboards-highlighted-field@/@opensearch-dashboards-highlighted-field@testing@/opensearch-dashboards-highlighted-field@-@opensearch-dashboards-highlighted-field@audit@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1699278213305
  ]
}
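As an added example (not code from the thread or from the OpenSearch project), the following Python script reads audit-log documents in the format shown above, lists the requests per effective user, and flags two things a reviewer of these indices would want to know: REST events whose content-length is non-zero but which store no audit_request_body (the missing-body symptom described in this post), and sensitive headers such as authorization that were persisted into the audit index. The field name audit_request_body is assumed from the security plugin's audit format rather than taken from this page, and the sample documents are constructed, not real events.

```python
from collections import defaultdict

# Constructed sample events modelled on the audit_format_version 4 document in
# the post above; values are made up, not real log data.
SAMPLE_AUDIT_DOCS = [
    {"audit_request_layer": "REST", "audit_request_effective_user": "admin",
     "audit_rest_request_method": "PUT",
     "audit_rest_request_path": "/_ingest/pipeline/testing-audit",
     "audit_rest_request_headers": {"content-length": ["455"],
                                    "authorization": ["Basic <redacted>"]}},
    {"audit_request_layer": "REST", "audit_request_effective_user": "analyst",
     "audit_rest_request_method": "PUT",
     "audit_rest_request_path": "/_ingest/pipeline/other",
     "audit_rest_request_headers": {"content-length": ["120"]},
     "audit_request_body": '{"description": "sample"}'},
    {"audit_request_layer": "REST", "audit_request_effective_user": "analyst",
     "audit_rest_request_method": "GET", "audit_rest_request_path": "/_cat/indices",
     "audit_rest_request_headers": {"content-length": ["0"]}},
]
# Header names that should never be persisted into an audit index.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization"}

def content_length(doc):
    headers = doc.get("audit_rest_request_headers", {})
    return int(headers.get("content-length", ["0"])[0])

def body_missing(doc):
    """REST event that carried a payload but stores no audit_request_body:
    the symptom in the thread (a 455-byte PUT logged without its body)."""
    return (doc.get("audit_request_layer") == "REST"
            and content_length(doc) > 0
            and "audit_request_body" not in doc)

def leaked_headers(doc):
    """Sensitive header names that were written into the audit document."""
    headers = doc.get("audit_rest_request_headers", {})
    return sorted(h for h in headers if h.lower() in SENSITIVE_HEADERS)

def review_audit_docs(docs):
    """Per-user request list plus the two findings a reviewer looks for."""
    report = {"requests": defaultdict(list), "missing_body": [], "leaked": {}}
    for doc in docs:
        key = f"{doc['audit_rest_request_method']} {doc['audit_rest_request_path']}"
        report["requests"][doc["audit_request_effective_user"]].append(key)
        if body_missing(doc):
            report["missing_body"].append(key)
        if leaked := leaked_headers(doc):
            report["leaked"][key] = leaked
    return report
```

In practice the documents would be the hits of a search against the auditlog-* (or security-auditlog-*) indices rather than the constructed list.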

@Ashish I don’t see that either. Did that ever work for you?