Version: SG FLX
Compliance

Search Guard configuration change tracking

Search Guard is able to monitor read- and write access to the Search Guard configuration index. This makes it possible to track which user has accessed the configuration information, and get notified about any changes immediately.

Enabling and disabling configuration change tracking

The elasticsearch configuration monitoring can be switched on an off by the following entry in elasticsearch.yml:

Name Description
searchguard.compliance.history.internal_config_enabled boolean, whether to enable or disable Search Guard configuration monitoring. Default: true

Audit log category

The Elasticsearch configuration events are logged in the COMPLIANCE_INTERNAL_CONFIG_READ and COMPLIANCE_INTERNAL_CONFIG_WRITE category.

Read Field reference

Format, timestamp and category attributes

Name Description
audit_format_version Audit log message format version, current: 3
audit_utc_timestamp UTC timestamp when the event was generated
audit_category Audit log category, COMPLIANCE_EXTERNAL_CONFIG for all events

Cluster and node attributes

Name Description
audit_cluster_name Name of the cluster this event was emitted on.
audit_node_id The ID of the node where the event was generated.
audit_node_name The name of the node where the event was generated.
audit_node_elasticsearch_version The Elasticsearch version of the node where the event was generated.
audit_node_host_address The host address of the node where the event was generated.
audit_node_host_name The host address of the node where the event was generated.

Configuration attributes

Name Description
audit_trace_indices The index name used to read the config. May contain aliases or wildvards.
audit_trace_resolve_indices The index name used to read the config. May contain aliases or wildcards.
audit_trace_doc_id The configuration that has been read, one of internalusers, roles, rolesmapping, actiongroups, config
audit_request_body The configuration that has been read, as JSON string

Logged configuration

The audit_request_body contains the exact configuration settings the user has seen, for example:

{  
  "SGS_ALL_ACCESS":{  
     "readonly":true,
     "cluster_permissions":[  
        "UNLIMITED"
     ],
     "index_permissions": [
        "index_patterns": ["humanresources", "finance"],
        "allowed_actions": ["READ"]
        "fls": ["FirstName", "LastName"]
     ],
     "tenant_permissions": [
        ...
     ]
}

Since the JSON object is stored as String, the quotation marks are escaped in the original output. Depending on your JSON parser you might need to remove them first.

Write Field reference

Format, timestamp and category attributes

Name Description
audit_format_version Audit log message format version, current: 3
audit_utc_timestamp UTC timestamp when the event was generated
audit_category Audit log category, COMPLIANCE_EXTERNAL_CONFIG for all events

Cluster and node attributes

Name Description
audit_cluster_name Name of the cluster this event was emitted on.
audit_node_id The ID of the node where the event was generated.
audit_node_name The name of the node where the event was generated.
audit_node_elasticsearch_version The Elasticsearch version of the node where the event was generated.
audit_node_host_address The host address of the node where the event was generated.
audit_node_host_name The host address of the node where the event was generated.

Request attributes

Name Description
audit_request_origin The layer from which the event originated. One if TRANSPORT or REST.
audit_request_remote_address The address where the request came from.

User attributes

Name Description
audit_request_effective_user The username of the user that has changed the configuration

Index attributes

Name Description
audit_trace_indices Array, the index name(s) as contained in the request. Can contain wildcards, date patterns and aliases.
audit_trace_resolved_indices Array, the resolved, concrete index name(s) affected by this request. Only logged if resolve_indices is true. Optional.

Document and fields attributes

Name Description
audit_compliance_operation The operation on the configuration, can be one of CREATE, UPDATE or DELETE.
audit_trace_doc_id Name of the configuration that has changed, one of internalusers, roles, rolesmapping, actiongroups, config


Not what you were looking for? Try the search.