Version: SG FLX
Compliance
Search Guard configuration change tracking
Search Guard is able to monitor read and write access to the Search Guard configuration index. This makes it possible to track which user has accessed the configuration, and to get notified immediately about any change to it.
Enabling and disabling configuration change tracking
Search Guard configuration monitoring can be switched on and off by the following entry in elasticsearch.yml:
Name | Description |
---|---|
searchguard.compliance.history.internal_config_enabled | boolean, whether to enable or disable Search Guard configuration monitoring. Default: true |
Audit log category
Configuration read events are logged in the COMPLIANCE_INTERNAL_CONFIG_READ category, configuration write events in the COMPLIANCE_INTERNAL_CONFIG_WRITE category.
Read field reference
Format, timestamp and category attributes
Name | Description |
---|---|
audit_format_version | Audit log message format version, current: 3 |
audit_utc_timestamp | UTC timestamp when the event was generated |
audit_category | Audit log category, COMPLIANCE_INTERNAL_CONFIG_READ for all read events |
Cluster and node attributes
Name | Description |
---|---|
audit_cluster_name | Name of the cluster this event was emitted on. |
audit_node_id | The ID of the node where the event was generated. |
audit_node_name | The name of the node where the event was generated. |
audit_node_elasticsearch_version | The Elasticsearch version of the node where the event was generated. |
audit_node_host_address | The host address of the node where the event was generated. |
audit_node_host_name | The host name of the node where the event was generated. |
Configuration attributes
Name | Description |
---|---|
audit_trace_indices | Array, the index name(s) used to read the configuration, as contained in the request. May contain aliases or wildcards. |
audit_trace_resolved_indices | Array, the resolved, concrete index name(s) the configuration was read from. Only logged if searchguard.audit.resolve_indices is true. Optional. |
audit_trace_doc_id | The configuration that has been read, one of internalusers, roles, rolesmapping, actiongroups, config |
audit_request_body | The configuration that has been read, as a JSON string |
Logged configuration
The audit_request_body contains the exact configuration settings the user has seen, for example:
```json
{
  "SGS_ALL_ACCESS": {
    "readonly": true,
    "cluster_permissions": [
      "UNLIMITED"
    ],
    "index_permissions": [
      {
        "index_patterns": ["humanresources", "finance"],
        "allowed_actions": ["READ"],
        "fls": ["FirstName", "LastName"]
      }
    ],
    "tenant_permissions": [
      ...
    ]
  }
}
```
The configuration object is embedded in the audit message as a JSON string, so in the raw output its quotation marks are escaped (\"). Depending on your JSON parser you may need to decode the audit_request_body value a second time, or unescape it first, before you can inspect the configuration it contains.
Write field reference
Format, timestamp and category attributes
Name | Description |
---|---|
audit_format_version | Audit log message format version, current: 3 |
audit_utc_timestamp | UTC timestamp when the event was generated |
audit_category | Audit log category, COMPLIANCE_INTERNAL_CONFIG_WRITE for all write events |
Cluster and node attributes
Name | Description |
---|---|
audit_cluster_name | Name of the cluster this event was emitted on. |
audit_node_id | The ID of the node where the event was generated. |
audit_node_name | The name of the node where the event was generated. |
audit_node_elasticsearch_version | The Elasticsearch version of the node where the event was generated. |
audit_node_host_address | The host address of the node where the event was generated. |
audit_node_host_name | The host name of the node where the event was generated. |
Request attributes
Name | Description |
---|---|
audit_request_origin | The layer from which the event originated. One of TRANSPORT or REST. |
audit_request_remote_address | The address where the request came from. |
User attributes
Name | Description |
---|---|
audit_request_effective_user | The username of the user that has changed the configuration |
Index attributes
Name | Description |
---|---|
audit_trace_indices | Array, the index name(s) as contained in the request. Can contain wildcards, date patterns and aliases. |
audit_trace_resolved_indices | Array, the resolved, concrete index name(s) affected by this request. Only logged if searchguard.audit.resolve_indices is true. Optional. |
Document and fields attributes
Name | Description |
---|---|
audit_compliance_operation | The operation on the configuration, one of CREATE, UPDATE or DELETE. |
audit_trace_doc_id | Name of the configuration that has changed, one of internalusers, roles, rolesmapping, actiongroups, config |
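The following script is an added example, not part of the Search Guard documentation or code base. It shows how a consumer of the audit log would handle both event types described above: for COMPLIANCE_INTERNAL_CONFIG_READ events it decodes the audit_request_body a second time (the body is a JSON string, so its quotes arrive escaped) and reports which roles in a read of the roles document carry a given cluster permission; for COMPLIANCE_INTERNAL_CONFIG_WRITE events it flags writes to privilege-bearing configuration documents by accounts outside an allowlist, and every DELETE. The sample events are constructed here from the field reference on this page and are not real Search Guard output; the allowlist, the set of documents treated as privilege-bearing, and all function names are assumptions of this example.

```python
import json
from typing import Iterable

READ_CAT = "COMPLIANCE_INTERNAL_CONFIG_READ"
WRITE_CAT = "COMPLIANCE_INTERNAL_CONFIG_WRITE"
# Assumption of this example: writes to these documents directly grant or
# revoke privileges, so an unexpected writer deserves an alert.
PRIVILEGE_DOCS = {"roles", "rolesmapping", "actiongroups", "internalusers", "config"}

# Constructed sample events (not real Search Guard output). Serialising the
# read body with json.dumps and then the whole event again reproduces the
# escaped quotation marks seen in the raw audit log.
SAMPLE_EVENTS = [
    json.dumps({
        "audit_format_version": 3,
        "audit_utc_timestamp": "2024-01-01T10:00:00.000+00:00",
        "audit_category": READ_CAT,
        "audit_cluster_name": "demo",
        "audit_node_id": "n1",
        "audit_trace_indices": ["searchguard"],
        "audit_trace_doc_id": "roles",
        "audit_request_body": json.dumps({
            "SGS_ALL_ACCESS": {"readonly": True, "cluster_permissions": ["UNLIMITED"]},
            "hr_reader": {"cluster_permissions": ["SGS_CLUSTER_COMPOSITE_OPS_RO"]},
        }),
    }),
    json.dumps({
        "audit_format_version": 3,
        "audit_utc_timestamp": "2024-01-01T10:01:00.000+00:00",
        "audit_category": WRITE_CAT,
        "audit_request_origin": "REST",
        "audit_request_effective_user": "admin",
        "audit_compliance_operation": "UPDATE",
        "audit_trace_doc_id": "roles",
    }),
    json.dumps({
        "audit_format_version": 3,
        "audit_utc_timestamp": "2024-01-01T10:02:00.000+00:00",
        "audit_category": WRITE_CAT,
        "audit_request_origin": "TRANSPORT",
        "audit_request_effective_user": "jdoe",
        "audit_compliance_operation": "UPDATE",
        "audit_trace_doc_id": "rolesmapping",
    }),
    json.dumps({
        "audit_format_version": 3,
        "audit_utc_timestamp": "2024-01-01T10:03:00.000+00:00",
        "audit_category": WRITE_CAT,
        "audit_request_origin": "REST",
        "audit_request_effective_user": "admin",
        "audit_compliance_operation": "DELETE",
        "audit_trace_doc_id": "internalusers",
    }),
]


def parse_event(line: str) -> dict:
    """Parse one audit log line. A read event's audit_request_body is a JSON
    document serialised as a string, so it is decoded a second time into the
    'config' key; an undecodable body is recorded as None rather than dropped."""
    event = json.loads(line)
    body = event.get("audit_request_body")
    if isinstance(body, str):
        try:
            event["config"] = json.loads(body)
        except json.JSONDecodeError:
            event["config"] = None
    return event


def roles_with_cluster_permission(event: dict, permission: str = "UNLIMITED") -> list:
    """For a read of the 'roles' document, return the names of the roles whose
    cluster_permissions contain the given permission (what the reader saw)."""
    if event.get("audit_category") != READ_CAT or event.get("audit_trace_doc_id") != "roles":
        return []
    config = event.get("config") or {}
    return sorted(
        name for name, role in config.items()
        if isinstance(role, dict) and permission in role.get("cluster_permissions", [])
    )


def suspicious_config_writes(lines: Iterable[str], allowed_users: set) -> list:
    """Return (timestamp, user, operation, doc_id, origin) for every write to a
    privilege-bearing document by a user outside the allowlist, and for every
    DELETE regardless of who issued it."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("audit_category") != WRITE_CAT:
            continue
        user = ev.get("audit_request_effective_user", "<unknown>")
        op = ev.get("audit_compliance_operation")
        doc = ev.get("audit_trace_doc_id")
        if doc in PRIVILEGE_DOCS and (user not in allowed_users or op == "DELETE"):
            findings.append((ev.get("audit_utc_timestamp"), user, op, doc, ev.get("audit_request_origin")))
    return findings


if __name__ == "__main__":
    print(roles_with_cluster_permission(parse_event(SAMPLE_EVENTS[0])))
    for finding in suspicious_config_writes(SAMPLE_EVENTS, {"admin"}):
        print(*finding)
```

Run against the constructed sample, the read event yields SGS_ALL_ACCESS as the only role with UNLIMITED, and the write scan reports the rolesmapping update by jdoe (not on the allowlist) and the internalusers DELETE by admin, while admin's roles update passes. In a real deployment the lines would come from the configured audit log sink rather than an inline list, and the allowlist would be the set of accounts permitted to use sgctl or the REST API for configuration changes.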