Audit Elasticsearch search queries

ECE ECK Elastic Cloud Hosted Self Managed Serverless Unavailable

There is no audit event type specifically dedicated to search queries. Search queries are analyzed and then processed; the processing triggers authorization actions that are audited. However, the original raw query, as submitted by the client, is not accessible downstream when authorization auditing occurs.

Search queries are contained inside HTTP request bodies, however, and some audit events that are generated by the REST layer, on the coordinating node, can be toggled to output the request body to the audit log. Therefore, one must audit request bodies in order to audit search queries.

To make certain audit events include the request body, configure the following setting in Elasticsearch:

xpack.security.audit.logfile.events.emit_request_body: true

You can apply this setting through cluster update settings API, as described in Configure audit logging. Alternatively, you can modify elasticsearch.yml in all nodes and restart for the changes to take effect.

The request body is printed as an escaped JSON string value (RFC 4627) to the request.body event attribute.

Not all events contain the request.body attribute, even when the above setting is toggled. The ones that do are:

• authentication_success
• authentication_failed
• realm_authentication_failed
• tampered_request
• run_as_denied
• anonymous_access_denied

The request.body attribute is printed on the coordinating node only (the node that handles the REST request). Most of these event types are not included by default.

A good practical piece of advice is to add authentication_success to the event types that are audited (add it to the list in the xpack.security.audit.logfile.events.include), as this event type is not audited by default.