How to customize audit logs in OpenSearch to see which queries were run by users?

Content level: Advanced

You can customize audit logs to capture query, user, and IP information.

Question: I can see which users logged in to the OpenSearch dashboard from access logs, but how do I know which queries they ran?

Resolution: Follow these 10 steps so that your audit logs include query, user, and IP information.

  1. Go to OpenSearch Dashboards > in the left hamburger menu, select Security

  2. Select Audit logs > under "General settings", click Configure

  3. Under "Layer settings" > section "REST disabled categories", remove AUTHENTICATED from the list

  4. Under Attribute settings, toggle to enable Request body and Resolve indices

  5. Click Save

  6. Go back to the Audit logs page > under "Compliance settings", click Configure

  7. Toggle to enable Compliance logging under section "Compliance mode"

  8. Toggle to enable Internal config under section "Config"

  9. Disable Read metadata under section "Read"

  10. Click Save


Below is an example of a log entry that contains information on which query was run by which user:

    {
        "audit_cluster_name": "12345678910:test",
        "audit_rest_request_params": {
            "index": "test_audit_test",
            "pretty": "true"
        },
        "audit_node_name": "xxxxxxxxxxxxxxxxxxxxxx",
        "audit_request_initiating_user": " ",
        "audit_rest_request_method": "GET",
        "audit_category": "AUTHENTICATED",
        "audit_request_origin": "REST",
        "audit_request_body": "{\n  \"aggs\": {\n    \"movie titles\": {\n      \"terms\": {\"field\": \"title\"}\n    }\n  },\n  \"size\": 10\n}\n",
        "audit_node_id": "xxxxxxxxxxxxxxxxxxxxxx",
        "audit_request_layer": "REST",
        "audit_rest_request_path": "/test_audit_test/_search",
        "@timestamp": "2024-02-21T12:24:18.142+00:00",
        "audit_request_effective_user_is_admin": false,
        "audit_format_version": 4,
        "audit_request_remote_address": "<user_IP_address>",
        "audit_rest_request_headers": {
            "Transfer-Encoding": [],
            "Connection": [],
            "Host": [
                "localhost "
            ],
            "Content-Type": []
        },
        "audit_request_effective_user": " "
    }


Note: audit_request_body contains the query, audit_request_effective_user contains the username for the user that ran the query, and audit_request_remote_address is the IP that the request originated from.
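
The fields named in the note can be extracted from collected audit entries to build a per-user record of queries and source addresses. The Python below is an added example, not part of the original article or any AWS code; it assumes the audit entries are available as one JSON document per line, and the sample lines (users, addresses, queries) and the `_entry` helper are constructed for illustration.

```python
import json

def _load(text):  # json.loads that returns None instead of raising
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None

def parse_body(raw):
    """Return the request body as a list of JSON documents ([] when absent)."""
    if not raw or not raw.strip():
        return []
    whole = _load(raw)
    if whole is not None:
        return [whole]
    # Not one document: _msearch and _bulk bodies are newline-delimited JSON.
    pairs = [(_load(line), line) for line in raw.splitlines() if line.strip()]
    return [line if doc is None else doc for doc, line in pairs]  # bad lines stay verbatim

def queries_by_user(lines):
    """Group AUTHENTICATED REST audit entries by effective user."""
    report = {}
    for entry in map(_load, lines):
        if not (isinstance(entry, dict) and entry.get("audit_category") == "AUTHENTICATED"
                and entry.get("audit_request_layer") == "REST"):
            continue  # unparseable line, or another category or layer
        user = entry.get("audit_request_effective_user") or "<unknown>"
        report.setdefault(user, []).append({
            "ip": entry.get("audit_request_remote_address"),
            "method": entry.get("audit_rest_request_method"),
            "path": entry.get("audit_rest_request_path"),
            "body": parse_body(entry.get("audit_request_body")),
        })
    return report

def _entry(user, ip, path, **extra):  # hypothetical helper for the constructed sample
    return json.dumps({"audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
                       "audit_rest_request_method": "GET", "audit_rest_request_path": path,
                       "audit_request_effective_user": user,
                       "audit_request_remote_address": ip, **extra})

# Constructed sample lines: users, addresses and queries are made up.
SAMPLE = [
    _entry("alice", "203.0.113.10", "/test_audit_test/_search",
           audit_request_body='{\n  "query": {"match_all": {}},\n  "size": 10\n}\n'),
    _entry("bob", "198.51.100.7", "/_msearch", audit_request_body='{}\n{"size": 0}\n'),
    _entry("alice", "203.0.113.10", "/_cat/indices"),  # request without a body
    _entry("carol", "192.0.2.5", "/_search", audit_category="FAILED_LOGIN"),  # filtered out
    "not an audit line",
]
```

Calling `queries_by_user(SAMPLE)` returns a dictionary keyed by username, each value listing the source IP, method, path, and parsed query body of that user's requests.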


—— Reference ——
Audit logs settings in Amazon OpenSearch Service -

Cathy W (AWS)
published 2 months ago