You can customize audit logs to capture query, user, and IP information.
Question: I can see which users logged into OpenSearch Dashboards from the access logs, but how do I know which queries they ran?
Resolution: Follow the 10 steps below so that your audit logs include query, user and IP information.
- Go to OpenSearch Dashboards > in the left hamburger menu, select Security
- Select Audit logs > under "General settings", click Configure
- Under "Layer settings" > section "REST disabled categories", remove AUTHENTICATED from the list
- Under "Attribute settings", toggle to enable Request body and Resolve indices
- Click Save
- Go back to the Audit logs page > under "Compliance settings", click Configure
- Toggle to enable Compliance logging under section "Compliance mode"
- Toggle to enable Internal config under section "Config"
- Disable Read metadata under section "Read"
- Click Save
Below is an example of a log entry that contains information on what query was run by which user:
{
  "audit_cluster_name": "12345678910:test",
  "audit_rest_request_params": {
    "index": "test_audit_test",
    "pretty": "true"
  },
  "audit_node_name": "xxxxxxxxxxxxxxxxxxxxxx",
  "audit_request_initiating_user": "test@amazon.com",
  "audit_rest_request_method": "GET",
  "audit_category": "AUTHENTICATED",
  "audit_request_origin": "REST",
  "audit_request_body": "{\n \"aggs\": {\n \"movie titles\": {\n \"terms\": {\"field\": \"title\"}\n }\n },\n \"size\": 10\n}\n",
  "audit_node_id": "xxxxxxxxxxxxxxxxxxxxxx",
  "audit_request_layer": "REST",
  "audit_rest_request_path": "/test_audit_test/_search",
  "@timestamp": "2024-02-21T12:24:18.142+00:00",
  "audit_request_effective_user_is_admin": false,
  "audit_format_version": 4,
  "audit_request_remote_address": "<user_IP_address>",
  "audit_rest_request_headers": {
    "Transfer-Encoding": [
      "chunked"
    ],
    "Connection": [
      "close"
    ],
    "Host": [
      "localhost"
    ],
    "Content-Type": [
      "application/json"
    ]
  },
  "audit_request_effective_user": "test@amazon.com"
}
Note: audit_request_body contains the query, audit_request_effective_user contains the username of the user that ran the query, and audit_request_remote_address is the IP address that the request originated from.
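The following Python script is an added example, not part of this article or of the AWS documentation it references. It does two things a practitioner usually wants after completing the steps above: it checks an audit configuration document for the settings the procedure requires, and it reads audit log entries (one JSON object per line, like the entry shown above) and pulls out who ran which query from where. The configuration key names (`audit.disabled_rest_categories`, `audit.log_request_body`, `audit.resolve_indices`, `compliance.enabled`, `compliance.internal_config`, `compliance.read_metadata_only`) are assumed to match the OpenSearch security plugin's audit configuration API and should be verified against your version; the sample log lines and the IP address 192.0.2.10 are constructed for the example.

```python
import json
from typing import Any, Dict, Iterable, List

# Settings the procedure above turns on or off, in the key names used by the
# OpenSearch security plugin's audit configuration document.
# Assumption: these key names match your plugin version; verify before relying on them.
REQUIRED_AUDIT = {"log_request_body": True, "resolve_indices": True}
REQUIRED_COMPLIANCE = {"enabled": True, "internal_config": True, "read_metadata_only": False}


def check_audit_config(config: Dict[str, Any]) -> List[str]:
    """Return the settings that do not match the procedure; an empty list means all good."""
    problems: List[str] = []
    audit = config.get("audit", {})
    compliance = config.get("compliance", {})
    if not config.get("enabled", False):
        problems.append("audit logging is disabled")
    if "AUTHENTICATED" in audit.get("disabled_rest_categories", []):
        problems.append("AUTHENTICATED is still listed in audit.disabled_rest_categories")
    for key, want in REQUIRED_AUDIT.items():
        if audit.get(key) != want:
            problems.append(f"audit.{key} should be {want}")
    for key, want in REQUIRED_COMPLIANCE.items():
        if compliance.get(key) != want:
            problems.append(f"compliance.{key} should be {want}")
    return problems


def parse_entry(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Pull user, source IP, method, path, index and the query out of one audit record."""
    body_raw = entry.get("audit_request_body")
    query: Any = None
    if body_raw:
        try:
            query = json.loads(body_raw)  # request body is stored as a JSON string
        except json.JSONDecodeError:
            query = body_raw  # keep non-JSON bodies as text rather than dropping them
    return {
        "timestamp": entry.get("@timestamp"),
        "user": entry.get("audit_request_effective_user"),
        "ip": entry.get("audit_request_remote_address"),
        "method": entry.get("audit_rest_request_method"),
        "path": entry.get("audit_rest_request_path"),
        "index": entry.get("audit_rest_request_params", {}).get("index"),
        "query": query,
    }


def search_activity(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Keep only authenticated REST requests (the category the procedure re-enables)."""
    results: List[Dict[str, Any]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("audit_category") != "AUTHENTICATED":
            continue
        if entry.get("audit_request_layer") != "REST":
            continue
        results.append(parse_entry(entry))
    return results


# Constructed sample log lines: one search modelled on the entry shown in the article,
# plus a failed login that the filter must ignore.
SAMPLE_LINES = [json.dumps(e) for e in [
    {
        "audit_category": "AUTHENTICATED",
        "audit_request_layer": "REST",
        "@timestamp": "2024-02-21T12:24:18.142+00:00",
        "audit_request_effective_user": "test@amazon.com",
        "audit_request_remote_address": "192.0.2.10",
        "audit_rest_request_method": "GET",
        "audit_rest_request_path": "/test_audit_test/_search",
        "audit_rest_request_params": {"index": "test_audit_test", "pretty": "true"},
        "audit_request_body": json.dumps(
            {"aggs": {"movie titles": {"terms": {"field": "title"}}}, "size": 10}
        ),
    },
    {
        "audit_category": "FAILED_LOGIN",
        "audit_request_layer": "REST",
        "audit_request_remote_address": "192.0.2.10",
    },
]]

# Constructed configuration documents: one as it might look before the procedure, one after.
CONFIG_BEFORE = {
    "enabled": True,
    "audit": {"disabled_rest_categories": ["AUTHENTICATED", "GRANTED_PRIVILEGES"],
              "log_request_body": False, "resolve_indices": False},
    "compliance": {"enabled": False, "internal_config": False, "read_metadata_only": True},
}
CONFIG_AFTER = {
    "enabled": True,
    "audit": {"disabled_rest_categories": ["GRANTED_PRIVILEGES"],
              "log_request_body": True, "resolve_indices": True},
    "compliance": {"enabled": True, "internal_config": True, "read_metadata_only": False},
}

if __name__ == "__main__":
    for problem in check_audit_config(CONFIG_BEFORE):
        print("config problem:", problem)
    for hit in search_activity(SAMPLE_LINES):
        print(f"{hit['timestamp']} {hit['user']} from {hit['ip']} "
              f"{hit['method']} {hit['path']} -> {json.dumps(hit['query'])}")
```

Run the script on its own to see the problems reported for the "before" configuration and the single search extracted from the sample lines; point `search_activity` at the lines of your exported audit index (or the CloudWatch log stream) to summarize real activity. Entries without `audit_request_body` show a `None` query, which is the quickest sign that Request body was not enabled under Attribute settings.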
Reference:
Audit logs settings in Amazon OpenSearch Service - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/audit-logs.html#audit-log-settings