How to customize audit logs in OpenSearch to see which queries were run by users?

2 minute read

Content level: Advanced

You can customize audit logs to capture query, user, and IP information.

Question: I can see which users logged into OpenSearch dashbaord from access logs, but how do I know which queries they ran?

Resolution: Follow the below 10 steps for your audit logs to include query, user and IP information.

Go to OpenSearch Dashboards > in the left hamburger menu, select Security
Select Audit logs > under "General settings", click Configure
Under "Layer settings" > section "REST disabled categories", remove AUTHENTICATED from the list
Under Attribute settings, toggle to enable Request body and Resolve indices
Click Save
Go back to the Audit logs page > under "Compliance settings", click Configure
Toggle to enable Compliance logging under section "Compliance mode"
Toggle to enable Internal config under section "Config"
Disable Read metadata under section "Read"
Click Save

Below is an example of the a log entry that will contain information on what query was run by which user:

{
    "audit_cluster_name": "12345678910:test”,
    "audit_rest_request_params": {
        "index": “test_audit_test",
        "pretty": "true"
    },
    "audit_node_name": “xxxxxxxxxxxxxxxxxxxxxx",
    "audit_request_initiating_user": “test@amazon.com ",
    "audit_rest_request_method": "GET",
    "audit_category": "AUTHENTICATED",
    "audit_request_origin": "REST",
    "audit_request_body": "{\n  \"aggs\": {\n    \"movie titles\": {\n      \"terms\": {\"field\": \"title\"}\n    }\n  },\n  \"size\": 10\n}\n",
    "audit_node_id": "“xxxxxxxxxxxxxxxxxxxxxx",
    "audit_request_layer": "REST",
    "audit_rest_request_path": “/test_audit_test/_search",
    "@timestamp": "2024-02-21T12:24:18.142+00:00",
    "audit_request_effective_user_is_admin": false,
    "audit_format_version": 4,
    "audit_request_remote_address": "<user_IP_address>",
    "audit_rest_request_headers": {
        "Transfer-Encoding": [
            "chunked"
        ],
        "Connection": [
            "close"
        ],
        "Host": [
            "localhost "
        ],
        "Content-Type": [
            "application/json"
        ]
    },
    "audit_request_effective_user": “test@amazon.com "
}

Note: audit_request_body contains the query, audit_request_effective_user contains the username for the user that ran the query, and audit_request_remote_address is the IP that the request originated from.

—— Reference ——
Audit logs settings in Amazon OpenSearch Service - https://docs.aws.amazon.com/opensearch-service/latest/developerguide/audit-logs.html#audit-log-settings

Topics

Analytics Serverless

Relevant content

How to e-mail OpenSearch reports and dashboards via opensearch-reporting-cli
EXPERT
Sohaib Katariwala
published 2 months ago
How to Analyze your AWS IoT Logs with Standard SQL queries
EXPERT
Charlyscott237
published 6 months ago
How to view consolidated log from multiple log streams generated from an AWS Mainframe Modernization application?
EXPERT
Souma Suvra Ghosh
published 3 months ago
which services used to implement log user events
nam
asked 10 months ago
Limiting Which EC2 Instances a Users Can See
Accepted Answer
TK
asked 2 years ago
Cannot decide which service should be used to log user activity
Pascual
asked a year ago
How do I assign read permissions to users who access Amazon Cognito’s user pools with OpenSearch?
AWS OFFICIALUpdated 9 months ago
How do I know which user made a particular change to my AWS infrastructure?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot slow logs in Amazon OpenSearch Service?
AWS OFFICIALUpdated 3 years ago
How do I activate audit logs in OpenSearch Service?
AWS OFFICIALUpdated 10 months ago