Audit log - logging the query

socket · July 25, 2017, 5:53am

Hi there,

Is there any way to log the actual search query in the audit log? I need to log every query coming from the end users, but after going through the docs don’t see any way to do this.

I know that X-pack may be able to do it, and slow logs can also be used for this, but it would be nice all the auditing info to be contained in a single record.

sscarduzio · July 25, 2017, 7:19am

Hi @socket! When you say the search query you mean the JSON body of the associated HTTP request?

socket · July 25, 2017, 8:14am

Hi,

Yes for example if I have the following query:

GET _search
{
“query”: {
“query_string”: {
“query”: “makale”
}
}
}

Would like to have “makale” logged in the audit log as the search term.