Audit log to optionally log executed queries
There are many cases where sensitive information is stored in Elasticsearch and there is a reason to give some users access to the data, but there is still a need to be able to detect malicious or unnecessary access.
Thus it would be good for the audit log to also record the executed query on specific indices, so that users' actions can be reviewed later. Possibly the number of returned documents could also be recorded.
There should be:
- a new multi-value setting, "audit_include_query", which specifies which indices' queries are logged. The setting should support wildcards.
- if there is a query to an index that matches a rule, the request body (which includes the user's query) would be included in the audit log.
Considerations and possible side effects of the feature:
- Performance impact
- Log size
- Information security when using the feature
audit_include_query: ["bla-*", "sensitive-index", "*-personal" ]
Request body, and the entry which would be added to the audit log:
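As an added worked example (not code from the proposal or from any Elasticsearch security plugin), the following Python sketches the decision logic the setting implies: match the request's target indices against the audit_include_query patterns, and only when one matches, record the request body and the hit count in the audit entry. The function names, the MAX_BODY_BYTES cap (a nod to the log-size consideration above) and the sample requests are assumptions for illustration; the matcher assumes the request's indices have already been resolved to concrete index names (aliases and request-side wildcards such as "*" would otherwise slip past the patterns).

```python
"""Illustrative matcher for the proposed audit_include_query setting.

Added example, not part of the original feature request. Everything below
(function names, MAX_BODY_BYTES, sample requests) is an assumption made
for demonstration purposes.
"""
import re
from datetime import datetime, timezone
import json

# The multi-value setting, using the patterns from the example in the post.
AUDIT_INCLUDE_QUERY = ["bla-*", "sensitive-index", "*-personal"]

# Cap on the logged body to bound log growth (assumed value, not from the post).
MAX_BODY_BYTES = 4096


def pattern_to_regex(pattern):
    """Compile an index pattern where only '*' is a wildcard.

    Every other character is escaped, so an index name containing
    characters that are special in regular expressions is matched
    literally. A pattern without '*' must match the name exactly.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matching_indices(indices, patterns=AUDIT_INCLUDE_QUERY):
    """Return the requested (already resolved) index names that match any pattern."""
    compiled = [pattern_to_regex(p) for p in patterns]
    return [name for name in indices if any(rx.match(name) for rx in compiled)]


def build_audit_entry(user, indices, body, hits_returned, patterns=AUDIT_INCLUDE_QUERY):
    """Build the audit-log record for one search request.

    The request body is recorded only when at least one target index matches
    a pattern; the number of returned documents is always recorded. The body
    is serialised and truncated so that a large query cannot blow up the log,
    and the truncation is flagged so reviewers know the record is partial.
    """
    matched = matching_indices(indices, patterns)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "indices": list(indices),
        "hits_returned": hits_returned,
        "query_logged": bool(matched),
    }
    if matched:
        raw = json.dumps(body, separators=(",", ":"))
        entry["matched_indices"] = matched
        entry["body_truncated"] = len(raw) > MAX_BODY_BYTES
        entry["request_body"] = raw[:MAX_BODY_BYTES]
    return entry


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(build_audit_entry("alice", ["logs-2024"], {"query": {"match_all": {}}}, 10))
    print(build_audit_entry("alice", ["hr-personal"], {"query": {"term": {"ssn": "1"}}}, 3))
```

Note that once the body is logged, the audit log itself contains whatever the user searched for (terms such as an SSN in the second sample), which is exactly the information-security consideration listed above: the audit index needs at least the same access restrictions as the indices it covers.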
Discussion about a similar feature at the forum:
Let’s do this?