Audit logging question in 1.16.7


#1

Hello, I’m working on trying out the new audit logging feature. The relevant portion of my elasticsearch.yml file looks like:

readonlyrest:
    audit_collector: true
    access_control_rules:
    - name: "Block 1 - Allowing anything from localhost"
      hosts: [127.0.0.1]
    - name: "Block 2 - Other hosts can only read certain indices"
      actions: ["indices:data/read/*"]

All it’s doing is allowing all traffic from localhost and permitting read-only traffic from other hosts. I’ve added the readonlyrest.audit_collector: true parameter, but I see no “readonlyrest_audit-YYYY-MM-DD” type indexes being created when I interact with the server. Is there any other configuration I need to do?

I’m running a single node of ES 5.4.3 and my plugin version is:

"plugins": [
  {
    "name": "readonlyrest",
    "version": "1.16.7",
    "description": "Safely expose Elasticsearch REST API",
    "classname": "org.elasticsearch.plugin.readonlyrest.es.ReadonlyRestPlugin",
    "has_native_controller": false
  }
]

I also tried adding an explicit “verbosity” level to each of my two blocks, both set to “info” and got no results.


(Simone Scarduzio) #2

Hi @hijakk, thanks for reporting, I found an issue with the new settings handling.

Try with this new build:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.8-pre1/readonlyrest-1.16.8-pre1_es5.4.3.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20170712/eu-west-1/s3/aws4_request&X-Amz-Date=20170712T074609Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=1547cb55f44cdef56f8e10f3607ac62a1083ffe5e69391b3430911db392ef328

If you find other issues, don’t hesitate to follow up.


#3

Hi @sscarduzio, I’ve tried grabbing and installing this build, but I’m still not getting any ROR audit log output to an index. My ROR config block currently looks like:

readonlyrest:
    audit_collector: true
    access_control_rules:
    - name: "Block 1 - Allowing anything from localhost"
      hosts: [127.0.0.1]
      verbosity: "info"
    - name: "Block 2 - Other hosts can only read certain indices"
      actions: ["indices:data/read/*"]
      verbosity: "info"

Would turning on debug log settings as described at https://readonlyrest.com/documentation/index.html#Rules--Rules--Audit_&_Troubleshooting--Troubleshooting help track down the issue?
Thank you!


(Simone Scarduzio) #4

Impressive, I tried this out manually and discovered a security exception from the simple act of serializing a hashmap to JSON. That’s because the Jackson library uses reflection for that (…).

Obviously this doesn’t happen running ROR in my IDE, so I didn’t catch this bug. :confused:

Looks like I have to re-release this release. :no_good:

This is the fixed version: https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.16.8-pre2/readonlyrest-1.16.8-pre2_es5.4.3.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20170713/eu-west-1/s3/aws4_request&X-Amz-Date=20170713T085614Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=6e2892b4500aa808a1752efef6e3286e26444c0525e7ac6b900e0dc65c7c6c17
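The failure Simone describes above is the Elasticsearch JVM security manager denying the reflective access Jackson performs while serializing a plain map. The following is an added illustration of the usual plugin-side pattern for that situation; it is not ReadonlyREST’s code, and it assumes the plugin’s plugin-security.policy grants the reflection permissions Jackson needs (for example java.lang.reflect.ReflectPermission "suppressAccessChecks") and that org.elasticsearch.SpecialPermission is on the classpath, as it is for ES 5.x plugins.

```java
// Added example (not ReadonlyREST's code): serialize an audit event Map with Jackson
// inside an Elasticsearch 5.x plugin without tripping the security manager.
// Assumption: plugin-security.policy grants the reflection permissions Jackson needs,
// e.g. permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
import com.fasterxml.jackson.databind.ObjectMapper;
import org.elasticsearch.SpecialPermission;

import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.LinkedHashMap;
import java.util.Map;

public final class AuditEventSerializer {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    private AuditEventSerializer() {}

    /**
     * Runs the serialization in a privileged block so the security manager checks
     * only the plugin's own policy instead of every frame on the calling stack
     * (which, for a REST request, includes code that holds no reflection rights).
     */
    public static String toJson(Map<String, Object> event) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Elasticsearch convention: anything calling doPrivileged must first hold
            // SpecialPermission, so unprivileged code cannot borrow the plugin's rights.
            sm.checkPermission(new SpecialPermission());
        }
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<String>) () -> MAPPER.writeValueAsString(event));
        } catch (PrivilegedActionException e) {
            // Unwrap the checked JsonProcessingException for the caller.
            throw new IllegalStateException("audit event serialization failed", e.getException());
        }
    }

    /** Constructed sample event modelled on the blocks from this thread's config. */
    public static void main(String[] args) {
        Map<String, Object> event = new LinkedHashMap<>();
        event.put("match", true);
        event.put("block", "Block 2 - Other hosts can only read certain indices");
        event.put("action", "indices:data/read/search");
        event.put("origin", "203.0.113.7"); // constructed documentation address
        System.out.println(toJson(event));
    }
}
```

Without the security manager (for example when run from an IDE, as noted above) the privileged block is a no-op, which is why the problem only surfaces inside a real Elasticsearch node.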


#5

That did it; I’ve got a readonlyrest_audit-2017-07-13 index now. Thank you! I was asked to set up logging for the number of users, etc., hitting a demo system I’d set up, and this functionality got released the day after my initial setup was done, so it couldn’t have been better timing :slight_smile: