Audit mode for RoR


#1

Hi,

I’d like to configure RoR plugin 1.16.16.for ES 5.6.8 to get only access log to ES ( via kibana and directly ).
In my readonlyrest.yml:
readonlyrest:
audit_collector: true

On ES starting, Readonly REST plugin was loaded but no readonlyrest_audit indices created.
Is it possible to define “audit mode” only?

Thanks in advance


(Simone Scarduzio) #2

Hi @ludaca!

Your use case makes sense: if you want ROR just for auditing, create a single rules block that allows anything:

readonlyrest:
    
    audit_collector: true
    
    access_control_rules:

    - name: passthrough
      type: allow 

#3

Hi Simone,
You helped me a lot!
It started to create indices readonlyrest_audit-YYYY-MM-DD
Thank you


#4

Hi Simone,
We had some testing and it seems fine,
but we want to do some adjustments with audit results.

For example, we want to audit the whole query.

GET /customer/_search
{
“query” : { “match” : { “name” : “ben” } }
}}

now we can see just: "GET /customer/_search"
without: " “query” : { “match” : { “name” : “ben” } } "

How can we do it ?

Json resu
{
"_index": “readonlyrest_audit-2018-04-15”,
"_type": “ror_audit_evt”,
"_id": “1155540087-1697546287#202362”,
"_version": 1,
"_score": 9.832355,
"_source": {
“error_message”: null,
“headers”: [
“Connection”,
“content-length”,
“content-type”,
“Host”,
“x-forwarded-for”,
“x-forwarded-host”,
“x-forwarded-port”,
“x-forwarded-proto”
],
“acl_history”: “[passthrough->[]]”,
“origin”: “10.xx.xxx.x.xx “final_state”: “ALLOWED”,
“task_id”: 202362,
“type”: “SearchRequest”,
“req_method”: “POST”,
“path”: “/customer/_search”,
“indices”: [
“customer”
],
@timestamp": “2018-04-15T12:10:09Z”,
“content_len_kb”: 0,
“error_type”: null,
“processingMillis”: 0,
“action”: “indices:data/read/search”,
“id”: “1155540087-1697546287#202362”,
“content_len”: 65,
“user”: null
},
“fields”: {
"@timestamp": [
1523794209000
]
},
“highlight”: {
“indices”: [
"@kibana-highlighted-field@[email protected]/[email protected]"
]
}
}

lt:


(Simone Scarduzio) #5

Is it so that you want also to log the whole search result? This feature is not yet available. Can you add it to the proposed features in the forum?


#6

OK,
I just clarify my intention.
We not need the search result of the query, but only the whole query text itself. (DML)
I understand that kind of audit is not possble yet ?


(Simone Scarduzio) #7

Oh I see, that’s way easier! You can create a custom serializer.


(Askids) #8

@sscarduzio, I think that this is good feature to be natively supported by ROR. This can be used by applications to determine what is being searched on. They can also use this info to build a frequent searches kind of feature. Moreover, you can further extend it to have customized logging for compliance. I think SG and x-Pack are offering similar features now.


(Simone Scarduzio) #9

Yeah I agree, there’s a ton of opportunities in creating compliance grade custom serializers. Especially with GDPR. Do you have this kind of requirement? I could develop one and you could test it.


(Askids) #10

We dont have anything like a GDPR requirement. But we do requirement to log info when user access NPPI data. So at this time, we are logging it based on user selecting data from search results. But we are still debating whether the queries itself should be logged or not. Eventually, we might skip the logging for type ahead, but implement it only for search. But if we have the queries being logged internally, then we dont have to worry about it :wink: So that is why I was mentioning that capturing full _search query may be a good feature that many people could potentially leverage out of the box.

Another related question. Currently, is the call to the custom serializer asynchronous? Whenever, you add this feature to ROR, I think that you may want to keep this asynchronous.

Also, other feature that you may want to consider supporting is the ability to log this and all ROR audit info to separate ES cluster altogether. Similar to the feature that X-pack provides, where you setup just a monitoring cluster and log the monitoring info from the multiple clusters to a separate monitoring clustering. So that way, we don’t bring additional load/data to the actual ES cluster itself.


(Simone Scarduzio) #11

This can be an extra setting.

Yes, we use BulkProcessor. We collect in memory up to 100 log entries before persisting it to index as a bulk insert.

This is really nice feature, because it’s such a sensible thing to do architecturally.


#12

Hello !
I have tried to implement this solution.
I created class MyCustomSerializer according to your example
and have changed YML as follow:
readonlyrest:
response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
audit_serializer: MyCustomSerializer
audit_collector: true
access_control_rules:
- name: passthrough
type: allow

Then, I created new “records” and several times run _search on it…
Unfortunatelly I could not see any auditing records on file :
readonlyrest_audit-2018-05-13
What is wrong here ? Could you help, please ?Thank you in advance,
Luda


(Simone Scarduzio) #13

Well I would, but you provided no logs. :slight_smile:


#14

Hello,

Created java class according the example :

import tech.beshu.ror.ResponseContext;
import tech.beshu.ror.requestcontext.AuditLogSerializer;
import java.util.HashMap;
import java.util.Map;
public static class MySerializer implements AuditLogSerializer {
@Override
public Map<String, ?> createLoggableEntry(ResponseContext context) {
Map<String, Object> theMap = new HashMap<>();
theMap.put(“indices”, context.getRequestContext().getIndices());
return theMap;
}
}

This is my index for testing “customer”:
{
"_shards": {
“failed”: 0,
“skipped”: 0,
“successful”: 5,
“total”: 5
},
“hits”: {
“hits”: [
{
"_id": “22”,
"_index": “customer”,
"_score": 1.0,
"_source": {
“name”: “Ben Doe”
},
"_type": “external”
},
{
"_id": “AWLIZ5I1Cdjjmrp_9SQW”,
"_index": “customer”,
"_score": 1.0,
"_source": {
“name”: “For Audit QA”
},
"_type": “external”
},
{
"_id": “100”,
"_index": “customer”,
"_score": 1.0,
"_source": {
“age”: 20,
“name”: “Id insert”
},
"_type": “external”
},
{
"_id": “AWLIZwesCdjjmrp_9SQS”,
"_index": “customer”,
"_score": 1.0,
"_source": {
“name”: “Liron Test”
},
"_type": “external”
},
{
"_id": “AWNZKpVbZ1q1IOUIPleV”,
"_index": “customer”,
"_score": 1.0,
"_source": {
“title”: “hello”
},
"_type": “test1”
},
{
"_id": “AWLIZyoLCdjjmrp_9SQU”,
"_index": “customer”,
"_score": 1.0,
"_source": {
“name”: “\u05d1\u05d3\u05d9\u05e7\u05d4 \u05dc\u05d9\u05e8\u05d5\u05df”
},
"_type": “external”
},
{
"_id": “AWLIZ3wLCdjjmrp_9SQV”,
"_index": “customer”,
"_score": 1.0,
"_source": {
“name”: “For Audit”
},
"_type": “external”
}
],
“max_score”: 1.0,
“total”: 7
},
“timed_out”: false,
“took”: 1
}

On this index performed:
curl -XPOST http://xx.xx.xx.xx:9200/customer/test1 -d '{“title”: “hello”}'
and curl -XGET http://xx.xx.xx.xx:9200/customer/_search in loop of 200 iterations.

This is part of ES log:
[2018-05-13T10:39:39,352][INFO ][t.b.r.r.SerializationTool] Using custom serializer: MyCustomSerializer

[2018-05-13T10:41:04,427][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:21664262-62830043#398, TYP:ClusterHealthRequest, CGR:N/A, USR:[no
basic auth header], BRS:true, ACT:cluster:monitor/health, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cluster/health, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]]
}
[2018-05-13T10:42:33,237][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:241060584-1026971099#530, TYP:ClusterStateRequest, CGR:N/A, USR:[
no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]]
}
[2018-05-13T10:43:21,790][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:121728359-334467052#610, TYP:ClusterStateRequest, CGR:N/A, USR:[n
o basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]] }

[2018-05-13T10:43:44,636][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:558958471-272334466#652, TYP:ClusterStateRequest, CGR:N/A, USR:[n
o basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]] }

[2018-05-13T10:44:26,313][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:888746055-1371821327#718, TYP:ClusterStateRequest, CGR:N/A, USR:[
no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]]
}
[2018-05-13T10:44:30,683][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:734942157-1784873231#732, TYP:ClusterStateRequest, CGR:N/A, USR:[
no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]]
}
[2018-05-13T10:44:51,562][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:1724284691-725932754#1226, TYP:ClusterStateRequest, CGR:N/A, USR:
[no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]]
}
[2018-05-13T10:46:44,763][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:1771444219-156580984#1400, TYP:GetIndexRequest, CGR:N/A, USR:[no
basic auth header], BRS:true, ACT:indices:admin/get, OA:10.244.0.0, IDX:customer, MET:GET, PTH:/customer, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]] }
[2018-05-13T10:47:01,105][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:165236752-1388696304#1426, TYP:GetIndexRequest, CGR:N/A, USR:[no
basic auth header], BRS:true, ACT:indices:admin/get, OA:10.244.0.0, IDX:customer, MET:GET, PTH:/customer, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]] }
[2018-05-13T10:51:42,220][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:2046087892-1052709220#1850, TYP:ClusterStateRequest, CGR:N/A, USR
:[no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]
] }
[2018-05-13T10:51:52,231][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:319797216-1699574084#1876, TYP:ClusterStateRequest, CGR:N/A, USR:
[no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]]
}
[2018-05-13T10:52:11,290][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:1778442289-529086876#1913, TYP:GetIndexRequest, CGR:N/A, USR:[no
basic auth header], BRS:true, ACT:indices:admin/get, OA:10.244.0.0, IDX:readonlyrest_audit-2018-05-13, MET:GET, PTH:/readonlyrest_audit-2018-05-13, CNT:<N/A>, HDR:Accept,content-length,Ho
st,User-Agent, HIS:[passthrough->[]] }
[2018-05-13T10:52:37,495][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:699388683-1718203599#1955, TYP:GetIndexRequest, CGR:N/A, USR:[no
basic auth header], BRS:true, ACT:indices:admin/get, OA:10.244.0.0, IDX:readonlyrest_audit-2018-05-12, MET:GET, PTH:/readonlyrest_audit-2018-05-12, CNT:<N/A>, HDR:Accept,content-length,Ho
st,User-Agent, HIS:[passthrough->[]] }
[2018-05-13T10:52:45,958][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:1231285244-131051403#1973, TYP:GetIndexRequest, CGR:N/A, USR:[no
basic auth header], BRS:true, ACT:indices:admin/get, OA:10.244.0.0, IDX:readonlyrest_audit-2018-05-13, MET:GET, PTH:/readonlyrest_audit-2018-05-13, CNT:<N/A>, HDR:Accept,content-length,Ho
st,User-Agent, HIS:[passthrough->[]] }
[2018-05-13T10:53:23,912][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:574917889-1019452472#2033, TYP:ClusterStateRequest, CGR:N/A, USR:
[no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]]
}
[2018-05-13T11:02:33,044][WARN ][o.e.d.r.RestController ] Content type detection for rest requests is deprecated. Specify the content type using the [Content-Type] header.
[2018-05-13T11:02:33,048][ERROR][t.b.r.e.RequestInfo ] Found an instance of CompositeIndicesRequest that could not be handled: report this as a bug immediately! IndexRequest
[2018-05-13T11:02:33,052][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:1687171110-944271539#2852, TYP:IndexRequest, CGR:N/A, USR:[no bas
ic auth header], BRS:true, ACT:indices:data/write/index, OA:10.244.0.0, IDX:customer, MET:POST, PTH:/customer/test1, CNT:<OMITTED, LENGTH=18>, HDR:Accept,Content-Length,Content-Type,Host,
User-Agent, HIS:[passthrough->[]] }
[2018-05-13T11:03:07,307][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:696538075-1781724351#2911, TYP:SearchRequest, CGR:N/A, USR:[no ba
sic auth header], BRS:true, ACT:indices:data/read/search, OA:10.244.0.0, IDX:customer, MET:GET, PTH:/customer/test1/_search, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[pas
sthrough->[]] }
[2018-05-13T11:03:29,781][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:423476447-1781724351#2956, TYP:SearchRequest, CGR:N/A, USR:[no ba
sic auth header], BRS:true, ACT:indices:data/read/search, OA:10.244.0.0, IDX:customer, MET:GET, PTH:/customer/test1/_search, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[pas
sthrough->[]] }

This is the readonlyrest_audit-2018-05-13 index:

  {
    "_shards": {
        "failed": 0,
        "skipped": 0,
        "successful": 5,
        "total": 5
    },
    "hits": {
        "hits": [
            {
                "_id": "2041423447-526821954#25324458",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:10Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "cluster:monitor/nodes/info",
                    "content_len": 0,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "Host"
                    ],
                    "id": "2041423447-526821954#25324458",
                    "indices": [],
                    "origin": "xx.xx.xx.xx",
                    "path": "/_nodes/_local?filter_path=nodes.*.settings.tribe",
                    "processingMillis": 0,
                    "req_method": "GET",
                    "task_id": 25324458,
                    "type": "NodesInfoRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "454905553-408214284#25324463",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:10Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "cluster:monitor/health",
                    "content_len": 0,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "Host"
                    ],
                    "id": "454905553-408214284#25324463",
                    "indices": [
                        ".kibana"
                    ],
                    "origin": "xx.xx.xx.xx",
                    "path": "/_cluster/health/.kibana?timeout=5s",
                    "processingMillis": 0,
                    "req_method": "GET",
                    "task_id": 25324463,
                    "type": "ClusterHealthRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "1184506844-931169816#25324464",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:10Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "indices:admin/get",
                    "content_len": 0,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "Host"
                    ],
                    "id": "1184506844-931169816#25324464",
                    "indices": [
                        ".kibana"
                    ],
                    "origin": "xx.xx.xx.xx",
                    "path": "/.kibana/_mappings",
                    "processingMillis": 1,
                    "req_method": "GET",
                    "task_id": 25324464,
                    "type": "GetIndexRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "275244239-1199073869#25324465",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:10Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "indices:data/read/search",
                    "content_len": 277,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "content-type",
                        "Host"
                    ],
                    "id": "275244239-1199073869#25324465",
                    "indices": [
                        ".kibana"
                    ],
                    "origin": "xx.xx.xx.xx",
                    "path": "/.kibana/_search?size=1000&from=0",
                    "processingMillis": 0,
                    "req_method": "POST",
                    "task_id": 25324465,
                    "type": "SearchRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "179600537-1604695717#25324467",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:10Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "cluster:monitor/state",
                    "content_len": 0,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "Host"
                    ],
                    "id": "179600537-1604695717#25324467",
                    "indices": [],
                    "origin": "xx.xx.xx.xx",
                    "path": "/_cluster/settings?include_defaults=true&filter_path=**.script.engine.*.inline",
                    "processingMillis": 0,
                    "req_method": "GET",
                    "task_id": 25324467,
                    "type": "ClusterStateRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "1782818272-2003881707#25324509",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:15Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "cluster:monitor/nodes/info",
                    "content_len": 0,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "Host"
                    ],
                    "id": "1782818272-2003881707#25324509",
                    "indices": [],
                    "origin": "xx.xx.xx.xx",
                    "path": "/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip",
                    "processingMillis": 1,
                    "req_method": "GET",
                    "task_id": 25324509,
                    "type": "NodesInfoRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "795396896-1327115231#25324516",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:15Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "cluster:monitor/health",
                    "content_len": 0,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "Host"
                    ],
                    "id": "795396896-1327115231#25324516",
                    "indices": [
                        ".kibana"
                    ],
                    "origin": "xx.xx.xx.xx",
                    "path": "/_cluster/health/.kibana?timeout=5s",
                    "processingMillis": 0,
                    "req_method": "GET",
                    "task_id": 25324516,
                    "type": "ClusterHealthRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "785942685-1199073869#25324518",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:15Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "indices:data/read/search",
                    "content_len": 277,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "content-type",
                        "Host"
                    ],
                    "id": "785942685-1199073869#25324518",
                    "indices": [
                        ".kibana"
                    ],
                    "origin": "xx.xx.xx.xx",
                    "path": "/.kibana/_search?size=1000&from=0",
                    "processingMillis": 0,
                    "req_method": "POST",
                    "task_id": 25324518,
                    "type": "SearchRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "576126083-36071308#25324378",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:02Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "indices:data/read/mget",
                    "content_len": 62,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "content-type",
                        "Host"
                    ],
                    "id": "576126083-36071308#25324378",
                    "indices": [
                        ".kibana"
                    ],
                    "origin": "xx.xx.xx.xx",
                    "path": "/_mget",
                    "processingMillis": 0,
                    "req_method": "POST",
                    "task_id": 25324378,
                    "type": "MultiGetRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            },
            {
                "_id": "1597374857-984061082#25324385",
                "_index": "readonlyrest_audit-2018-05-13",
                "_score": 1.0,
                "_source": {
                    "@timestamp": "2018-05-13T00:00:02Z",
                    "acl_history": "[passthrough->[]]",
                    "action": "cluster:monitor/state",
                    "content_len": 0,
                    "content_len_kb": 0,
                    "error_message": null,
                    "error_type": null,
                    "final_state": "ALLOWED",
                    "headers": [
                        "Authorization",
                        "Connection",
                        "Content-Length",
                        "Host"
                    ],
                    "id": "1597374857-984061082#25324385",
                    "indices": [],
                    "origin": "xx.xx.xx.xx",
                    "path": "/_cluster/settings?include_defaults=true&filter_path=**.script.engine.*.inline",
                    "processingMillis": 0,
                    "req_method": "GET",
                    "task_id": 25324385,
                    "type": "ClusterStateRequest",
                    "user": null
                },
                "_type": "ror_audit_evt"
            }
        ],
        "max_score": 1.0,
        "total": 116159
    },
    "timed_out": false,
    "took": 1
}

     

Please let me know if I missed something
Thanks in advance

(Simone Scarduzio) #15

So basically your serializer is being recognised, but it’s not being used? What if you put a System.out.println in the “createLoggableEntry” method? So we see if it is being called at all?


#16

Yes, I did it.
I have added the simple printing, for each request I could see in LOG lines like:
[2018-05-16T07:33:50,146][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:398415424-1657272325#3009, TYP:ClusterStateRequest, CGR:N/A, USR:[no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]] }
In MyCustomSerializer.createLoggableEntry() :: Wed May 16 07:33:50 UTC 2018
But I still cannot see “auditing” records in ROR indices


#17

Hi,
According to your recommendation (Troubleshooting)
I have made grep for ACT: and found several lines like:
[2018-05-16T07:33:50,146][INFO ][t.b.r.a.ACL ] ALLOWED by { name: ‘passthrough’, policy: ALLOW} req={ ID:398415424-1657272325#3009, TYP:ClusterStateRequest, CGR:N/A, USR:[no basic auth header], BRS:true, ACT:cluster:monitor/state, OA:10.244.0.0, IDX:, MET:GET, PTH:/_cat/indices?v, CNT:<N/A>, HDR:Accept,content-length,Host,User-Agent, HIS:[passthrough->[]] }
Does it mean that I have toubles with “blocking” request ?
Maybe I could add to file
l4j2.properties
smth like :
logger.access_log_rolling.name = org.elasticsearch.plugin.readonlyrest.acl
logger.access_log_rolling.level = info
logger.access_log_rolling.appenderRef.access_log_rolling.ref = access_log_rolling
logger.access_log_rolling.additivity = false
Is could be helpful and add some information about "why this does not work as I want ?"
Could you suggest me how to solve it, please ?


(Maksym) #18

Could someone provide example? And steps on how to create CustomSerializer. I created one using provided example but it didn’t work. I need to add field that store exact user query.


(Simone Scarduzio) #19

Can you show us the code?


#20

We just added println to be sure it works, but we can’t see the
uery itselfq
more MyCustomSerializer.java

import tech.beshu.ror.commons.ResponseContext;
import tech.beshu.ror.requestcontext.AuditLogSerializer;

import java.util.Date;
import java.util.HashMap;
import java.util.Map;

public class MyCustomSerializer implements AuditLogSerializer {
       @Override
       public Map<String, ?> createLoggableEntry(ResponseContext context) {
              **System.out.println**("In MyCustomSerializer.createLoggableEntry() :: " + new Date().toString());
              Map<String, Object> theMap = new HashMap<>();
              theMap.put("indices", context.getRequestContext().getIndices());
              return theMap;
       }
}