Logging header value

Hi,

Is there a way to capture values from a custom header? I see that header values that are passed to Elasticsearch calls are logged in ROR audit indices. But is there a way to capture the actual value also?

We have type ahead search services that will be called by multiple apps. Typically for calls involving NPI data, we log data separately. But because this is type ahead, we are trying to avoid any additional overhead within the application itself. So we wanted to add some kind of tracking that is transparent to application logic and capture it on the ES end itself. So is there a way in ROR to capture the header value as well, as it's already capturing the passed header?

I was going through old forum posts and saw that there was an undocumented feature obfuscated_headers that was added. So I was wondering if there is something similar that is already available that will allow us to capture the header values as well for specific headers.

Thanks!

If you want to add a field to the JSON audit logs, you can create a custom serializer. All the headers are available for you in the request context.

readonlyrest-docs/elasticsearch.md at master · beshu-tech/readonlyrest-docs · GitHub.

With this you will be able to add new fields, customize existing ones, or remove any fields you don’t use.

If you are not confident in doing this on your own, we can definitely help, as a small custom development project.

Hi @sscarduzio

Thanks for the feedback. Unfortunately our team does not have any Scala or Java developers. Since we are using the FOSS version of both ES and ROR, I am not sure if there will be appetite on the client side to fund this development externally :expressionless:

This is how the current flow is.
client app > our search service > es call.

I am thinking that we could probably explore using api_keys instead, but will need to include the hosts rule as well so that calls will only be authorized when coming through our servers where the web service is hosted. Can we include both the api_keys and hosts rules in the same ACL block?

Thanks!

Yeah sure, why not. Give it a try!
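
An added example (not from the thread or from the ReadonlyREST project) of the block asked about above, combining `api_keys` and `hosts` in one ACL block of `readonlyrest.yml`. The block name, key placeholder, subnet and index pattern are constructed values to replace with your own.

```yaml
readonlyrest:
  access_control_rules:
    # Every rule listed in a block must match (logical AND) for the block to apply,
    # so a request needs BOTH a valid key and an allowed origin address.
    - name: "typeahead via search service"        # constructed block name
      type: allow
      # The search service sends this value in the X-Api-Key header.
      api_keys: ["REPLACE_WITH_LONG_RANDOM_KEY"]  # placeholder, not a real key
      # Origin address as seen by Elasticsearch; here a constructed subnet
      # standing in for the servers hosting the web service.
      hosts: ["10.0.10.0/24"]
      indices: ["typeahead-*"]                    # constructed index pattern
      actions: ["indices:data/read/*"]            # read-only access for search
```

A request that presents the key from an address outside `hosts` does not match this block and falls through to the blocks that follow it. If a proxy or load balancer sits between the search service and Elasticsearch, `hosts` has to list that hop's address, since that is the origin Elasticsearch sees.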