The content field is missing in log ROR

driveirk · March 12, 2025, 11:12am

Hi all
Previously, the content field logged the request body.
Now, after updating the ROR plugin, this field is missing.
Can you advise how to restore it?
We were very surprised by its disappearance during an incident investigation.

Enterprise 1.56.0_es7.15.1 field “сontent” is present
Enterprise 1.60.0_es7.15.1 field “сontent” is not present

{“customer_id”: “6c4a385b-2ae8-4f02-a9cd-ef24addfb5b3”, “subscription_id”: “32d4073f-dc2f-4056-a868-842727c637cd”}

coutoPL · March 12, 2025, 5:19pm

Hi @driveirk

I cannot confirm the issue.
The content field is available only in case of the QueryAuditLogSerializer.

Could you please confirm you use it?
If so, please share the audit part from ReadonlyREST settings.

driveirk · March 12, 2025, 5:42pm

my config:

readonlyrest:
    audit_collector: true
    audit_serializer: tech.beshu.ror.requestcontext.QueryAuditLogSerializer
    audit_index_template: "'.readonlyrest-audit'-yyyy-MM-dd"
    prompt_for_basic_auth: false
    response_if_req_forbidden: Wrong password or try clearing your browser cache
    audit:
      enabled: true
      outputs:
      - type: index
        cluster: ["http://1.1.1.:9201" , "http://2.2.2.2:9201", "http://3.3.3.3:9201" ]
        index_template: "'readonlyrest-xcs-access'-yyyy-MM-dd"

As I understand QueryAuditLogSerializer is used

coutoPL · March 12, 2025, 7:12pm

I guess you want to have two audit outputs: the remote cluster one and the local one.

The multi-output is supported only by the new audit configuration syntax.
You mix the old syntax with the new one.

It seems this is what you want:

readonlyrest:
    prompt_for_basic_auth: false
    response_if_req_forbidden: Wrong password or try clearing your browser cache
    audit:
      enabled: true # both audit outputs are enabled
      outputs:
      - type: index # local cluster index
        index_template: "'.readonlyrest-audit'-yyyy-MM-dd"
        serializer: tech.beshu.ror.requestcontext.QueryAuditLogSerializer # we use the serializer with the "content" field in case of this output
      - type: index # remote clusters indices (the default serializer is used)
        cluster: ["http://1.1.1.:9201" , "http://2.2.2.2:9201", "http://3.3.3.3:9201" ] 
        index_template: "'readonlyrest-xcs-access'-yyyy-MM-dd"

For details, please see our documentation

driveirk · March 13, 2025, 9:27am

thanks, it’s work for mi