MinIO Audit Logs saved into ElasticSearch via WebHook

Cesar Celis Hernandez edited this page Dec 20, 2022 · 4 revisions

Objective:

To save audit logs in ElasticSearch via WebHook

Documentation:

Steps:

  1. This assumes ElasticSearch (ES) has already been configured, as Eco did for us in our DC. If it has not, follow the ES getting-started steps first and get ES ready.
  1. Enable the WebHook in MinIO via environment variables. I am not posting the user, the password or the host, for security reasons:
```
$ export MINIO_AUDIT_WEBHOOK_ENABLE_TESTING="on"
$ export MINIO_AUDIT_WEBHOOK_ENDPOINT_TESTING="http://<USER>:<PASSWORD>@<HOST>:9200/lssdsd/asdasd"
$ export MINIO_AUDIT_WEBHOOK_AUTH_TOKEN_TESTING=""
$ export MINIO_ROOT_USER=minio
$ export MINIO_ROOT_PASSWORD=minio123
$ minio server /Volumes/data{1...4} --address :9000 --console-address :9001
MinIO Object Storage Server
Copyright: 2015-2022 MinIO, Inc.
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Version: RELEASE.2022-12-12T19-27-27Z (go1.19.4 darwin/amd64)

Status:         4 Online, 0 Offline.
API: http://192.168.1.151:9000  http://127.0.0.1:9000
RootUser: minio
RootPass: minio123
Console: http://192.168.1.151:9001 http://127.0.0.1:9001
RootUser: minio
RootPass: minio123

Command-line: https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
   $ mc alias set myminio http://192.168.1.151:9000 minio minio123

Documentation: https://min.io/docs/minio/linux/index.html
```
  1. Look at the index:
```shell
curl -u <USER>:<PASSWORD> -X GET "<HOST>:9200/lssdsd/_search?pretty" -H 'Content-Type: application/json' -d'
{
  "query": {
    "match_all": { }
  }
}
'
```

You should see:

```json
{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "lssdsd",
        "_type" : "asdasd",
        "_id" : "NC8uMIUBuuSsBbj2Wou5",
        "_score" : 1.0,
        "_source" : { }
      }
    ]
  }
}
```
  1. Create a Bucket:
```
$ mc alias set myminio http://192.168.1.151:9000 minio minio123
Added `myminio` successfully.
$ mc mb myminio/cesarfff
Bucket created successfully `myminio/cesarfff`.
```
  1. Look at the ES index once again and notice the audit logs are being saved and "PutBucket" is recorded:
```json
{
  "took" : 526,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 3,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "lssdsd",
        "_type" : "asdasd",
        "_id" : "NC8uMIUBuuSsBbj2Wou5",
        "_score" : 1.0,
        "_source" : { }
      },
      {
        "_index" : "lssdsd",
        "_type" : "asdasd",
        "_id" : "FS8wMIUBuuSsBbj2u404",
        "_score" : 1.0,
        "_source" : {
          "version" : "1",
          "deploymentid" : "76a720c8-d4d8-4dfc-8737-ab5939510d67",
          "time" : "2022-12-20T15:39:38.024239Z",
          "event" : "",
          "trigger" : "incoming",
          "api" : {
            "name" : "GetBucketLocation",
            "bucket" : "probe-bucket-sign-ratf12l0gtew",
            "rx" : 0,
            "tx" : -1,
            "timeToResponse" : "0ns"
          },
          "remotehost" : "192.168.1.151",
          "requestID" : "17328A938C1C0B08",
          "userAgent" : "MinIO (darwin; amd64) minio-go/v7.0.34",
          "requestQuery" : {
            "location" : ""
          },
          "requestHeader" : {
            "Authorization" : "AWS4-HMAC-SHA256 Credential=minio/20221220/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=f69fc658b57c4be2869c94aeff74feef12bdd1ed9a2d985c4cff8b0e09bf90b1",
            "User-Agent" : "MinIO (darwin; amd64) minio-go/v7.0.34",
            "X-Amz-Content-Sha256" : "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "X-Amz-Date" : "20221220T153938Z"
          },
          "responseHeader" : {
            "Accept-Ranges" : "bytes",
            "Content-Length" : "333",
            "Content-Security-Policy" : "block-all-mixed-content",
            "Content-Type" : "application/xml",
            "Server" : "MinIO",
            "Strict-Transport-Security" : "max-age=31536000; includeSubDomains",
            "Vary" : "Origin,Accept-Encoding",
            "X-Amz-Request-Id" : "17328A938C1C0B08",
            "X-Content-Type-Options" : "nosniff",
            "X-Xss-Protection" : "1; mode=block"
          }
        }
      },
      {
        "_index" : "lssdsd",
        "_type" : "asdasd",
        "_id" : "Gi8wMIUBuuSsBbj23o2r",
        "_score" : 1.0,
        "_source" : {
          "version" : "1",
          "deploymentid" : "76a720c8-d4d8-4dfc-8737-ab5939510d67",
          "time" : "2022-12-20T15:39:47.14234Z",
          "event" : "",
          "trigger" : "incoming",
          "api" : {
            "name" : "PutBucket",
            "bucket" : "cesarfff",
            "rx" : 0,
            "tx" : -1,
            "timeToResponse" : "0ns"
          },
          "remotehost" : "192.168.1.151",
          "requestID" : "17328A95AB7DDCE0",
          "userAgent" : "MinIO (darwin; amd64) minio-go/v7.0.34 mc/RELEASE.2022-08-23T05-45-20Z",
          "requestHeader" : {
            "Authorization" : "AWS4-HMAC-SHA256 Credential=minio/20221220/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=566d1b59bf879f7cd4d8cd3ba6a4ba47669f0ba88d672dd7e1cef013195f7a41",
            "Content-Length" : "0",
            "User-Agent" : "MinIO (darwin; amd64) minio-go/v7.0.34 mc/RELEASE.2022-08-23T05-45-20Z",
            "X-Amz-Content-Sha256" : "UNSIGNED-PAYLOAD",
            "X-Amz-Date" : "20221220T153947Z"
          },
          "responseHeader" : {
            "Accept-Ranges" : "bytes",
            "Content-Length" : "0",
            "Content-Security-Policy" : "block-all-mixed-content",
            "Location" : "/cesarfff",
            "Server" : "MinIO",
            "Strict-Transport-Security" : "max-age=31536000; includeSubDomains",
            "Vary" : "Origin,Accept-Encoding",
            "X-Amz-Request-Id" : "17328A95AB7DDCE0",
            "X-Content-Type-Options" : "nosniff",
            "X-Xss-Protection" : "1; mode=block"
          }
        }
      }
    ]
  }
}
```
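The records stored above include the full `Authorization` request header, and the index also holds a hit with an empty `_source`. The following added example (not part of the original wiki page or of MinIO) reads a `_search` response, skips hits without an audit record, extracts the access key and masks the signature before the events are passed on. The sample response, its document ids and signature values are constructed; `summarize` and `audit_events` are hypothetical helper names.

```python
import re

# Constructed sample: a trimmed `_search` response shaped like the one above.
# The document ids and the signature values are made up.
SAMPLE = {"hits": {"hits": [
    {"_id": "doc-0", "_source": {}},
    {"_id": "doc-1", "_source": {
        "time": "2022-12-20T15:39:38.024239Z",
        "api": {"name": "GetBucketLocation", "bucket": "probe-bucket"},
        "remotehost": "192.168.1.151",
        "requestHeader": {"Authorization": "AWS4-HMAC-SHA256 "
            "Credential=minio/20221220/us-east-1/s3/aws4_request, "
            "SignedHeaders=host;x-amz-date, Signature=0011aabbccdd"}}},
    {"_id": "doc-2", "_source": {
        "time": "2022-12-20T15:39:47.14234Z",
        "api": {"name": "PutBucket", "bucket": "cesarfff"},
        "remotehost": "192.168.1.151",
        "requestHeader": {"Authorization": "AWS4-HMAC-SHA256 "
            "Credential=minio/20221220/us-east-1/s3/aws4_request, "
            "SignedHeaders=host;x-amz-date, Signature=2233eeff4455"}}},
]}}

CRED_RE = re.compile(r"Credential=([^/,\s]+)/")   # access key in SigV4 header
SIG_RE = re.compile(r"(Signature=)[0-9a-fA-F]+")  # request signature

def summarize(hit):
    """Flatten one hit; return None for hits that carry no audit record."""
    src = hit.get("_source") or {}
    api = src.get("api")
    if not api:  # e.g. the hit with an empty _source in the first query
        return None
    auth = src.get("requestHeader", {}).get("Authorization", "")
    cred = CRED_RE.search(auth)
    return {
        "id": hit.get("_id"),
        "time": src.get("time"),
        "api": api.get("name"),
        "bucket": api.get("bucket"),
        "remotehost": src.get("remotehost"),
        "access_key": cred.group(1) if cred else None,
        "authorization": SIG_RE.sub(r"\1<redacted>", auth),
    }

def audit_events(response, api_name=None):
    """Return summaries of audit records, optionally for one API name."""
    hits = response.get("hits", {}).get("hits", [])
    events = [e for e in map(summarize, hits) if e is not None]
    return [e for e in events if api_name in (None, e["api"])]

if __name__ == "__main__":
    for event in audit_events(SAMPLE, "PutBucket"):
        print(event)
```
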