Remove index audit trail in favor of filebeat #29881
Comments
|
Original comment by @jaymode:
Let's make sure we take care of our users; we will need to create a filebeat module so that there is an easier transition for users of this feature. I did not see that stated anywhere in the issue.
Let's keep this discussion separate.
I do not see how/why we need to do this? The logfile needs to be human readable IMO and I do not find JSON docs to be as readable as a log message.
I think most users may be unaware of the limitations with the index audit implementation; this is something we see and know by looking at the implementation. |
|
Original comment by @tvernum:
We've generally taken the view (with strong support from the ingest team) that we need to move to structured logging in order to facilitate reliable log ingest. The audit log is already somewhat structured, since it print key/values with defined separators, but it's not quite there. For example, actions with embedded I would favour us having a fully structured output (even if it's just key-value pairs) and if we support that, then newline-delimetered JSON output would be quite simple to produce and would make the ingest module easier to build and maintain. It doesn't have to be JSON, but it does need to be:
And we're not doing XML! 😈 |
|
Original comment by @tvernum: Also to consider: How does It is currently handled differently between index and logfile on the expectation that indices have more disk space available than logs. But if we do this, then there is only 1 output method and we probably need to make |
|
Original comment by @jaymode: My concerns about JSON may be unfounded but agree that structure is important and its a well known format.
Actually, disk space was not the deciding factor for these; it was more about readability and being able to parse through the information in a log file. For the index, we have search capabilities and didn't care how many documents we output by default, since elasticsearch "you know, for search" :)
I am on the fence about this one. Until we have the ability to associate entries with one another, it might be necessary to know the request body in order to correlate various audit entries with one another. |
|
Original comment by @clintongormley:
The audit log could be a good place to test out a new structured log format. We should collaborate with the ES team to discuss how to go about the filebeat module. /cc @andrewkroh @tsg |
|
Original comment by @tvernum: Re My concern is that for some users the logfile is going to be the final output, and for some users the logfile is just a mechanism to feed events into Beats and on to their audit cluster. We probably need to do something to distiguish between users who want the log file to be usable in its own right (with less noise), and those who want to capture everything in order to send it off to ES. That might mean a compact vs full output, of more tweakable options, or 2 output formats ("human" vs "json"), but when we plan the details, we'll need to bear in mind that we will have at least 2 different sets of consumers of the audit file (humans and beats). |
@tvernum It looks to me that both audit trails use the same method to print the request content: So I don't think that there are two formats? In addition I think we should keep request as they are received, escaped and sanitized if only because requests can be malformed. I don't think we can get this field to a state where it will be indexed and searchable. |
Compare: The file based format (intentionally) only honours If we were to have a single, file based output format, then which of those two approaches should it follow? Presumably it would include all bodies, because a replacement for the index output ought to maintain full feature parity. But that would mean we are throwing out the reasons for not including all event bodies in the file output. I believe we need something that controls that behaviour. It could be two different output types (that both produce files, just with different formats & levels of detail), or it could be a setting that allows the administrator to control which events have their bodies emitted, but I don't want us to go with either of the two simplistic options:
|
|
@albertzaharovits has opened a issue to discuss the structured format #31046 |
This PR deprecates the index audit output. In general, the problem with the index audit output is that event indexing can be slower than the rate with which audit events are generated, especially during the daily rollovers or the rolling cluster upgrades. In this situation audit events will be lost which is a terrible failure situation for an audit system. Besides of the settings under the `xpack.security.audit.index` namespace, the `xpack.security.audit.outputs` setting has also been deprecated and will be removed in 7. Although explicitly configuring the logfile output does not touch any deprecation bits, this setting is made redundant in 7 so this PR deprecates it as well. Relates #29881
This commit removes the Index Audit Output type, following its deprecation in 6.7 by 8765a31. It also adds the migration notice (settings notice). In general, the problem with the index audit output is that event indexing can be slower than the rate with which audit events are generated, especially during the daily rollovers or the rolling cluster upgrades. In this situation audit events will be lost which is a terrible failure situation for an audit system. Besides of the settings under the `xpack.security.audit.index` namespace, the `xpack.security.audit.outputs` setting has also been deprecated and will be removed in 7. Although explicitly configuring the logfile output does not touch any deprecation bits, this setting is made redundant in 7 so this PR deprecates it as well. Relates #29881
|
The ES work has been accomplished across multiple PR, most recently #37671 and #37707 . |
|
Can we still index the .security_audit_log to a separate monitoring cluster (with license)? In what index is the audit data written? Not Filebeat I hope? |
|
@willemdh At Elastic we prefer to keep GitHub issues focused on the issues relating to developing a feature, and leave questions about how to use it to our forums. If you would like more information about how to ingest audit events into a remote cluster, please open a new topic on the forum. Thanks. |
Original comment by @albertzaharovits:
Right now Security has the capability to index the audit events trail on the local or a remote cluster.
I want to moot the removal of this in favor of filebeat.
The standing logging audit trail will remain the only auditing option. It could possibly be improved with a syslog appender.
This way, logging audit trail will handle the durability of the audit events, and we will leave search-ability to the user to do.
Given the overlapping of functionality with filebeat, the index auditing is more of a convenience functionality. More importantly, the asynchronicity of enqueuing audit events, shipping over the network and then indexing will make the failure-state-when-auditing-unavailable feature impractical in this case. Another feature, namely integrity-verification will also be tricky to implement, although, arguably, there's no clear solution for logging too (possibly ship events to syslog or Event Viewer and let them handle the integrity feature).
Another inconvenience is that we are indexing all the event's fields with fixed mappings, and the user cannot change this. The audit trail corpus is beefy, we should allow for indexing only a subset of fields with custom mappings.
Spice all this with the problem of permission around the audit index which is hard to get right in the remote cluster case.
Index audit trail has grown into a toy functionality which a security conscious user (presumably ones that enable audit logging in the first place) will want to stay away from.
TODO: In the process we ought to make audit events JSON docs.
CC @elastic/es-security
pinging @clintongormley as this is a xstack venture
The text was updated successfully, but these errors were encountered: