Clarify emit_request_body description for successfully authenticated requests #29912
Comments
Original comment by @jpcarey: ++ and there should be a section for "log all search requests" that provides an example. With the current documentation, it is not easily discovered how to do this.
[docs issue triage] Leaving open. This is still relevant. As of this writing, the documentation is now here:
Audit log doc changes about:
* the new security_config_change event type (main scope of this PR)
* remove mentions of the 6.5 audit format changes (the JSON format)
* mention the new archiving and rotation by size (in v8 only)
* mention the request.id event attribute used to correlate audit events
* mention that audit is only available on certain subscription levels
* add an exhaustive audit event example list (because the schema became too complex to explain in words 😢 given the new security_config_change events)
* move the ignore policies so they are explained on a separate page (they were collocated with the logfile output since we had multiple outputs and the policies were specific to the logfile only).
Co-authored-by: Lisa Cawley [email protected]
Relates #62916
Closes #29912
Original comment by @ppf2:
https://www.elastic.co/guide/en/x-pack/current/auditing.html is a multi-page document; if the user reads carefully, they will notice that `emit_request_body` really only works on 4 different event types:
It's a fairly common use case for folks using `emit_request_body` to look at the request body for requests that are actually successful (e.g. a customer wanting to see what specific change a user made in their settings, or what specific queries they ran, even though it is a request that has authenticated successfully).
By default, auditing does not include `authentication_success` as a default event type, so this is something the end user will have to explicitly add to the `events.include` setting in order to see the request body for these requests.
To clarify this, I suggest changing the current description of the `emit_request_body` setting from:
To:
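As an added example (not from the issue or Elasticsearch's own code), a small Python helper that checks whether an audit configuration will actually record bodies for successfully authenticated requests, and extracts those bodies from JSON audit-log lines so an operator can see which searches a user ran. The sample log lines are constructed; the setting names are the real `xpack.security.audit.logfile.events.*` keys and the field names follow the JSON audit format, but a missing `include` list is treated as "authentication_success not included", which is what the issue states about the default.

```python
import json

# Elasticsearch audit settings discussed in the issue (real setting names).
EMIT_BODY = "xpack.security.audit.logfile.events.emit_request_body"
INCLUDE = "xpack.security.audit.logfile.events.include"
EXCLUDE = "xpack.security.audit.logfile.events.exclude"


def bodies_logged_for_successful_requests(settings: dict) -> bool:
    """True only if the config will actually write request bodies for
    successfully authenticated requests: emit_request_body must be on AND
    authentication_success must be explicitly included. A missing include
    list is treated as lacking authentication_success (the default gotcha)."""
    if not settings.get(EMIT_BODY, False):
        return False
    included = settings.get(INCLUDE, [])
    excluded = settings.get(EXCLUDE, [])
    return "authentication_success" in included and "authentication_success" not in excluded


def search_requests(audit_lines):
    """Return (user, path, body) for REST authentication_success events that
    carry a request body: the 'what did this user actually run' view."""
    out = []
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON or truncated lines
        if ev.get("event.type") != "rest" or ev.get("event.action") != "authentication_success":
            continue
        body = ev.get("request.body")
        if body is None:
            continue  # only present when emit_request_body is enabled
        out.append((ev.get("user.name"), ev.get("url.path"), body))
    return out


# Constructed sample lines in the JSON audit-log shape (not from a real cluster).
SAMPLE_AUDIT = [
    '{"type":"audit","event.type":"rest","event.action":"authentication_success","user.name":"alice",'
    '"request.method":"POST","url.path":"/logs-*/_search",'
    '"request.body":"{\\"query\\":{\\"match\\":{\\"message\\":\\"error\\"}}}","request.id":"r1"}',
    '{"type":"audit","event.type":"rest","event.action":"authentication_failed","user.name":"bob",'
    '"url.path":"/_cluster/settings","request.body":"{\\"persistent\\":{}}","request.id":"r2"}',
    '{"type":"audit","event.type":"transport","event.action":"access_granted","user.name":"alice","request.id":"r1"}',
    "not json at all",
]
```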