Emit trace.id into audit logs (elastic#82849)
Since elastic#74210 ES has been emitting trace.id into its logs, but it was not emitted into audit logs.
This commit adds trace.id into audit logging.
pgomulka committed Jan 25, 2022
1 parent 51261d6 commit 63dfa1e
Showing 5 changed files with 99 additions and 70 deletions.
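--- a/docs/changelog/82849.yaml
+++ b/docs/changelog/82849.yaml
@@ -0,0 +1,5 @@
+pr: 82849
+summary: Emit `trace.id` into audit logs
+area: "Audit"
+type: enhancement
+issues: []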
15 changes: 9 additions & 6 deletions x-pack/docs/en/security/auditing/event-types.asciidoc
Expand Up @@ -6,7 +6,7 @@ When you are <<enable-audit-logging,auditing security events>>, a single client
request might generate multiple audit events, across multiple cluster nodes.
The common `request.id` attribute can be used to correlate the associated events.

Use the <<xpack-sa-lf-events-include,`xpack.security.audit.logfile.events.include`>>
Use the <<xpack-sa-lf-events-include,`xpack.security.audit.logfile.events.include`>>
setting in `elasticsearch.yml` to specify the kind of events you want to include
in the auditing output.

Expand Down Expand Up @@ -534,8 +534,8 @@ The following list shows attributes that are common to all audit event types:
In addition, if `event.type` equals <<security-config-change,`security_config_change`>>,
the `event.action` attribute takes one of the following values:
`put_user`, `change_password`, `put_role`, `put_role_mapping`,
`change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`,
`delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys` or
`change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`,
`delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys` or
`delete_privileges`.

`request.id` :: A synthetic identifier that can be used to correlate the events
Expand All @@ -557,9 +557,12 @@ show more details about the requesting client:
`transport` (request was received on the transport channel),
or `local_node` (the local node issued the request).
`opaque_id` :: The value of the `X-Opaque-Id` HTTP header (if present) of
the request associated with this event. This header can
be used freely by the client to mark API calls, as it has
no semantics in Elasticsearch.
the request associated with this event.
See more: <<x-opaque-id, `X-Opaque-Id` HTTP header - API conventions>>
`trace_id` :: The identifier extracted from the `traceparent` HTTP header
(if present) of the request associated with this event.
It allows to surface audit logs into the Trace Logs feature
of Elastic APM.
`x_forwarded_for` :: The verbatim value of the `X-Forwarded-For` HTTP request
header (if present) of the request associated with the
audit event. This header is commonly added by proxies
2 changes: 2 additions & 0 deletions x-pack/plugin/core/src/main/config/log4j2.properties
Expand Up @@ -35,6 +35,7 @@ appender.audit_rolling.layout.pattern = {\
%varsNotEmpty{, "request.name":"%enc{%map{request.name}}{JSON}"}\
%varsNotEmpty{, "indices":%map{indices}}\
%varsNotEmpty{, "opaque_id":"%enc{%map{opaque_id}}{JSON}"}\
%varsNotEmpty{, "trace.id":"%enc{%map{trace.id}}{JSON}"}\
%varsNotEmpty{, "x_forwarded_for":"%enc{%map{x_forwarded_for}}{JSON}"}\
%varsNotEmpty{, "transport.profile":"%enc{%map{transport.profile}}{JSON}"}\
%varsNotEmpty{, "rule":"%enc{%map{rule}}{JSON}"}\
Expand Down Expand Up @@ -74,6 +75,7 @@ appender.audit_rolling.layout.pattern = {\
# "request.name" if the event is in connection to a transport message this is the name of the request class, similar to how rest requests are identified by the url path (internal)
# "indices" the array of indices that the "action" is acting upon
# "opaque_id" opaque value conveyed by the "X-Opaque-Id" request header
# "trace_id" an identifier conveyed by the part of "traceparent" request header
# "x_forwarded_for" the addresses from the "X-Forwarded-For" request header, as a verbatim string value (not an array)
# "transport.profile" name of the transport profile in case this is a "connection_granted" or "connection_denied" event
# "rule" name of the applied rule if the "origin.type" is "ip_filter"
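Review bot: The field-list comment in the second hunk documents the new field as "trace_id", while the layout line in the first hunk emits it under the key "trace.id" (matching TRACE_ID_FIELD_NAME = "trace.id" in LoggingAuditTrail in this commit), so the comment points operators at a key that never appears in the log; the asciidoc event-types page in this commit uses the same `trace_id` spelling. The phrase "conveyed by the part of "traceparent" request header" is also unclear about what is extracted. Suggest `# "trace.id" the trace identifier extracted from the "traceparent" request header`.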
Expand Up @@ -172,6 +172,7 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
public static final String TRANSPORT_PROFILE_FIELD_NAME = "transport.profile";
public static final String RULE_FIELD_NAME = "rule";
public static final String OPAQUE_ID_FIELD_NAME = "opaque_id";
public static final String TRACE_ID_FIELD_NAME = "trace.id";
public static final String X_FORWARDED_FOR_FIELD_NAME = "x_forwarded_for";
// the fields below are used exclusively for "security_config_change" type of events, and show the configuration
// object taking effect; it could be creating a new, or updating an existing configuration
Expand Down Expand Up @@ -437,8 +438,7 @@ public void authenticationSuccess(String requestId, Authentication authenticatio
.withAuthentication(authentication)
.withRestOrigin(request)
.withRequestBody(request)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -466,8 +466,7 @@ public void authenticationSuccess(String requestId, Authentication authenticatio
.withAuthentication(authentication)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -486,8 +485,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportRequ
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -503,8 +501,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) {
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -523,8 +520,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext);
.withThreadContext(threadContext);
if (token instanceof ServiceAccountToken) {
logEntryBuilder.with(SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) token).getTokenName());
}
Expand All @@ -542,8 +538,7 @@ public void authenticationFailed(String requestId, RestRequest request) {
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -561,8 +556,7 @@ public void authenticationFailed(String requestId, String action, TransportReque
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -580,8 +574,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext);
.withThreadContext(threadContext);
if (token instanceof ServiceAccountToken) {
logEntryBuilder.with(SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) token).getTokenName());
}
Expand Down Expand Up @@ -610,8 +603,7 @@ public void authenticationFailed(
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -630,8 +622,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -667,8 +658,7 @@ public void accessGranted(
.withAuthentication(authentication)
.withRestOrTransportOrigin(msg, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.with(authorizationInfo.asMap())
.build();
}
Expand Down Expand Up @@ -775,8 +765,7 @@ public void explicitIndexAccessEvent(
.withRequestId(requestId)
.withAuthentication(authentication)
.with(INDICES_FIELD_NAME, indices)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.with(authorizationInfo.asMap());
final InetSocketAddress restAddress = RemoteHostHeader.restRemoteAddress(threadContext);
if (restAddress != null) {
Expand Down Expand Up @@ -821,8 +810,7 @@ public void accessDenied(
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.with(authorizationInfo.asMap())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -837,8 +825,7 @@ public void tamperedRequest(String requestId, RestRequest request) {
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -856,8 +843,7 @@ public void tamperedRequest(String requestId, String action, TransportRequest tr
.withRequestId(requestId)
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -886,8 +872,7 @@ public void tamperedRequest(String requestId, Authentication authentication, Str
.withRestOrTransportOrigin(transportRequest, threadContext)
.withAuthentication(authentication)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -905,8 +890,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
.with(TRANSPORT_PROFILE_FIELD_NAME, profile)
.with(RULE_FIELD_NAME, rule.toString())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand All @@ -923,8 +907,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress))
.with(TRANSPORT_PROFILE_FIELD_NAME, profile)
.with(RULE_FIELD_NAME, rule.toString())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -959,8 +942,7 @@ public void runAsGranted(
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.with(authorizationInfo.asMap())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -996,8 +978,7 @@ public void runAsDenied(
.withRestOrTransportOrigin(transportRequest, threadContext)
.with(INDICES_FIELD_NAME, indices.orElse(null))
.with(authorizationInfo.asMap())
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -1025,8 +1006,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq
.withRestOrigin(request)
.withRequestBody(request)
.withRequestId(requestId)
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.withThreadContext(threadContext)
.build();
}
}
Expand Down Expand Up @@ -1453,20 +1433,18 @@ LogEntryBuilder withRequestId(String requestId) {
return this;
}

LogEntryBuilder withOpaqueId(ThreadContext threadContext) {
final String opaqueId = threadContext.getHeader(Task.X_OPAQUE_ID_HTTP_HEADER);
if (opaqueId != null) {
logEntry.with(OPAQUE_ID_FIELD_NAME, opaqueId);
}
LogEntryBuilder withThreadContext(ThreadContext threadContext) {
setThreadContextField(threadContext, AuditTrail.X_FORWARDED_FOR_HEADER, X_FORWARDED_FOR_FIELD_NAME);
setThreadContextField(threadContext, Task.X_OPAQUE_ID_HTTP_HEADER, OPAQUE_ID_FIELD_NAME);
setThreadContextField(threadContext, Task.TRACE_ID, TRACE_ID_FIELD_NAME);
return this;
}

LogEntryBuilder withXForwardedFor(ThreadContext threadContext) {
final String xForwardedFor = threadContext.getHeader(AuditTrail.X_FORWARDED_FOR_HEADER);
if (xForwardedFor != null) {
logEntry.with(X_FORWARDED_FOR_FIELD_NAME, xForwardedFor);
private void setThreadContextField(ThreadContext threadContext, String threadContextFieldName, String auditLogFieldName) {
final String fieldValue = threadContext.getHeader(threadContextFieldName);
if (fieldValue != null) {
logEntry.with(auditLogFieldName, fieldValue);
}
return this;
}

LogEntryBuilder withAuthentication(Authentication authentication) {
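Review bot: withThreadContext now adds trace.id, but nothing documents that the value is copied verbatim from the thread-context header with no format or length check, so it carries the same trust level as opaque_id: if Task.TRACE_ID is populated from the client's `traceparent` header (the header-parsing side is not in this hunk), the audit field is client-controlled and should be read as a correlation hint, not a trusted identifier. The JSON layout escapes it (`%enc{...}{JSON}` in log4j2.properties), so the output format is covered; the gap is documentation. Suggest a Javadoc on the method, e.g. `/** Adds x_forwarded_for, opaque_id and trace.id to the entry from the request headers in {@code threadContext}; values are copied as-is when present. */`. Both new methods are complete within the hunk; the enclosing LogEntryBuilder class starts and ends outside it.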