From 63dfa1e57302f6da5fbb3ea0bdbd3af6283e2c5d Mon Sep 17 00:00:00 2001 From: Przemyslaw Gomulka Date: Tue, 25 Jan 2022 11:56:51 +0100 Subject: [PATCH] Emit trace.id into audit logs (#82849) since #74210 ES is emitting trace.id into its logs, but it did not emit it into audit logs. This commit adds trace.id into audit logging. --- docs/changelog/82849.yaml | 5 ++ .../en/security/auditing/event-types.asciidoc | 15 ++-- .../core/src/main/config/log4j2.properties | 2 + .../audit/logfile/LoggingAuditTrail.java | 82 +++++++------------ .../audit/logfile/LoggingAuditTrailTests.java | 65 ++++++++++++--- 5 files changed, 99 insertions(+), 70 deletions(-) create mode 100644 docs/changelog/82849.yaml diff --git a/docs/changelog/82849.yaml b/docs/changelog/82849.yaml new file mode 100644 index 0000000000000..4b3bdcc16fac2 --- /dev/null +++ b/docs/changelog/82849.yaml @@ -0,0 +1,5 @@ +pr: 82849 +summary: Emit `trace.id` into audit logs +area: "Audit" +type: enhancement +issues: [] diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 9601ac0090262..2f92ee66c0c40 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -6,7 +6,7 @@ When you are <>, a single client request might generate multiple audit events, across multiple cluster nodes. The common `request.id` attribute can be used to correlate the associated events. -Use the <> +Use the <> setting in `elasticsearch.yml` to specify the kind of events you want to include in the auditing output. 
@@ -534,8 +534,8 @@ The following list shows attributes that are common to all audit event types: In addition, if `event.type` equals <>, the `event.action` attribute takes one of the following values: `put_user`, `change_password`, `put_role`, `put_role_mapping`, -`change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, -`delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys` or +`change_enable_user`, `change_disable_user`, `put_privileges`, `create_apikey`, +`delete_user`, `delete_role`, `delete_role_mapping`, `invalidate_apikeys` or `delete_privileges`. `request.id` :: A synthetic identifier that can be used to correlate the events @@ -557,9 +557,12 @@ show more details about the requesting client: `transport` (request was received on the transport channel), or `local_node` (the local node issued the request). `opaque_id` :: The value of the `X-Opaque-Id` HTTP header (if present) of - the request associated with this event. This header can - be used freely by the client to mark API calls, as it has - no semantics in Elasticsearch. + the request associated with this event. + See more: <> +`trace_id` :: The identifier extracted from the `traceparent` HTTP header + (if present) of the request associated with this event. + It allows to surface audit logs into the Trace Logs feature + of Elastic APM. `x_forwarded_for` :: The verbatim value of the `X-Forwarded-For` HTTP request header (if present) of the request associated with the audit event. This header is commonly added by proxies diff --git a/x-pack/plugin/core/src/main/config/log4j2.properties b/x-pack/plugin/core/src/main/config/log4j2.properties index 1c7e311b5634a..e9165494c2a0d 100644 --- a/x-pack/plugin/core/src/main/config/log4j2.properties +++ b/x-pack/plugin/core/src/main/config/log4j2.properties 
@@ -35,6 +35,7 @@ appender.audit_rolling.layout.pattern = {\ %varsNotEmpty{, "request.name":"%enc{%map{request.name}}{JSON}"}\ %varsNotEmpty{, "indices":%map{indices}}\ %varsNotEmpty{, "opaque_id":"%enc{%map{opaque_id}}{JSON}"}\ + %varsNotEmpty{, "trace.id":"%enc{%map{trace.id}}{JSON}"}\ %varsNotEmpty{, "x_forwarded_for":"%enc{%map{x_forwarded_for}}{JSON}"}\ %varsNotEmpty{, "transport.profile":"%enc{%map{transport.profile}}{JSON}"}\ %varsNotEmpty{, "rule":"%enc{%map{rule}}{JSON}"}\ @@ -74,6 +75,7 @@ appender.audit_rolling.layout.pattern = {\ # "request.name" if the event is in connection to a transport message this is the name of the request class, similar to how rest requests are identified by the url path (internal) # "indices" the array of indices that the "action" is acting upon # "opaque_id" opaque value conveyed by the "X-Opaque-Id" request header +# "trace_id" an identifier conveyed by the part of "traceparent" request header # "x_forwarded_for" the addresses from the "X-Forwarded-For" request header, as a verbatim string value (not an array) # "transport.profile" name of the transport profile in case this is a "connection_granted" or "connection_denied" event # "rule" name of the applied rule if the "origin.type" is "ip_filter" diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java index d8d5cfc1d6203..1a101c618e160 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java 
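Review bot: The legend comment added in the second hunk, `# "trace_id" an identifier conveyed by the part of "traceparent" request header`, names a key that the layout never emits. The pattern line added in the first hunk and `TRACE_ID_FIELD_NAME` in LoggingAuditTrail.java both use `trace.id`. Anyone building an audit-log parser or a detection query from this legend would look for the wrong field. I would change the comment to `# "trace.id" the trace identifier taken from the "traceparent" request header`. The `trace_id` entry added to event-types.asciidoc in this commit has the same mismatch.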
@@ -172,6 +172,7 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener { public static final String TRANSPORT_PROFILE_FIELD_NAME = "transport.profile"; public static final String RULE_FIELD_NAME = "rule"; public static final String OPAQUE_ID_FIELD_NAME = "opaque_id"; + public static final String TRACE_ID_FIELD_NAME = "trace.id"; public static final String X_FORWARDED_FOR_FIELD_NAME = "x_forwarded_for"; // the fields below are used exclusively for "security_config_change" type of events, and show the configuration // object taking effect; it could be creating a new, or updating an existing configuration @@ -437,8 +438,7 @@ public void authenticationSuccess(String requestId, Authentication authenticatio .withAuthentication(authentication) .withRestOrigin(request) .withRequestBody(request) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -466,8 +466,7 @@ public void authenticationSuccess(String requestId, Authentication authenticatio .withAuthentication(authentication) .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -486,8 +485,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportRequ .withRequestId(requestId) .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -503,8 +501,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) { .withRestOrigin(request) .withRequestBody(request) .withRequestId(requestId) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } 
@@ -523,8 +520,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St .withRequestId(requestId) .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext); + .withThreadContext(threadContext); if (token instanceof ServiceAccountToken) { logEntryBuilder.with(SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) token).getTokenName()); } @@ -542,8 +538,7 @@ public void authenticationFailed(String requestId, RestRequest request) { .withRestOrigin(request) .withRequestBody(request) .withRequestId(requestId) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -561,8 +556,7 @@ public void authenticationFailed(String requestId, String action, TransportReque .withRequestId(requestId) .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -580,8 +574,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re .withRestOrigin(request) .withRequestBody(request) .withRequestId(requestId) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext); + .withThreadContext(threadContext); if (token instanceof ServiceAccountToken) { logEntryBuilder.with(SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) token).getTokenName()); } @@ -610,8 +603,7 @@ public void authenticationFailed( .withRequestId(requestId) .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } 
@@ -630,8 +622,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT .withRestOrigin(request) .withRequestBody(request) .withRequestId(requestId) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -667,8 +658,7 @@ public void accessGranted( .withAuthentication(authentication) .withRestOrTransportOrigin(msg, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .with(authorizationInfo.asMap()) .build(); } @@ -775,8 +765,7 @@ public void explicitIndexAccessEvent( .withRequestId(requestId) .withAuthentication(authentication) .with(INDICES_FIELD_NAME, indices) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .with(authorizationInfo.asMap()); final InetSocketAddress restAddress = RemoteHostHeader.restRemoteAddress(threadContext); if (restAddress != null) { @@ -821,8 +810,7 @@ public void accessDenied( .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) .with(authorizationInfo.asMap()) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -837,8 +825,7 @@ public void tamperedRequest(String requestId, RestRequest request) { .withRestOrigin(request) .withRequestBody(request) .withRequestId(requestId) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -856,8 +843,7 @@ public void tamperedRequest(String requestId, String action, TransportRequest tr .withRequestId(requestId) .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } 
@@ -886,8 +872,7 @@ public void tamperedRequest(String requestId, Authentication authentication, Str .withRestOrTransportOrigin(transportRequest, threadContext) .withAuthentication(authentication) .with(INDICES_FIELD_NAME, indices.orElse(null)) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -905,8 +890,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress)) .with(TRANSPORT_PROFILE_FIELD_NAME, profile) .with(RULE_FIELD_NAME, rule.toString()) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -923,8 +907,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(inetAddress)) .with(TRANSPORT_PROFILE_FIELD_NAME, profile) .with(RULE_FIELD_NAME, rule.toString()) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -959,8 +942,7 @@ public void runAsGranted( .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) .with(authorizationInfo.asMap()) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -996,8 +978,7 @@ public void runAsDenied( .withRestOrTransportOrigin(transportRequest, threadContext) .with(INDICES_FIELD_NAME, indices.orElse(null)) .with(authorizationInfo.asMap()) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } 
@@ -1025,8 +1006,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq .withRestOrigin(request) .withRequestBody(request) .withRequestId(requestId) - .withOpaqueId(threadContext) - .withXForwardedFor(threadContext) + .withThreadContext(threadContext) .build(); } } @@ -1453,20 +1433,18 @@ LogEntryBuilder withRequestId(String requestId) { return this; } - LogEntryBuilder withOpaqueId(ThreadContext threadContext) { - final String opaqueId = threadContext.getHeader(Task.X_OPAQUE_ID_HTTP_HEADER); - if (opaqueId != null) { - logEntry.with(OPAQUE_ID_FIELD_NAME, opaqueId); - } + LogEntryBuilder withThreadContext(ThreadContext threadContext) { + setThreadContextField(threadContext, AuditTrail.X_FORWARDED_FOR_HEADER, X_FORWARDED_FOR_FIELD_NAME); + setThreadContextField(threadContext, Task.X_OPAQUE_ID_HTTP_HEADER, OPAQUE_ID_FIELD_NAME); + setThreadContextField(threadContext, Task.TRACE_ID, TRACE_ID_FIELD_NAME); return this; } - LogEntryBuilder withXForwardedFor(ThreadContext threadContext) { - final String xForwardedFor = threadContext.getHeader(AuditTrail.X_FORWARDED_FOR_HEADER); - if (xForwardedFor != null) { - logEntry.with(X_FORWARDED_FOR_FIELD_NAME, xForwardedFor); + private void setThreadContextField(ThreadContext threadContext, String threadContextFieldName, String auditLogFieldName) { + final String fieldValue = threadContext.getHeader(threadContextFieldName); + if (fieldValue != null) { + logEntry.with(auditLogFieldName, fieldValue); } - return this; } LogEntryBuilder withAuthentication(Authentication authentication) { diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java index e1e55cd86f0ef..d630c80c06592 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java 
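Review bot: `withThreadContext`, added in the last hunk of this file, has no comment, although it now decides which request-derived values land in every audit entry. Per the documentation in this commit, all three originate from request headers: `X-Forwarded-For`, `X-Opaque-Id` and the `traceparent`-derived trace id. `setThreadContextField` copies each one with only a null check. I would add a Javadoc such as `/** Copies the client-supplied x_forwarded_for, opaque_id and trace.id values from the thread context when present; values are not validated here. */`, so readers treat them as correlation hints and keep using the synthetic `request.id` to tie events together. Whether `Task.TRACE_ID` is format-checked before it reaches the thread context is not visible in this diff, so the comment should not promise that. The builder class starts and ends outside the hunk.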
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java @@ -304,6 +304,9 @@ public void init() throws Exception { if (randomBoolean()) { threadContext.putHeader(Task.X_OPAQUE_ID_HTTP_HEADER, randomAlphaOfLengthBetween(1, 4)); } + if (randomBoolean()) { + threadContext.putHeader(Task.TRACE_ID, randomAlphaOfLength(32)); + } if (randomBoolean()) { threadContext.putHeader( AuditTrail.X_FORWARDED_FOR_HEADER, @@ -1319,6 +1322,7 @@ public void testAnonymousAccessDeniedTransport() throws Exception { indicesRequest(request, checkedFields, checkedArrayFields); restOrTransportOrigin(request, threadContext, checkedFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -1356,6 +1360,7 @@ public void testAnonymousAccessDeniedRest() throws Exception { .put(LoggingAuditTrail.URL_PATH_FIELD_NAME, "_uri") .put(LoggingAuditTrail.URL_QUERY_FIELD_NAME, null); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); @@ -1388,6 +1393,7 @@ public void testAuthenticationFailed() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); 
@@ -1415,6 +1421,7 @@ public void testAuthenticationFailedNoToken() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -1462,6 +1469,7 @@ public void testAuthenticationFailedRest() throws Exception { checkedFields.put(LoggingAuditTrail.SERVICE_TOKEN_NAME_FIELD_NAME, ((ServiceAccountToken) authToken).getTokenName()); } opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); @@ -1505,6 +1513,7 @@ public void testAuthenticationFailedRestNoToken() throws Exception { .put(LoggingAuditTrail.URL_PATH_FIELD_NAME, "_uri") .put(LoggingAuditTrail.URL_QUERY_FIELD_NAME, params.isEmpty() ? null : "bar=baz"); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); @@ -1542,6 +1551,7 @@ public void testAuthenticationFailedRealm() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); } 
@@ -1586,6 +1596,7 @@ public void testAuthenticationFailedRealmRest() throws Exception { .put(LoggingAuditTrail.URL_PATH_FIELD_NAME, "_uri") .put(LoggingAuditTrail.URL_QUERY_FIELD_NAME, params.isEmpty() ? null : "_param=baz"); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); } @@ -1611,6 +1622,7 @@ public void testAccessGranted() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -1631,6 +1643,7 @@ public void testAccessGranted() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -1735,6 +1748,7 @@ public void testSystemAccessGranted() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); clearLog(); 
@@ -1762,6 +1776,7 @@ public void testSystemAccessGranted() throws Exception { authentication(authentication, checkedFields); restOrTransportOrigin(request, threadContext, checkedFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); if (index != null) { checkedArrayFields.put(LoggingAuditTrail.INDICES_FIELD_NAME, new String[] { index }); @@ -1798,6 +1813,7 @@ public void testAccessGrantedInternalSystemAction() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); } @@ -1822,6 +1838,7 @@ public void testAccessGrantedInternalSystemActionNonSystemUser() throws Exceptio restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -1842,6 +1859,7 @@ public void testAccessGrantedInternalSystemActionNonSystemUser() throws Exceptio restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); 
@@ -1879,6 +1897,7 @@ public void testAccessDenied() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -1899,6 +1918,7 @@ public void testAccessDenied() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -1937,6 +1957,7 @@ public void testTamperedRequestRest() throws Exception { .put(LoggingAuditTrail.URL_PATH_FIELD_NAME, "_uri") .put(LoggingAuditTrail.URL_QUERY_FIELD_NAME, params.isEmpty() ? null : "_param=baz"); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); @@ -1964,6 +1985,7 @@ public void testTamperedRequest() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); 
@@ -1993,6 +2015,7 @@ public void testTamperedRequestWithUser() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -2012,6 +2035,7 @@ public void testTamperedRequestWithUser() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -2043,6 +2067,7 @@ public void testConnectionDenied() throws Exception { .put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile) .put(LoggingAuditTrail.RULE_FIELD_NAME, "deny _all"); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); @@ -2081,6 +2106,7 @@ public void testConnectionGranted() throws Exception { .put(LoggingAuditTrail.TRANSPORT_PROFILE_FIELD_NAME, profile) .put(LoggingAuditTrail.RULE_FIELD_NAME, "allow default:accept_all"); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); } @@ -2112,6 +2138,7 @@ public void testRunAsGranted() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); 
@@ -2149,6 +2176,7 @@ public void testRunAsDenied() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -2204,6 +2232,7 @@ public void testAuthenticationSuccessRest() throws Exception { } authentication(authentication, checkedFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); @@ -2229,6 +2258,7 @@ public void testAuthenticationSuccessRest() throws Exception { } authentication(authentication, checkedFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap()); } @@ -2257,6 +2287,7 @@ public void testAuthenticationSuccessTransport() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); @@ -2276,6 +2307,7 @@ public void testAuthenticationSuccessTransport() throws Exception { restOrTransportOrigin(request, threadContext, checkedFields); indicesRequest(request, checkedFields, checkedArrayFields); opaqueId(threadContext, checkedFields); + traceId(threadContext, checkedFields); forwardedFor(threadContext, checkedFields); assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap()); } 
@@ -2682,21 +2714,30 @@ private static void authentication(Authentication authentication, MapBuilder checkedFields) { - final String opaqueId = threadContext.getHeader(Task.X_OPAQUE_ID_HTTP_HEADER); - if (opaqueId != null) { - checkedFields.put(LoggingAuditTrail.OPAQUE_ID_FIELD_NAME, opaqueId); - } else { - checkedFields.put(LoggingAuditTrail.OPAQUE_ID_FIELD_NAME, null); - } + setFieldFromThreadContext(threadContext, checkedFields, Task.X_OPAQUE_ID_HTTP_HEADER, LoggingAuditTrail.OPAQUE_ID_FIELD_NAME); + } + + private static void traceId(ThreadContext threadContext, MapBuilder checkedFields) { + setFieldFromThreadContext(threadContext, checkedFields, Task.TRACE_ID, LoggingAuditTrail.TRACE_ID_FIELD_NAME); } private static void forwardedFor(ThreadContext threadContext, MapBuilder checkedFields) { - final String forwardedFor = threadContext.getHeader(AuditTrail.X_FORWARDED_FOR_HEADER); - if (forwardedFor != null) { - checkedFields.put(LoggingAuditTrail.X_FORWARDED_FOR_FIELD_NAME, forwardedFor); - } else { - checkedFields.put(LoggingAuditTrail.X_FORWARDED_FOR_FIELD_NAME, null); - } + setFieldFromThreadContext( + threadContext, + checkedFields, + AuditTrail.X_FORWARDED_FOR_HEADER, + LoggingAuditTrail.X_FORWARDED_FOR_FIELD_NAME + ); + } + + private static void setFieldFromThreadContext( + ThreadContext threadContext, + MapBuilder checkedFields, + String threadContextFieldName, + String logFieldName + ) { + final String value = threadContext.getHeader(threadContextFieldName); + checkedFields.put(logFieldName, value); } private static void indicesRequest(