@kamauwashington
Last active April 14, 2022 17:16

AWS OpenSearch Search Request Logging

There may be rules and regulations for logging in your production environment; consult with your web engineering or infrastructure equivalent before logging in this fashion, to prevent unwanted charges and/or side effects.

This one took some time to figure out, and the AWS documentation (Monitoring audit logs in Amazon OpenSearch Service) did not point directly to how to log inbound REST search requests to OpenSearch to CloudWatch. There wasn't much on the web either, in terms of discussions or questions on the matter, so I hope this helps someone 😃

Steps

  1. Enable audit logs on [your-domain] in the AWS Console, via REST, or via the CLI
  2. Create a CloudWatch log group, or choose an existing one.
  3. Choose an access policy that contains the appropriate permissions, or create a policy
  4. Add "logs:CreateLogStream" to the $.Statement.Action of the policy if it is not present
    1. If using an existing policy, consult with the owner of the policy to determine whether this action is already present and/or whether a new policy should be created for you
  5. In OpenSearch Dashboards go to the Security plugin
  6. Configure General Settings
  7. Enable the REST layer
  8. Disable FAILED_LOGIN, MISSING_PRIVILEGES and GRANTED_PRIVILEGES unless, of course, these are needed
  9. Disable the Transport layer unless, of course, this is needed
  10. Enable Request Body
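Step 4 is the one that is easy to get wrong when reusing an existing CloudWatch Logs resource policy. The following helper is an added example (not part of the gist) that checks a resource-policy document for the two actions the OpenSearch service principal needs on the log group, logs:PutLogEvents and logs:CreateLogStream, and appends whatever is missing to the matching Allow statement. The sample policy, account id, region and log-group name are constructed placeholders; the service principal es.amazonaws.com is the one AWS uses for OpenSearch Service log delivery.

```python
import copy
import json

# Actions the OpenSearch service needs on the log group (step 4 of the gist
# plus the PutLogEvents action every log-delivery policy already carries).
REQUIRED_ACTIONS = ("logs:PutLogEvents", "logs:CreateLogStream")
OPENSEARCH_SERVICE_PRINCIPAL = "es.amazonaws.com"

# Constructed sample: a resource policy that grants PutLogEvents only.
# The account id, region and log-group name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "es.amazonaws.com"},
            "Action": "logs:PutLogEvents",
            "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:/aws/opensearch/test-cluster/audit:*",
        }
    ],
}


def _as_list(value):
    """IAM lets Statement, Action and Principal.Service be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(granted, required):
    """IAM action matching is case-insensitive and supports a trailing '*'."""
    granted, required = granted.lower(), required.lower()
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def _grants_to_service(statement, service):
    """True if the statement's Principal names the service (or everyone)."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    services = _as_list(principal.get("Service"))
    return service in services or "*" in services


def missing_actions(policy, service=OPENSEARCH_SERVICE_PRINCIPAL):
    """Return the required actions that no Allow statement grants to `service`."""
    granted = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow" or not _grants_to_service(statement, service):
            continue
        for action in _as_list(statement.get("Action")):
            for required in REQUIRED_ACTIONS:
                if _action_covers(action, required):
                    granted.add(required)
    return [action for action in REQUIRED_ACTIONS if action not in granted]


def add_missing_actions(policy, service=OPENSEARCH_SERVICE_PRINCIPAL):
    """Return a copy of `policy` with the missing actions appended to the first
    Allow statement for `service` (the 'add to $.Statement.Action' step)."""
    missing = missing_actions(policy, service)
    updated = copy.deepcopy(policy)
    if not missing:
        return updated
    for statement in _as_list(updated.get("Statement")):
        if statement.get("Effect") == "Allow" and _grants_to_service(statement, service):
            statement["Action"] = _as_list(statement.get("Action")) + missing
            return updated
    raise ValueError(f"no Allow statement for {service}; create a new policy instead")


if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
    print(json.dumps(add_missing_actions(SAMPLE_POLICY), indent=2))
```

The corrected document can then be applied with the CLI equivalents of steps 1 to 4: `aws logs put-resource-policy --policy-name <name> --policy-document file://policy.json` for the log group policy, and `aws opensearch update-domain-config --domain-name <your-domain> --log-publishing-options '{"AUDIT_LOGS":{"CloudWatchLogsLogGroupArn":"<log-group-arn>","Enabled":true}}'` to turn on audit logs for the domain (the angle-bracket values are placeholders).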

Notes

  • It may be a good idea to ignore requests sent to _dashboard or any other paths that should be excluded from the logs, to prevent overflow
  • {$.audit_rest_request_path = *_search} is an easy way to find the incoming requests, though adding a custom header may be a better option to ensure that only valid searches are being pulled into the result set
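The same filter, plus the two notes above (exclude dashboard paths, optionally require a custom header), expressed as a small triage script over exported audit records. This is an added example and not part of the gist: the log lines are constructed to follow the field layout of the sample record below, the excluded prefix /_dashboards and the header name X-Search-Source are assumptions, and audit_request_body is parsed back from the text form the audit log stores it in.

```python
import fnmatch
import json

# Constructed sample events, one JSON object per line as CloudWatch stores them.
# Field names follow the gist's sample record; all values are made up.
SAMPLE_LOG_LINES = [
    json.dumps({
        "audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
        "audit_rest_request_method": "GET", "audit_rest_request_path": "/test/_search",
        "audit_request_effective_user": "prototype-user",
        "audit_request_remote_address": "1.1.1.1",
        "audit_rest_request_params": {"index": "test"},
        "audit_rest_request_headers": {"Content-Type": ["application/json"],
                                       "X-Search-Source": ["web-app"]},
        # body is stored as text, not as a JSON object
        "audit_request_body": json.dumps({"query": {"match": {"title": "opensearch"}}}),
        "@timestamp": "2022-04-14T02:24:05.539+00:00",
    }),
    json.dumps({  # search without the custom header and without a body
        "audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
        "audit_rest_request_method": "GET", "audit_rest_request_path": "/logs-2022/_search",
        "audit_request_effective_user": "random-user",
        "audit_request_remote_address": "1.1.1.2",
        "audit_rest_request_params": {"index": "logs-2022", "q": "title:opensearch"},
        "audit_rest_request_headers": {"Accept": ["*/*"]},
        "audit_request_body": "",
        "@timestamp": "2022-04-14T02:25:00.000+00:00",
    }),
    json.dumps({  # dashboards traffic, excluded by path prefix
        "audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
        "audit_rest_request_method": "GET", "audit_rest_request_path": "/_dashboards/app/home",
        "audit_request_effective_user": "random-user",
        "audit_rest_request_headers": {}, "audit_request_body": "",
    }),
    json.dumps({  # an index write, not a search
        "audit_category": "AUTHENTICATED", "audit_request_layer": "REST",
        "audit_rest_request_method": "PUT", "audit_rest_request_path": "/test/_doc/1",
        "audit_request_effective_user": "random-user",
        "audit_rest_request_headers": {}, "audit_request_body": json.dumps({"title": "x"}),
    }),
    json.dumps({  # transport-layer event, no REST path at all
        "audit_category": "AUTHENTICATED", "audit_request_layer": "TRANSPORT",
        "audit_request_effective_user": "random-user",
    }),
]


def is_search_request(record, path_glob="*_search", excluded_prefixes=("/_dashboards",),
                      required_header=None):
    """Mirror the CloudWatch filter {$.audit_rest_request_path = *_search} and the
    two notes: drop excluded paths and, optionally, require a marker header."""
    if record.get("audit_request_layer") != "REST":
        return False
    path = record.get("audit_rest_request_path") or ""
    if any(path.startswith(prefix) for prefix in excluded_prefixes):
        return False
    if not fnmatch.fnmatchcase(path, path_glob):
        return False
    if required_header is not None:
        header_names = {name.lower() for name in record.get("audit_rest_request_headers", {})}
        if required_header.lower() not in header_names:
            return False
    return True


def parse_body(record):
    """audit_request_body is a string; return it as JSON, or None if not JSON."""
    try:
        return json.loads(record.get("audit_request_body") or "")
    except ValueError:
        return None


def summarize(record):
    """Reduce one audit record to the fields a reviewer needs."""
    return {
        "timestamp": record.get("@timestamp"),
        "user": record.get("audit_request_effective_user"),
        "remote_address": record.get("audit_request_remote_address"),
        "index": record.get("audit_rest_request_params", {}).get("index"),
        "method": record.get("audit_rest_request_method"),
        "path": record.get("audit_rest_request_path"),
        "query": parse_body(record),
    }


def triage(lines, **filters):
    """Parse JSON log lines and return summaries of the matching search requests."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:  # skip non-JSON lines (e.g. export headers)
            continue
        if is_search_request(record, **filters):
            results.append(summarize(record))
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG_LINES, required_header="X-Search-Source"):
        print(json.dumps(hit))
```

Run it against an export of the audit log group (one event per line). Without `required_header` it behaves like the metric filter in the note; with it, only requests your own clients tag are kept, which is the "custom header" refinement the note suggests.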

Sample request log record

```json
{
    "audit_cluster_name": "111111111111:test-cluster",
    "audit_rest_request_params": {
        "index": "test"
    },
    "audit_node_name": "33b23f3f2e8e9607bc355b9c17cf21af",
    "audit_request_initiating_user": "prototype-user",
    "audit_rest_request_method": "GET",
    "audit_category": "AUTHENTICATED",
    "audit_request_origin": "REST",
    "audit_request_body": "YOUR SEARCH FILTER WOULD BE FOUND HERE AS TEXT vs JSON OBJECT",
    "audit_node_id": "4AIFR8dTTFuEkk9ce5Yd2w",
    "audit_request_layer": "REST",
    "audit_rest_request_path": "/test/_search",
    "@timestamp": "2022-04-14T02:24:05.539+00:00",
    "audit_request_effective_user_is_admin": false,
    "audit_format_version": 4,
    "audit_request_remote_address": "1.1.1.1",
    "audit_rest_request_headers": {
        "Accept": [
            "*/*"
        ],
        "Connection": [
            "close"
        ],
        "User-Agent": [
            "PostmanRuntime/7.28.4"
        ],
        "Host": [
            "search-chdxDWWhtdv3d2jxenfkdjq.us-east-1.es.amazonaws.com"
        ],
        "Accept-Encoding": [
            "gzip, deflate, br"
        ],
        "Cache-Control": [
            "no-cache"
        ],
        "Postman-Token": [
            "4d2342ca-0d38-44e0-8da6-2d8fd85f65d9"
        ],
        "Content-Length": [
            "1721"
        ],
        "Content-Type": [
            "application/json"
        ]
    },
    "audit_request_effective_user": "random-user"
}
```