elastic/elasticsearch

Audit Log: Index request_body, and store as text

Open

#29739 opened on Feb 10, 2017

Labels: :Security/Audit, >enhancement, Team:Security, help wanted

Description

Original comment by @cwurm:

Currently, if a user enables logging the request_body, it is stored as a keyword and not indexed. I believe it should be text and indexed, so it can be searched.

I hit on this when trying to find the request Kibana had made to fill a dashboard with data, and found what I had assumed would be simple unexpectedly hard. There are many requests logged even on a simple setup (10 requests per second with plain Kibana is normal), so just looking through the most recent ones often doesn't work well. Search would help.

Also, if I want to look at all instances of this dashboard being run, I'd need to filter on request_body.

I think this would be in line with the expected use of turning on full request logging: being able to quickly find specific queries is a vital part of that, e.g. when trying to determine how often a specific query was run, and by whom.
