elasticsearch_0">【elasticsearch】慢查询替代查询审计的尝试

使用了es有两年了，突然发现一个，es没有查询审计日志，某个用户查询了某个索引的审计。
找了官方文档和社区的回复都是说使用slow log替代慢查询。
尝试一下。

参考链接1：https://discuss.elastic.co/t/does-elasticsearch-capture-audit-logs-for-query-dsl-eql-and-sql-or-not/339398/8
参考链接2：https://www.elastic.co/guide/en/elasticsearch/reference/7.17/auditing-search-queries.html

前置条件

elasticsearch： 7.17.13
操作系统：linux7.9
es加密配置，只有加密后才可以使用audit log

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

普通查询

 curl -u elastic:AAA320 localhost:9200/sq-20240506/_search

普通插入

curl -u elastic:AAA320 -H 'Content-Type: application/json' -X POST localhost:9200/sq-20240506/_doc/1 -d '
{
"firstname": "Krishna",
"lastname": "kumar"
}'

上述查询和插入没有任何slow log信息。

设置慢查询

这里设置trace的慢查询为0ms，会捕获所有查询。

curl -u elastic:AAA320 -H 'Content-Type: application/json'  -XPUT 'http://localhost:9200/_all/_settings?preserve_existing=true' -d '{"index.search.slowlog.threshold.fetch.debug" : "500ms","index.search.slowlog.threshold.fetch.info" : "800ms","index.search.slowlog.threshold.fetch.trace" : "0ms","index.search.slowlog.threshold.fetch.warn" : "1s","index.search.slowlog.threshold.query.debug" : "2s","index.search.slowlog.threshold.query.info" : "5s","index.search.slowlog.threshold.query.trace" : "0ms","index.search.slowlog.threshold.query.warn" : "10s"
}'

查看日志

慢查询日志，存放再es的日志文件夹中，elasticsearch_index_search_slowlog.log,这里可以看到TRACE级别的日志，可以看到分query和fetch两种，有节点信息、索引信息、分片以及耗时，但是我还是觉得这里缺少了查询用户，查询来源信息，目前还是无法满足我的实际排查需求。

] tailf elasticsearch_index_search_slowlog.log
[2024-05-06T16:33:29,528][TRACE][i.s.s.query              ] [node-1] [sq-20240506][0] took[179.4micros], took_millis[0], total_hits[1 hits], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{}], id[], 
[2024-05-06T16:33:29,529][TRACE][i.s.s.fetch              ] [node-1] [sq-20240506][0] took[3.3ms], took_millis[3], total_hits[1 hits], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{}], id[],

取消慢查询

curl -u elastic:AAA320 -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_all/_settings' -d '{"index.search.slowlog.threshold.fetch.debug": null,"index.search.slowlog.threshold.fetch.info": null,"index.search.slowlog.threshold.fetch.trace": null,"index.search.slowlog.threshold.fetch.warn": null,"index.search.slowlog.threshold.query.debug": null,"index.search.slowlog.threshold.query.info": null,"index.search.slowlog.threshold.query.trace": null,"index.search.slowlog.threshold.query.warn": null
}'