Module org.elasticsearch.security
Class LoggingAuditTrail
java.lang.Object
org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
- All Implemented Interfaces:
ClusterStateListener, AuditTrail
-
Field Summary
Fields
Modifier and Type | Field | Description
static final String | |
protected static final Setting.AffixSetting<List<String>> | |
Fields inherited from interface org.elasticsearch.xpack.security.audit.AuditTrail
X_FORWARDED_FOR_HEADER
-
Constructor Summary
Constructors
Constructor | Description
LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) |
-
Method Summary
Modifier and Type | Method | Description
void | accessDenied(String requestId, Authentication authentication, String action, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo) |
void | accessGranted(String requestId, Authentication authentication, String action, TransportRequest msg, AuthorizationEngine.AuthorizationInfo authorizationInfo) |
void | anonymousAccessDenied(String requestId, String action, TransportRequest transportRequest) |
void | anonymousAccessDenied(String requestId, HttpPreRequest request) |
void | authenticationFailed(String requestId, String action, TransportRequest transportRequest) |
void | authenticationFailed(String requestId, String realm, AuthenticationToken token, String action, TransportRequest transportRequest) |
void | authenticationFailed(String requestId, String realm, AuthenticationToken token, HttpPreRequest request) |
void | authenticationFailed(String requestId, HttpPreRequest request) |
void | authenticationFailed(String requestId, AuthenticationToken token, String action, TransportRequest transportRequest) |
void | authenticationFailed(String requestId, AuthenticationToken token, HttpPreRequest request) |
void | authenticationSuccess(String requestId, Authentication authentication, String action, TransportRequest transportRequest) |
void | authenticationSuccess(RestRequest request) |
void | |
void | connectionDenied(InetSocketAddress inetAddress, String profile, SecurityIpFilterRule rule) |
void | connectionGranted(InetSocketAddress inetAddress, String profile, SecurityIpFilterRule rule) | The AuditTrail.connectionGranted(InetSocketAddress, String, SecurityIpFilterRule) and AuditTrail.connectionDenied(InetSocketAddress, String, SecurityIpFilterRule) methods do not have a requestId because they relate to a potentially long-lived TCP connection, not a single request.
void | coordinatingActionResponse(String requestId, Authentication authentication, String action, TransportRequest transportRequest, TransportResponse transportResponse) |
void | explicitIndexAccessEvent(String requestId, AuditLevel eventType, Authentication authentication, String action, String[] indices, String requestName, InetSocketAddress remoteAddress, AuthorizationEngine.AuthorizationInfo authorizationInfo) | This is a "workaround" method to log index "access_granted" and "access_denied" events for actions not tied to a TransportMessage, or when the connection is not 1:1, i.e.
boolean | |
 | name() |
static void | registerSettings(List<Setting<?>> settings) |
void | runAsDenied(String requestId, Authentication authentication, String action, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo) |
void | runAsDenied(String requestId, Authentication authentication, HttpPreRequest request, AuthorizationEngine.AuthorizationInfo authorizationInfo) |
void | runAsGranted(String requestId, Authentication authentication, String action, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo) |
void | tamperedRequest(String requestId, String action, TransportRequest transportRequest) |
void | tamperedRequest(String requestId, HttpPreRequest request) |
void | tamperedRequest(String requestId, Authentication authentication, String action, TransportRequest transportRequest) |
-
Field Details
-
REST_ORIGIN_FIELD_VALUE
-
LOCAL_ORIGIN_FIELD_VALUE
-
TRANSPORT_ORIGIN_FIELD_VALUE
-
IP_FILTER_ORIGIN_FIELD_VALUE
-
SECURITY_CHANGE_ORIGIN_FIELD_VALUE
-
LOG_TYPE
-
TIMESTAMP
-
ORIGIN_TYPE_FIELD_NAME
-
ORIGIN_ADDRESS_FIELD_NAME
-
NODE_NAME_FIELD_NAME
-
NODE_ID_FIELD_NAME
-
HOST_ADDRESS_FIELD_NAME
-
HOST_NAME_FIELD_NAME
-
CLUSTER_NAME_FIELD_NAME
-
CLUSTER_UUID_FIELD_NAME
-
EVENT_TYPE_FIELD_NAME
-
EVENT_ACTION_FIELD_NAME
-
PRINCIPAL_FIELD_NAME
-
PRINCIPAL_RUN_BY_FIELD_NAME
-
PRINCIPAL_RUN_AS_FIELD_NAME
-
PRINCIPAL_REALM_FIELD_NAME
-
CROSS_CLUSTER_ACCESS_FIELD_NAME
-
PRINCIPAL_DOMAIN_FIELD_NAME
-
PRINCIPAL_RUN_BY_REALM_FIELD_NAME
-
PRINCIPAL_RUN_BY_DOMAIN_FIELD_NAME
-
PRINCIPAL_RUN_AS_REALM_FIELD_NAME
-
PRINCIPAL_RUN_AS_DOMAIN_FIELD_NAME
-
API_KEY_ID_FIELD_NAME
-
API_KEY_NAME_FIELD_NAME
-
SERVICE_TOKEN_NAME_FIELD_NAME
-
SERVICE_TOKEN_TYPE_FIELD_NAME
-
PRINCIPAL_ROLES_FIELD_NAME
-
AUTHENTICATION_TYPE_FIELD_NAME
-
REALM_FIELD_NAME
-
URL_PATH_FIELD_NAME
-
URL_QUERY_FIELD_NAME
-
REQUEST_METHOD_FIELD_NAME
-
REQUEST_BODY_FIELD_NAME
-
REQUEST_ID_FIELD_NAME
-
ACTION_FIELD_NAME
-
INDICES_FIELD_NAME
-
REQUEST_NAME_FIELD_NAME
-
TRANSPORT_PROFILE_FIELD_NAME
-
RULE_FIELD_NAME
-
OPAQUE_ID_FIELD_NAME
-
TRACE_ID_FIELD_NAME
-
X_FORWARDED_FOR_FIELD_NAME
-
PUT_CONFIG_FIELD_NAME
-
DELETE_CONFIG_FIELD_NAME
-
CHANGE_CONFIG_FIELD_NAME
-
CREATE_CONFIG_FIELD_NAME
-
INVALIDATE_API_KEYS_FIELD_NAME
-
NAME
-
EMIT_HOST_ADDRESS_SETTING
-
EMIT_HOST_NAME_SETTING
-
EMIT_NODE_NAME_SETTING
-
EMIT_NODE_ID_SETTING
-
EMIT_CLUSTER_NAME_SETTING
-
EMIT_CLUSTER_UUID_SETTING
-
INCLUDE_EVENT_SETTINGS
-
EXCLUDE_EVENT_SETTINGS
-
INCLUDE_REQUEST_BODY
-
SECURITY_CHANGE_ACTIONS
-
FILTER_POLICY_IGNORE_PRINCIPALS
-
FILTER_POLICY_IGNORE_REALMS
-
FILTER_POLICY_IGNORE_ROLES
-
FILTER_POLICY_IGNORE_INDICES
-
FILTER_POLICY_IGNORE_ACTIONS
-
-
Constructor Details
-
LoggingAuditTrail
-
-
Method Details
-
name
- Specified by:
name in interface AuditTrail
-
authenticationSuccess
- Specified by:
authenticationSuccess in interface AuditTrail
-
authenticationSuccess
public void authenticationSuccess(String requestId, Authentication authentication, String action, TransportRequest transportRequest)
- Specified by:
authenticationSuccess in interface AuditTrail
-
anonymousAccessDenied
public void anonymousAccessDenied(String requestId, String action, TransportRequest transportRequest)
- Specified by:
anonymousAccessDenied in interface AuditTrail
-
anonymousAccessDenied
- Specified by:
anonymousAccessDenied in interface AuditTrail
-
authenticationFailed
public void authenticationFailed(String requestId, AuthenticationToken token, String action, TransportRequest transportRequest)
- Specified by:
authenticationFailed in interface AuditTrail
-
authenticationFailed
- Specified by:
authenticationFailed in interface AuditTrail
-
authenticationFailed
public void authenticationFailed(String requestId, String action, TransportRequest transportRequest)
- Specified by:
authenticationFailed in interface AuditTrail
-
authenticationFailed
public void authenticationFailed(String requestId, AuthenticationToken token, HttpPreRequest request)
- Specified by:
authenticationFailed in interface AuditTrail
-
authenticationFailed
public void authenticationFailed(String requestId, String realm, AuthenticationToken token, String action, TransportRequest transportRequest)
- Specified by:
authenticationFailed in interface AuditTrail
-
authenticationFailed
public void authenticationFailed(String requestId, String realm, AuthenticationToken token, HttpPreRequest request)
- Specified by:
authenticationFailed in interface AuditTrail
-
accessGranted
public void accessGranted(String requestId, Authentication authentication, String action, TransportRequest msg, AuthorizationEngine.AuthorizationInfo authorizationInfo)
- Specified by:
accessGranted in interface AuditTrail
-
explicitIndexAccessEvent
public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Authentication authentication, String action, String[] indices, String requestName, InetSocketAddress remoteAddress, AuthorizationEngine.AuthorizationInfo authorizationInfo)
Description copied from interface: AuditTrail
This is a "workaround" method to log index "access_granted" and "access_denied" events for actions not tied to a TransportMessage, or when the connection is not 1:1, i.e. several audit events for an action associated with the same message. It is currently only used to audit the resolved index (alias) name for each BulkItemRequest comprised by a BulkShardRequest. We should strive to not use this and TODO refactor it out!
- Specified by:
explicitIndexAccessEvent in interface AuditTrail
-
accessDenied
public void accessDenied(String requestId, Authentication authentication, String action, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo)
- Specified by:
accessDenied in interface AuditTrail
-
tamperedRequest
- Specified by:
tamperedRequest in interface AuditTrail
-
tamperedRequest
- Specified by:
tamperedRequest in interface AuditTrail
-
tamperedRequest
public void tamperedRequest(String requestId, Authentication authentication, String action, TransportRequest transportRequest)
- Specified by:
tamperedRequest in interface AuditTrail
-
connectionGranted
public void connectionGranted(InetSocketAddress inetAddress, String profile, SecurityIpFilterRule rule)
Description copied from interface: AuditTrail
The AuditTrail.connectionGranted(InetSocketAddress, String, SecurityIpFilterRule) and AuditTrail.connectionDenied(InetSocketAddress, String, SecurityIpFilterRule) methods do not have a requestId because they relate to a potentially long-lived TCP connection, not a single request. For both Transport and Rest connections, a single connection granted/denied event is generated even if that connection is used for multiple Elasticsearch actions (potentially as different users).
- Specified by:
connectionGranted in interface AuditTrail
-
connectionDenied
public void connectionDenied(InetSocketAddress inetAddress, String profile, SecurityIpFilterRule rule)
- Specified by:
connectionDenied in interface AuditTrail
-
runAsGranted
public void runAsGranted(String requestId, Authentication authentication, String action, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo)
- Specified by:
runAsGranted in interface AuditTrail
-
runAsDenied
public void runAsDenied(String requestId, Authentication authentication, String action, TransportRequest transportRequest, AuthorizationEngine.AuthorizationInfo authorizationInfo)
- Specified by:
runAsDenied in interface AuditTrail
-
runAsDenied
public void runAsDenied(String requestId, Authentication authentication, HttpPreRequest request, AuthorizationEngine.AuthorizationInfo authorizationInfo)
- Specified by:
runAsDenied in interface AuditTrail
-
coordinatingActionResponse
public void coordinatingActionResponse(String requestId, Authentication authentication, String action, TransportRequest transportRequest, TransportResponse transportResponse)
- Specified by:
coordinatingActionResponse in interface AuditTrail
-
includeRequestBody
public boolean includeRequestBody()
-
registerSettings
-
clusterChanged
- Specified by:
clusterChanged in interface ClusterStateListener
-