【elasticsearch】慢查詢替代查詢審計的嘗試

使用了es有兩年了，突然發(fā)現(xiàn)一個，es沒有查詢審計日志，某個用戶查詢了某個索引的審計。
找了官方文檔和社區(qū)的回復(fù)都是說使用slow log替代慢查詢。
嘗試一下。

參考鏈接1：https://discuss.elastic.co/t/does-elasticsearch-capture-audit-logs-for-query-dsl-eql-and-sql-or-not/339398/8
參考鏈接2：https://www.elastic.co/guide/en/elasticsearch/reference/7.17/auditing-search-queries.html

前置條件

elasticsearch： 7.17.13
操作系統(tǒng)：linux7.9
es加密配置，只有加密后才可以使用slow log

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12 
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

普通查詢

 curl -u elastic:AAA320 localhost:9200/sq-20240506/_search

普通插入

curl -u elastic:AAA320 -H 'Content-Type: application/json' -X POST localhost:9200/sq-20240506/_doc/1 -d '
{
"firstname": "Krishna",
"lastname": "kumar"
}'

上述查詢和插入沒有任何slow log信息。

設(shè)置慢查詢

這里設(shè)置trace的慢查詢?yōu)?ms，會捕獲所有查詢。

curl -u elastic:AAA320 -H 'Content-Type: application/json'  -XPUT 'http://localhost:9200/_all/_settings?preserve_existing=true' -d '{"index.search.slowlog.threshold.fetch.debug" : "500ms","index.search.slowlog.threshold.fetch.info" : "800ms","index.search.slowlog.threshold.fetch.trace" : "0ms","index.search.slowlog.threshold.fetch.warn" : "1s","index.search.slowlog.threshold.query.debug" : "2s","index.search.slowlog.threshold.query.info" : "5s","index.search.slowlog.threshold.query.trace" : "0ms","index.search.slowlog.threshold.query.warn" : "10s"
}'

查看日志

慢查詢?nèi)罩?#xff0c;存放再es的日志文件夾中，elasticsearch_index_search_slowlog.log,這里可以看到TRACE級別的日志，可以看到分query和fetch兩種，有節(jié)點(diǎn)信息、索引信息、分片以及耗時，但是我還是覺得這里缺少了查詢用戶，查詢來源信息，目前還是無法滿足我的實(shí)際排查需求。

] tailf elasticsearch_index_search_slowlog.log
[2024-05-06T16:33:29,528][TRACE][i.s.s.query              ] [node-1] [sq-20240506][0] took[179.4micros], took_millis[0], total_hits[1 hits], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{}], id[], 
[2024-05-06T16:33:29,529][TRACE][i.s.s.fetch              ] [node-1] [sq-20240506][0] took[3.3ms], took_millis[3], total_hits[1 hits], types[], stats[], search_type[QUERY_THEN_FETCH], total_shards[1], source[{}], id[],

取消慢查詢

curl -u elastic:AAA320 -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_all/_settings' -d '{"index.search.slowlog.threshold.fetch.debug": null,"index.search.slowlog.threshold.fetch.info": null,"index.search.slowlog.threshold.fetch.trace": null,"index.search.slowlog.threshold.fetch.warn": null,"index.search.slowlog.threshold.query.debug": null,"index.search.slowlog.threshold.query.info": null,"index.search.slowlog.threshold.query.trace": null,"index.search.slowlog.threshold.query.warn": null
}'