Audit log filter and marker (elastic#49145)
This adds a log marker and a marker filter for the audit log.

Closes elastic#47251
albertzaharovits committed Nov 15, 2019
1 parent 2d84ad2 commit bbeb3a8
Showing 2 changed files with 40 additions and 23 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,11 @@
package org.elasticsearch.xpack.security.audit.logfile;

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;
import org.apache.logging.log4j.core.Filter.Result;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.filter.MarkerFilter;
import org.apache.logging.log4j.message.StringMapMessage;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.cluster.ClusterChangedEvent;
Expand All @@ -16,6 +21,7 @@
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.MapBuilder;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Setting.Property;
Expand All @@ -33,6 +39,7 @@
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.security.user.XPackUser;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditLevel;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
Expand Down Expand Up @@ -157,6 +164,8 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
"indices",
(key) -> Setting.listSetting(key, Collections.singletonList("*"), Function.identity(), Property.NodeScope, Property.Dynamic));

private static final Marker AUDIT_MARKER = MarkerManager.getMarker("org.elasticsearch.xpack.security.audit");

private final Logger logger;
private final ThreadContext threadContext;
final EventFilterPolicyRegistry eventFilterPolicyRegistry;
Expand All @@ -172,7 +181,7 @@ public String name() {
}

public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {
this(settings, clusterService, LogManager.getLogger(), threadPool.getThreadContext());
this(settings, clusterService, LogManager.getLogger(LoggingAuditTrail.class), threadPool.getThreadContext());
}

LoggingAuditTrail(Settings settings, ClusterService clusterService, Logger logger, ThreadContext threadContext) {
Expand Down Expand Up @@ -214,6 +223,14 @@ public LoggingAuditTrail(Settings settings, ClusterService clusterService, Threa
final EventFilterPolicy newPolicy = policy.orElse(new EventFilterPolicy(policyName, settings)).changeIndicesFilter(filtersList);
this.eventFilterPolicyRegistry.set(policyName, newPolicy);
}, (policyName, filtersList) -> EventFilterPolicy.parsePredicate(filtersList));
// this log filter ensures that audit events are not filtered out because of the log level
final LoggerContext ctx = LoggerContext.getContext(false);
MarkerFilter auditMarkerFilter = MarkerFilter.createFilter(AUDIT_MARKER.getName(), Result.ACCEPT, Result.NEUTRAL);
ctx.addFilter(auditMarkerFilter);
ctx.updateLoggers();
clusterService.getClusterSettings().addSettingsUpdateConsumer(ignored -> {
LogManager.getLogger(Security.class).warn("Changing log level for [" + LoggingAuditTrail.class.getName() + "] has no effect");
}, Collections.singletonList(Loggers.LOG_LEVEL_SETTING.getConcreteSettingForNamespace(LoggingAuditTrail.class.getName())));
}

@Override
Expand All @@ -232,7 +249,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Res
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -255,7 +272,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Str
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -277,7 +294,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportMess
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -296,7 +313,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) {
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -318,7 +335,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -336,7 +353,7 @@ public void authenticationFailed(String requestId, RestRequest request) {
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -357,7 +374,7 @@ public void authenticationFailed(String requestId, String action, TransportMessa
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -377,7 +394,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -400,7 +417,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -421,7 +438,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -447,7 +464,7 @@ public void accessGranted(String requestId, Authentication authentication, Strin
.withXForwardedFor(threadContext)
.with(authorizationInfo.asMap())
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand Down Expand Up @@ -487,7 +504,7 @@ public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Aut
.with(ORIGIN_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(remoteAddress.address()));
}
logger.info(logEntryBuilder.build());
logger.info(AUDIT_MARKER, logEntryBuilder.build());
}
}
}
Expand All @@ -512,7 +529,7 @@ public void accessDenied(String requestId, Authentication authentication, String
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -530,7 +547,7 @@ public void tamperedRequest(String requestId, RestRequest request) {
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -551,7 +568,7 @@ public void tamperedRequest(String requestId, String action, TransportMessage me
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -574,7 +591,7 @@ public void tamperedRequest(String requestId, User user, String action, Transpor
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -593,7 +610,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -611,7 +628,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -635,7 +652,7 @@ public void runAsGranted(String requestId, Authentication authentication, String
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -660,7 +677,7 @@ public void runAsDenied(String requestId, Authentication authentication, String
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -682,7 +699,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand Down
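Review bot: The context-wide MarkerFilter registered in the constructor hunk (`ctx.addFilter(auditMarkerFilter)` on `LoggerContext.getContext(false)`) is installed into the currently active Configuration object only, so if Log4j later reconfigures (for example a monitored config file reload, which replaces the Configuration), the filter is presumably lost and audit events fall back under the logger level, which silently defeats the guarantee that the `warn` at the end of the hunk promises operators. Consider re-adding the filter from a configuration-change listener on the context, or at minimum document the limit next to the existing comment: `// NOTE: the filter is attached to the current Configuration only; a Log4j reconfiguration drops it and the configured level would apply again`. Because every `new LoggingAuditTrail(...)` calls `addFilter`, repeated construction (tests, or any future second instance) stacks duplicate filters into the configuration; a static once-only guard would keep that deterministic. Note also that a config-level filter overrides only the logger-config level check, so an appender-level filter can still drop the event and "has no effect" in the warning slightly overstates the guarantee. The constructor this hunk modifies begins before the hunk.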
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ public void init() throws Exception {
threadContext.putHeader(AuditTrail.X_FORWARDED_FOR_HEADER,
randomFrom("2001:db8:85a3:8d3:1319:8a2e:370:7348", "203.0.113.195", "203.0.113.195, 70.41.3.18, 150.172.238.178"));
}
logger = CapturingLogger.newCapturingLogger(Level.INFO, patternLayout);
logger = CapturingLogger.newCapturingLogger(randomFrom(Level.OFF, Level.FATAL, Level.ERROR, Level.WARN, Level.INFO), patternLayout);
auditTrail = new LoggingAuditTrail(settings, clusterService, logger, threadContext);
}

Expand Down
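Review bot: Randomizing the CapturingLogger level up to `Level.OFF` is the right way to pin the new "audit events ignore the level" guarantee, but the test relies on the marker filter that `new LoggingAuditTrail(...)` installs into the shared `LoggerContext.getContext(false)` configuration, and nothing visible here removes it afterwards, so it presumably leaks into every later test in the same JVM and any logging with that marker would then bypass its configured level. If the suite does not already reset the Log4j context between tests, an `@After` that removes the marker filter from the context configuration, or a comment stating the leak is accepted, would make the isolation explicit. A short comment on the `randomFrom` line would also help the next reader, e.g. `// levels below INFO are omitted: they only widen what is logged and do not exercise the marker filter`. `init()` begins before this hunk.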
