Skip to content

Commit

Permalink
Audit log filter and marker (#45456)
Browse files Browse the repository at this point in the history 
This adds a log marker and a marker filter for the audit log.

Closes #47251
  • Loading branch information
@albertzaharovits
albertzaharovits authored Nov 15, 2019
1 parent 9b33165 commit 9ef69f7
Show file tree
Hide file tree
Showing 2 changed files with 40 additions and 23 deletions.
61 changes: 39 additions & 22 deletions ...urity/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,11 @@
package org.elasticsearch.xpack.security.audit.logfile;

import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;
import org.apache.logging.log4j.core.Filter.Result;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.filter.MarkerFilter;
import org.apache.logging.log4j.message.StringMapMessage;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.cluster.ClusterChangedEvent;
Expand All @@ -15,6 +20,7 @@
import org.elasticsearch.common.Nullable;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.collect.MapBuilder;
import org.elasticsearch.common.logging.Loggers;
import org.elasticsearch.common.network.NetworkAddress;
import org.elasticsearch.common.settings.Setting;
import org.elasticsearch.common.settings.Setting.Property;
Expand All @@ -32,6 +38,7 @@
import org.elasticsearch.xpack.core.security.user.SystemUser;
import org.elasticsearch.xpack.core.security.user.User;
import org.elasticsearch.xpack.core.security.user.XPackUser;
import org.elasticsearch.xpack.security.Security;
import org.elasticsearch.xpack.security.audit.AuditLevel;
import org.elasticsearch.xpack.security.audit.AuditTrail;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
Expand Down Expand Up @@ -151,6 +158,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
"indices",
(key) -> Setting.listSetting(key, Collections.singletonList("*"), Function.identity(), Property.NodeScope, Property.Dynamic));

private static final Marker AUDIT_MARKER = MarkerManager.getMarker("org.elasticsearch.xpack.security.audit");

private final Logger logger;
private final ThreadContext threadContext;
final EventFilterPolicyRegistry eventFilterPolicyRegistry;
Expand All @@ -166,7 +175,7 @@ public String name() {
}

public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {
this(settings, clusterService, LogManager.getLogger(), threadPool.getThreadContext());
this(settings, clusterService, LogManager.getLogger(LoggingAuditTrail.class), threadPool.getThreadContext());
}

LoggingAuditTrail(Settings settings, ClusterService clusterService, Logger logger, ThreadContext threadContext) {
Expand Down Expand Up @@ -207,6 +216,14 @@ public LoggingAuditTrail(Settings settings, ClusterService clusterService, Threa
final EventFilterPolicy newPolicy = policy.orElse(new EventFilterPolicy(policyName, settings)).changeIndicesFilter(filtersList);
this.eventFilterPolicyRegistry.set(policyName, newPolicy);
}, (policyName, filtersList) -> EventFilterPolicy.parsePredicate(filtersList));
// this log filter ensures that audit events are not filtered out because of the log level
final LoggerContext ctx = LoggerContext.getContext(false);
MarkerFilter auditMarkerFilter = MarkerFilter.createFilter(AUDIT_MARKER.getName(), Result.ACCEPT, Result.NEUTRAL);
ctx.addFilter(auditMarkerFilter);
ctx.updateLoggers();
clusterService.getClusterSettings().addSettingsUpdateConsumer(ignored -> {
LogManager.getLogger(Security.class).warn("Changing log level for [" + LoggingAuditTrail.class.getName() + "] has no effect");
}, Collections.singletonList(Loggers.LOG_LEVEL_SETTING.getConcreteSettingForNamespace(LoggingAuditTrail.class.getName())));
}

@Override
Expand All @@ -225,7 +242,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Res
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -248,7 +265,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Str
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -270,7 +287,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportMess
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -289,7 +306,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) {
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -311,7 +328,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -329,7 +346,7 @@ public void authenticationFailed(String requestId, RestRequest request) {
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -350,7 +367,7 @@ public void authenticationFailed(String requestId, String action, TransportMessa
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -370,7 +387,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -393,7 +410,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -414,7 +431,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -440,7 +457,7 @@ public void accessGranted(String requestId, Authentication authentication, Strin
.withXForwardedFor(threadContext)
.with(authorizationInfo.asMap())
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand Down Expand Up @@ -480,7 +497,7 @@ public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Aut
.with(ORIGIN_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(remoteAddress.address()));
}
logger.info(logEntryBuilder.build());
logger.info(AUDIT_MARKER, logEntryBuilder.build());
}
}
}
Expand All @@ -505,7 +522,7 @@ public void accessDenied(String requestId, Authentication authentication, String
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -523,7 +540,7 @@ public void tamperedRequest(String requestId, RestRequest request) {
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -544,7 +561,7 @@ public void tamperedRequest(String requestId, String action, TransportMessage me
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -567,7 +584,7 @@ public void tamperedRequest(String requestId, User user, String action, Transpor
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -586,7 +603,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -604,7 +621,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand All @@ -628,7 +645,7 @@ public void runAsGranted(String requestId, Authentication authentication, String
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -653,7 +670,7 @@ public void runAsDenied(String requestId, Authentication authentication, String
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}
}
Expand All @@ -675,7 +692,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq
.withOpaqueId(threadContext)
.withXForwardedFor(threadContext)
.build();
logger.info(logEntry);
logger.info(AUDIT_MARKER, logEntry);
}
}

Expand Down
2 changes: 1 addition & 1 deletion .../src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -198,7 +198,7 @@ public void init() throws Exception {
threadContext.putHeader(AuditTrail.X_FORWARDED_FOR_HEADER,
randomFrom("2001:db8:85a3:8d3:1319:8a2e:370:7348", "203.0.113.195", "203.0.113.195, 70.41.3.18, 150.172.238.178"));
}
logger = CapturingLogger.newCapturingLogger(Level.INFO, patternLayout);
logger = CapturingLogger.newCapturingLogger(randomFrom(Level.OFF, Level.FATAL, Level.ERROR, Level.WARN, Level.INFO), patternLayout);
auditTrail = new LoggingAuditTrail(settings, clusterService, logger, threadContext);
}

Expand Down

0 comments on commit 9ef69f7

Please sign in to comment.