-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Breaking change] Audit logging events have changed #82578
Comments
Pinging @elastic/es-ui (Team:Elasticsearch UI) |
@thomheymann What if Upgrade Assistant checked if |
@cjcenizal I didn't know that we can surface messaging within the migration assistant. It's a great idea - I think that would be really useful for affected users. Especially if we list out what events they can consume instead. |
@thomheymann Sounds good! Thanks for the validation. We have the opportunity to redesign the Upgrade Assistant for an awesome 8.0 upgrade experience, so the sky's the limit. Anything you can think of that would help the user is fair game when considering new features we should add to UA. |
FYI I updated the issue title and |
Hi @thomheymann! I'm going to remove the |
Pinging @elastic/kibana-security (Team:Security) |
PR to deprecate the legacy audit logger in 7.15: #104685 |
I'm auditing consumer usage of audit logging (both flavors, "legacy" and "ECS"). When we get rid of legacy audit logging, we want to make sure we have the same coverage with our ECS audit logging. Rather than create a new issue, I decided to put my findings here. InvestigationConsumers access the audit loggers from the
Aside from the
|
Re-reading this issue description:
Currently, the platform logging service provides a "default" appender, but that will be removed in 8.0. So I don't think we can just allow I see two options to proceed:
I am leaning towards option 2, but I am curious to know what others think. |
What does this mean in practice? Do users need to manually configure whether they want to log to stdout or file or is this just an internal change for plugin developers?
Yeh, definitely prefer option 2. as well here. |
@jportner I'm voting for option 2 as well. I do not like it if Kibana gets too complicated to get up and running. Sensible defaults is the way to go IMO. |
Sounds good, let's go with option 2. |
According to this issue (#92082), the injected "default" legacy appender will be removed in 8.0. It hasn't been removed yet and I'm not sure what the user experience will be like as a result. |
++. Based on #98213, this may need to be OS/package specific. @elastic/kibana-operations we are interested in writing Kibana's audit log to a dedicated file by default. Do you have any advice on where in the file system we should be writing these? I expect that the downloadable version is pretty simple (Kibana root?), but what about os packages, Docker, etc.? |
I'd recommend creating a logs folder in the project root here. If this is needed for development too, we could commit a logs directory and cleanup the .gitempty at build time. We can followup with a change here to write to Consistency with elasticsearch would be ideal:
|
JFYI, here is the issue tracking removal of the legacy logging infrastructure (which includes removing the injected |
Do I understand correctly that you are talking about this
Isn't it using a new logging framework?
How the removal of the
Is it the default behavior of the deprecated Audit logging service? appenders: {
auditTrailFileAppender: config.auditTrailFileAppender ?? {
type: 'file',
fileName: ...,
layout: {
type: 'json',
},
},
},
loggers: [
{
name: '...',
level: ...
appenders: ['auditTrailFileAppender'],
},
], |
Yes!
Yes!
That's a great point, then ECS audit logging already doesn't rely on the "default" legacy appender at all. |
Change description
Which release will ship the breaking change?
8.0
Describe the change. How will it manifest to users?
Dropped support for legacy audit event. These have been replaced with audit events in ECS format which simplify ingestion into the stack, analysis with SIEM solution and provide more context and meta data.
The following events will not longer be logged: https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html#_audit_event_types
How many users will be affected?
Anyone who is using the previous Kibana audit logger.
What can users do to address the change manually?
The ECS audit logger is controlled by the same
xpack.security.audit.enabled
setting as the legacy audit logger so no configuration needs to be changed and new event will automatically get logged out in the new format, if audit logging was previously enabled.However, if users have alerts setup in Kibana or external systems those will need to be updated to look for the new ECS audit events instead:
saved_objects_authorization_success
- Instead filter events byevent.category=database
andevent.outcome=success|unknown
saved_objects_authorization_failure
- Instead filter events byevent.category=database
andevent.outcome=failure
- The failure reason will be captured in theerror
propertyA full list of events can be found here: https://www.elastic.co/guide/en/kibana/master/xpack-security-audit-logging.html#xpack-security-ecs-audit-logging
How could we make migration easier with the Upgrade Assistant?
Upgrade Assistant could check if
xpack.security.audit.enabled
is set, and if so add a "warning" message with the migration guidance shared above. Users could dismiss the warning if it didn't apply to them or if they've addressed it.Are there any edge cases?
n/a
Test Data
n/a
Cross links
n/a
The text was updated successfully, but these errors were encountered: