Skip to content

Emit trace.id into audit logs#82849

Merged
pgomulka merged 11 commits intoelastic:masterfrom
pgomulka:add_trace_id_audit_trail
Jan 25, 2022
Merged

Emit trace.id into audit logs#82849
pgomulka merged 11 commits intoelastic:masterfrom
pgomulka:add_trace_id_audit_trail

Conversation

@pgomulka
Copy link
Copy Markdown
Contributor

@pgomulka pgomulka commented Jan 20, 2022
edited
Loading

since #74210 ES is emitting trace.id into its logs, but it did not emit it into audit logs.
This commit adds trace.id into audit logging.

@pgomulka pgomulka added >enhancement :Core/Infra/Logging Log management and logging utilities :Security/Audit X-Pack Audit logging v8.0.0 v8.1.0 v7.17.0 labels Jan 20, 2022
@pgomulka pgomulka self-assigned this Jan 20, 2022
@elasticmachine elasticmachine added Team:Security Meta label for security team Team:Core/Infra Meta label for core/infra team labels Jan 20, 2022
@elasticmachine
Copy link
Copy Markdown
Collaborator

elasticmachine commented Jan 20, 2022

Pinging @elastic/es-security (Team:Security)

@elasticmachine
Copy link
Copy Markdown
Collaborator

elasticmachine commented Jan 20, 2022

Pinging @elastic/es-core-infra (Team:Core/Infra)

@pgomulka
Copy link
Copy Markdown
Contributor Author

pgomulka commented Jan 20, 2022

this can be considered a >bug rather than >enhancement as we clearly forgot about this

@elasticsearchmachine
Copy link
Copy Markdown
Collaborator

elasticsearchmachine commented Jan 20, 2022

Hi @pgomulka, I've created a changelog YAML for you.

@pgomulka pgomulka removed the :Core/Infra/Logging Log management and logging utilities label Jan 20, 2022
@elasticmachine elasticmachine removed the Team:Core/Infra Meta label for core/infra team label Jan 20, 2022
@pgomulka pgomulka added the :Core/Infra/Logging Log management and logging utilities label Jan 20, 2022
@elasticmachine elasticmachine added the Team:Core/Infra Meta label for core/infra team label Jan 20, 2022
@pgomulka pgomulka removed the :Core/Infra/Logging Log management and logging utilities label Jan 20, 2022
@elasticmachine elasticmachine removed the Team:Core/Infra Meta label for core/infra team label Jan 20, 2022
rjernst
rjernst approved these changes Jan 20, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@rjernst rjernst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pgomulka pgomulka mentioned this pull request Jan 24, 2022
Closed
albertzaharovits
albertzaharovits approved these changes Jan 25, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM Thanks for the Security contrib!

Ideally we should add to the docs in x-pack/docs/en/security/auditing/event-types.asciidoc to describe the new field (also drop a line in log4j2.properties with a short description as well).

Also, reviewing this I noticed that the response, http tracer and search slowlog (and possibly other places as well), do not contain a trace.id. It might be worth a ES-wide review of where the trace.id should show up.

@pgomulka pgomulka added the auto-backport Automatically create backport pull requests when merged label Jan 25, 2022
@pgomulka pgomulka mentioned this pull request Jan 25, 2022
Closed
@pgomulka pgomulka merged commit 533f6e0 into elastic:master Jan 25, 2022
pgomulka added a commit to pgomulka/elasticsearch that referenced this pull request Jan 25, 2022
@pgomulka
Emit trace.id into audit logs (elastic#82849)
be68445 
since elastic#74210 ES is emitting trace.id into its logs, but it did not emit it into audit logs.
This commit adds trace.id into audit logging.
@pgomulka pgomulka mentioned this pull request Jan 25, 2022
Merged
@elasticsearchmachine
Copy link
Copy Markdown
Collaborator

elasticsearchmachine commented Jan 25, 2022

💔 Backport failed

Status Branch Result
8.0
7.17 Commit could not be cherrypicked due to conflicts

You can use sqren/backport to manually backport by running backport --upstream elastic/elasticsearch --pr 82849

pgomulka added a commit to pgomulka/elasticsearch that referenced this pull request Jan 25, 2022
@pgomulka
Emit trace.id into audit logs (elastic#82849)
63dfa1e 
since elastic#74210 ES is emitting trace.id into its logs, but it did not emit it into audit logs.
This commit adds trace.id into audit logging.
@pgomulka pgomulka mentioned this pull request Jan 25, 2022
Merged
pgomulka added a commit that referenced this pull request Jan 25, 2022
@pgomulka
Emit trace.id into audit logs (#82849) (#83027)
82afc60 
Backports the following commits to 8.0:

Emit trace.id into audit logs (Emit trace.id into audit logs #82849)
pgomulka added a commit that referenced this pull request Jan 25, 2022
@pgomulka
[7.17[ Emit trace.id into audit logs (#82849) (#83031)
b4f17d4 
since #74210 ES is emitting trace.id into its logs, but it did not emit it into audit logs.
This commit adds trace.id into audit logging.
backport #82849
weizijun added a commit to weizijun/elasticsearch that referenced this pull request Jan 26, 2022
@weizijun
Merge branch 'upstream/master' into rollover-add-max_shard_docs
4d6f241 
* upstream/master: (762 commits)
  [DOCS] Add note to that log4j customization is outside the support scope (elastic#82668)
  Batch Index Settings Update Requests (elastic#82896)
  [DOCS] Delete pipeline containing stored script (elastic#83102)
  Try again to fix changelog areas after reorg (elastic#83100)
  Bind to non-localhost for transport in some cases (elastic#82973)
  [DOCS] Reuse multi-level `join` warning (elastic#82976)
  Remove unnecessary CopyOnWriteHashMap class (elastic#83040)
  Adjust changelog categories after reorg (elastic#83087)
  [DOCS] Fix typo in `action.destructive_requires_name` breaking change (elastic#83085)
  Stack Monitoring: Add Enterprise Search monitoring index templates (elastic#82743)
  [DOCS] Fix stored script example snippet (elastic#83056)
  [DOCS] Re-add network traffic para to `term` query (elastic#83047)
  [DOCS] Rename example stored script (elastic#83054)
  [ML][DOCS] Add Trained model APIs to the REST APIs index (elastic#82791)
  [ML] Update running process when global calendar changes (elastic#83044)
  [Transform] Fix condition on which the transform stops processing buckets (elastic#82852)
  [DOCS] Fixes field names in ML sum functions. (elastic#83048)
  [ML] fix NLP tokenization never_split handling around punctuation (elastic#82982)
  Construct dynamic updates directly via object builders (elastic#81449)
  Emit trace.id into audit logs (elastic#82849)
  ...

# Conflicts:
#	client/rest-high-level/src/test/java/org/elasticsearch/client/IndicesClientIT.java
#	client/rest-high-level/src/test/java/org/elasticsearch/client/documentation/ILMDocumentationIT.java
#	server/src/main/java/org/elasticsearch/action/admin/indices/rollover/Condition.java
#	server/src/test/java/org/elasticsearch/action/admin/indices/rollover/ConditionTests.java
#	x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ilm/RolloverActionTests.java
#	x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ilm/TimeseriesLifecycleTypeTests.java
#	x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/ilm/WaitForRolloverReadyStepTests.java
@gmarouli gmarouli mentioned this pull request Jan 13, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rjernst rjernst rjernst approved these changes

@albertzaharovits albertzaharovits albertzaharovits approved these changes

Assignees

No one assigned

Labels

auto-backport Automatically create backport pull requests when merged >enhancement :Security/Audit X-Pack Audit logging Team:Security Meta label for security team v7.17.0 v8.0.0-rc2 v8.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@pgomulka @elasticmachine @elasticsearchmachine @rjernst @albertzaharovits @pugnascotia