Open jackevans43 opened 9 months ago
[Triage] Hi @jackevans43, thanks for filing this issue. This is the expected behavior for failed login requests but not for other requests. Can you confirm that this is the behavior for requests other than failed login attempts?
Thanks
Hi, just to add to this - we're seeing the same behaviour as described by @jackevans43. Can confirm it is for requests other than login requests, e.g. a normal search will not yield an audited http body.
@scrawfor99 Sorry for the slow reply - yes this behaviour is for successful search requests etc. Have you managed to reproduce the issue?
If you are looking to get started on this issue, you might want to look at the code modified in this pull request [1], it should give you a good place to start.
What is the bug? OpenSearch audit logs included the REST request payload in the audit logs in audit_request_body in 2.10 but not 2.11 (or 2.12).
How can one reproduce the bug? Steps to reproduce the behavior:
security-auditlog*
curl -vk https://127.0.0.1:9200/twitter -u admin:admin -XPUT -d '{"settings":{"index":{"number_of_shards":3}}}' -H 'content-type: application/json'
curl -vk https://127.0.0.1:9200/_search -u admin:admin -XPUT -d '{"query":{"match_all": {}}}' -H 'content-type: application/json'
What is the expected behavior? In OpenSearch Dashboards 2.10 discover view for the security-auditlog* index pattern, can see audit_request_body field set for both queries. Since 2.11 it's missing for the search (but still present for the index creation - audit_request_layer: TRANSPORT, but not REST).
What is your host/environment?
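The following is an added example, not part of the original issue or of the OpenSearch project's code: a check that can be run over documents exported from the security-auditlog* index after an upgrade to see whether REST-layer events still carry audit_request_body. The sample events are constructed; the audit_rest_request_method and audit_rest_request_path field names, the category values and the BODY_METHODS set are assumptions.

```python
from collections import defaultdict

# Assumption: methods whose requests are expected to carry a payload.
BODY_METHODS = {"POST", "PUT", "PATCH"}

# Constructed audit events (not captured from a cluster). audit_request_layer
# and audit_request_body are the fields named in the issue; the method/path
# field names and the category values are assumptions for illustration.
EVENTS_2_10 = [
    {"audit_request_layer": "REST", "audit_category": "AUTHENTICATED",
     "audit_rest_request_method": "PUT", "audit_rest_request_path": "/_search",
     "audit_request_body": '{"query":{"match_all": {}}}'},
]
EVENTS_2_11 = [
    {"audit_request_layer": "TRANSPORT", "audit_category": "INDEX_EVENT",
     "audit_request_body": '{"index":{"number_of_shards":"3"}}'},
    {"audit_request_layer": "REST", "audit_category": "AUTHENTICATED",
     "audit_rest_request_method": "PUT", "audit_rest_request_path": "/twitter"},
    {"audit_request_layer": "REST", "audit_category": "AUTHENTICATED",
     "audit_rest_request_method": "PUT", "audit_rest_request_path": "/_search"},
    {"audit_request_layer": "REST", "audit_category": "AUTHENTICATED",
     "audit_rest_request_method": "GET", "audit_rest_request_path": "/_cat/indices"},
]

def body_coverage(events):
    """Return {layer: (events_with_body, total_events)}."""
    stats = defaultdict(lambda: [0, 0])
    for ev in events:
        counts = stats[ev.get("audit_request_layer", "UNKNOWN")]
        counts[1] += 1
        counts[0] += bool(ev.get("audit_request_body"))
    return {layer: tuple(c) for layer, c in stats.items()}

def rest_paths_missing_body(events):
    """Paths of REST-layer events that should carry a payload but lack audit_request_body."""
    return sorted(
        ev.get("audit_rest_request_path", "?")
        for ev in events
        if ev.get("audit_request_layer") == "REST"
        and ev.get("audit_rest_request_method", "").upper() in BODY_METHODS
        and not ev.get("audit_request_body")
    )

if __name__ == "__main__":
    for name, events in (("2.10", EVENTS_2_10), ("2.11", EVENTS_2_11)):
        print(name, body_coverage(events), rest_paths_missing_body(events))
```

A non-empty result from rest_paths_missing_body on real exports means request payloads are absent from the REST-layer audit trail, so any alerting or forensics that relies on audit_request_body for those requests has a gap.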