Logstash OpenSearch Output

louzadod · October 19, 2021, 6:13pm

Hi,
I’m trying to send data to OpenSearch using LogStash OpenSearch Output Plugin.

On OpenSearch audit logs there are many entries like:

{
  "_index": "security-auditlog-2021.10.19",
  "_type": "_doc",
  "_id": "Rd6WmXwBI4rOM_mKvxUM",
  "_version": 1,
  "_score": null,
  "_source": {
    "audit_trace_task_parent_id": "Ms_aBTLURsy_eGdWNCvyuA:698723",
    "audit_cluster_name": "logs-corporativos",
    "audit_transport_headers": {
      "_opendistro_security_remote_address_header": "...",
      "_opendistro_security_initial_action_class_header": "GetIndexTemplatesRequest",
      "_opendistro_security_origin_header": "REST",
      "_opendistro_security_user_header": "...",
      "_opendistro_security_remotecn": "logs-corporativos"
    },
    "audit_node_name": "logs-corporativos-master-2",
    "audit_trace_task_id": "XXy6-_cET4CIHg8L6A6nGA:4038008",
    "audit_transport_request_type": "GetIndexTemplatesRequest",
    "audit_category": "INDEX_EVENT",
    "audit_request_origin": "REST",
    "audit_node_id": "XXy6-_cET4CIHg8L6A6nGA",
    "audit_request_layer": "TRANSPORT",
    "@timestamp": "2021-10-19T17:26:05.835+00:00",
    "audit_format_version": 4,
    "audit_request_remote_address": "10.42.241.142",
    "audit_request_privilege": "indices:admin/template/get",
    "audit_node_host_address": "10.42.111.116",
    "audit_request_effective_user": "logstash",
    "audit_node_host_name": "10.42.111.116"
  },
  "fields": {
    "@timestamp": [
      "2021-10-19T17:26:05.835Z"
    ]
  },
  "highlight": {
    "audit_request_effective_user": [
      "@opensearch-dashboards-highlighted-field@logstash@/opensearch-dashboards-highlighted-field@"
    ]
  },
  "sort": [
    1634664365835
  ]
}

What is the meaning of such event?
Is everything fine?
The logs are not being persisted by OpenSearch.

searchymcsearchface · October 20, 2021, 1:26pm

Moving this to the security category - this is more about the audit logs than logstash

Anthony · October 20, 2021, 1:37pm

@louzadod
This is internal communications where GetIndexTemplatesRequest is being called, to obtain template during indexing stage and therefore looks to be ok.

Hope this helps

louzadod · October 21, 2021, 8:12pm

Thanks! Everything working pretty fine with Logstash.

Topic		Replies	Views
Logstash to Opensearch with Certs auth Data Prepper	5	997	December 16, 2022
Not able to send logs to opensearch from logstash server, getting this warning message in the logs "[o.o.s.a.BackendRegistry ] No 'Authorization' header, send 401 and 'WWW-Authenticate Basic'" Security	7	529	May 17, 2023
Logstash-oss-with-opensearch-output-plugin failing to connect, 401 response Security	4	320	May 15, 2023
Logstash Opensearch Configuration havin codec json OpenSearch	3	335	June 27, 2023
Secure communication from Logstash to opensearch cluster OpenSearch	4	329	September 16, 2023

Logstash OpenSearch Output

Related Topics