Shield duplicates _search api audits #11710
@jaymode please could you take a look?
@bobbyhubbard thanks for reporting this. This behavior isn't ideal and we'll look at if/how we can improve this. What you're seeing is a side effect of how auditing is implemented and how search requests are executed. Shield audits the individual actions that are executed by Elasticsearch. The
This seems to have to do with the fact that the main
This bit us again today when someone else in our org set up a new log drain from Shield. It reported nearly double the number of REST requests as expected. Then I remembered this issue... The workaround is simple enough: hash each message (fingerprint in logstash) and use the hash as the message id. But this WILL bite every single Shield customer who is measuring and auditing REST calls. (How many are reporting invalid results now because they don't even know about this bug, like one team here almost did?)
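The fingerprint workaround from the comment above, as an added example that is not part of the thread or of Shield: hash each audit line and keep only the first line per hash, which is what using the hash as the message id achieves at index time. The audit lines are constructed to resemble Shield access_granted entries and are not real output.

```python
import hashlib
from collections import Counter, OrderedDict

# Constructed sample, loosely shaped like Shield access_granted audit entries
# (not real output). The _search request is logged twice with identical
# content, as the issue describes; the GET request is logged once.
SAMPLE_AUDIT_LINES = [
    "[2015-06-16 10:00:01,123] [transport] [access_granted] origin_type=[rest], principal=[alice], action=[indices:data/read/search], indices=[logs]",
    "[2015-06-16 10:00:01,123] [transport] [access_granted] origin_type=[rest], principal=[alice], action=[indices:data/read/search], indices=[logs]",
    "[2015-06-16 10:00:02,456] [transport] [access_granted] origin_type=[rest], principal=[alice], action=[indices:data/read/get], indices=[logs]",
    "[2015-06-16 10:00:03,789] [transport] [access_granted] origin_type=[rest], principal=[bob], action=[indices:data/read/search], indices=[logs]",
]


def fingerprint(line: str) -> str:
    """Content hash of one audit line; stands in for logstash's fingerprint filter."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def dedupe_audit_lines(lines, max_seen=10000):
    """Drop any line whose fingerprint is among the last max_seen fingerprints seen.

    Caveat: two genuinely distinct requests that produce byte-identical entries
    (same principal, action and indices in the same millisecond) collapse too,
    so the deduplicated count is a lower bound and the raw count an upper bound.
    """
    seen = OrderedDict()
    kept = []
    for line in lines:
        fp = fingerprint(line)
        if fp in seen:
            continue  # duplicate of an entry already emitted
        seen[fp] = None
        if len(seen) > max_seen:
            seen.popitem(last=False)  # bound memory: forget the oldest fingerprint
        kept.append(line)
    return kept


def count_by_action(lines):
    """Count audit entries per action=[...] value, for before/after comparison."""
    counts = Counter()
    for line in lines:
        start = line.find("action=[")
        if start == -1:
            continue
        end = line.find("]", start)
        counts[line[start + len("action=["):end]] += 1
    return counts
```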
All the actions that extend TransportSearchTypeAction are subactions of the main TransportSearchAction. The main one is and should be a transport action: it registers request handlers, supports request and response filtering, etc. The subactions shouldn't, as that becomes just double work. At the moment each search request goes through validation and filters twice, once as part of the main action and a second time as part of the subaction execution. The subactions don't need to extend TransportAction, but can be simple support classes, as they are always executed on the same node as their main action. This commit modifies TransportSearchTypeAction to not extend TransportAction but simply AbstractComponent. Closes elastic#11710
…ype package into o.e.action.search TransportSearchTypeAction and subclasses are not actually transport actions, but just support classes useful for their inner async actions, which can easily be extracted out so that we get rid of one too many levels of abstraction. The same pattern can be applied to TransportSearchScrollQueryAndFetchAction & TransportSearchScrollQueryThenFetchAction, which we could remove in favour of keeping only their inner classes, named SearchScrollQueryAndFetchAsyncAction and SearchScrollQueryThenFetchAsyncAction. Remove the org.elasticsearch.action.search.type package, collapsing the remaining classes into the existing org.elasticsearch.action.search package. Also make the ParsedScrollId, ScrollIdForNode and TransportSearchHelper classes and their methods package private. Closes elastic#11710
A standard GET by ID results in a single log entry in the audit log. Search (_search) results in two identical log entries. Every time.
Everything works great out of the box except I get _search audits duplicated in the log. ONLY "SearchRequest" audits. I haven't found any other api yet which results in this strange behavior.