Database Connector

Elasticsearch Connector

Connect DB Audit to your Elasticsearch clusters for comprehensive search query monitoring, authentication tracking, and compliance reporting with native security audit integration.

Native Deep Integration

Security Audit Native

Direct X-Pack security integration

Cluster Aware

Monitors all nodes automatically

<1% Performance Impact

Read-only index access

What You Can Monitor

Search Query Monitoring

Track all search and aggregation queries with full query DSL logging and response metadata.

User Activity Tracking

Monitor authentication events, role changes, and API key usage across your cluster.

Index Operations

Detect and alert on index creation, deletion, mapping changes, and reindex operations.

Data Access Analysis

Analyze access patterns across indices to identify unusual activity or security threats.

Requirements

Elasticsearch Version: 7.17 or higher (8.x recommended)
Network Access: TCP port 9200 (REST API)
Authentication: Native realm, LDAP, SAML, or API keys
Required Privileges: monitor, read_security, manage_security
Security License: Required

Security audit logging requires Elasticsearch Security features (included in Elastic Cloud, or Platinum/Enterprise licenses for self-managed).

Configuration Reference

Basic Connection

name (string, required): A unique name to identify this connection
hosts (array, required): List of Elasticsearch node URLs (e.g., https://es1:9200)
username (string, required): Elasticsearch username for authentication
password (password, required): Elasticsearch password (stored encrypted)
api_key (password, optional): API key for authentication (alternative to username/password)

TLS Configuration

ssl_enabled (boolean, default true): Enable TLS encryption
ssl_ca_cert (string, no default): CA certificate for server verification
ssl_verify (boolean, default true): Verify server certificate
ssl_fingerprint (string, no default): Certificate fingerprint (ES 8.x)

Log Collection

log_collection_type (select, default native_audit): Method for collecting audit logs
audit_index (string, default .security-audit-*): Index pattern for audit logs
polling_interval (number, default 10): Seconds between log collection polls
include_request_body (boolean, default true): Include full query body in logs

Log Collection Methods

DB Audit supports multiple methods for collecting audit data from Elasticsearch.

Security Audit Logging

Recommended

Native Elasticsearch security audit logging for comprehensive authentication and access tracking.

Authentication events
Authorization decisions
API access tracking
Security features required

Slow Log

Capture slow search and indexing operations for performance and query analysis.

Query performance tracking
No security license needed
Per-index configuration
Full query capture
Step 1: Create Audit User

Create a dedicated read-only user for DB Audit with security monitoring permissions.

# Create a dedicated audit user with Elasticsearch Security
# Using the Elasticsearch API

# Create audit role
# NOTE: manage_security allows changing users, roles and API keys, so this role
# is broader than read-only; it is listed under Required Privileges above.
PUT /_security/role/dbaudit_reader
{
  "cluster": ["monitor", "read_security", "manage_security"],
  "indices": [
    {
      "names": [".security-audit-*", ".monitoring-*"],
      "privileges": ["read", "view_index_metadata"]
    },
    {
      "names": ["*"],
      "privileges": ["view_index_metadata", "monitor"]
    }
  ]
}

# Create audit user
PUT /_security/user/dbaudit_reader
{
  "password": "your_secure_password",
  "roles": ["dbaudit_reader"],
  "full_name": "DB Audit Reader",
  "email": "dbaudit@example.com",
  "metadata": {
    "purpose": "DB Audit read-only access"
  }
}

# Or create an API key for service authentication
POST /_security/api_key
{
  "name": "dbaudit-collector",
  "role_descriptors": {
    "dbaudit_role": {
      "cluster": ["monitor", "read_security"],
      "indices": [
        {
          "names": [".security-audit-*"],
          "privileges": ["read"]
        }
      ]
    }
  }
}
Step 2: Enable Security Audit Logging

Configure Elasticsearch security audit logging on all cluster nodes.

# Enable audit logging in elasticsearch.yml
# Add to each node and restart

xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.include:
  - access_denied
  - access_granted
  - anonymous_access_denied
  - authentication_failed
  - authentication_success
  - connection_denied
  - run_as_denied
  - run_as_granted
  - security_config_change
  - tampered_request

# Index audit events (in addition to logfile)
# The separate "index" audit output existed only in Elasticsearch 6.x and was
# removed in 7.0; 7.17+ and 8.x nodes reject it as an unknown setting and write
# audit events only to the logfile (<clustername>_audit.json). To read them from
# an index such as .security-audit-*, ship that file into Elasticsearch with a
# log shipper (e.g. Filebeat's elasticsearch module, audit fileset).
# xpack.security.audit.outputs: [ index, logfile ]   # 6.x only

# Optional: Configure slow log per index
# (REST API request, not an elasticsearch.yml setting)
# index.search.slowlog.level was removed in 8.0; omit it on 8.x clusters,
# where the thresholds alone control what is logged.
PUT /your_index/_settings
{
  "index.search.slowlog.threshold.query.warn": "10s",
  "index.search.slowlog.threshold.query.info": "5s",
  "index.search.slowlog.threshold.query.debug": "2s",
  "index.search.slowlog.threshold.query.trace": "500ms",
  "index.search.slowlog.level": "info"
}
Step 3: Configure DB Audit Collector

Add your Elasticsearch cluster to the DB Audit configuration.

databases:
  - name: production-elasticsearch
    type: elasticsearch
    hosts:
      - https://es-node1.example.com:9200
      - https://es-node2.example.com:9200
      - https://es-node3.example.com:9200

    # Authentication (use API key for production)
    username: dbaudit_reader
    password: ${ES_PASSWORD}
    # Or use API key:
    # api_key: ${ES_API_KEY}

    # TLS Configuration
    ssl:
      enabled: true
      ca_cert: /etc/dbaudit/certs/ca.pem
      verify: true

    # Connection settings
    connect_timeout: 10
    request_timeout: 30

    # Monitoring options
    options:
      track_queries: true
      track_auth_events: true
      track_index_changes: true
      include_request_body: true
      audit_index: .security-audit-*
Step 4: Test Connection

Verify your configuration before deploying.

# Test connection with curl (--cacert is the CA configured in step 3; omit the
# ":password" part to have curl prompt instead of leaving it in shell history)
curl --cacert /etc/dbaudit/certs/ca.pem -u dbaudit_reader:password \
  -X GET "https://es1:9200/_cluster/health?pretty"

# Test with API key
curl --cacert /etc/dbaudit/certs/ca.pem -H "Authorization: ApiKey YOUR_API_KEY" \
  -X GET "https://es1:9200/_cluster/health?pretty"

# Check audit log index exists (_count returns {"count": N, ...})
curl --cacert /etc/dbaudit/certs/ca.pem -u dbaudit_reader:password \
  -X GET "https://es1:9200/.security-audit-*/_count?pretty"

# View recent audit events
curl --cacert /etc/dbaudit/certs/ca.pem -u dbaudit_reader:password \
  -X GET "https://es1:9200/.security-audit-*/_search?size=5&sort=@timestamp:desc&pretty"

# Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yaml
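Once steps 1 to 4 are in place, the events enabled in step 2 (authentication_failed, security_config_change, access_denied, ...) are what the collector polls. The script below is an added example, not DB Audit's own code, showing the kind of triage a defender would run over those events: it parses lines in the Elasticsearch 7.17/8.x audit logfile format, flags a burst of failed authentications from one source, and surfaces every security configuration change and access denial. The sample lines, the 3-failures-in-5-minutes threshold and the field subset used are constructed for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in the <clustername>_audit.json format (one JSON
# object per line, dotted keys, comma before the milliseconds); not real output.
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","timestamp":"2024-05-01T10:00:00,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"dbaudit_reader","origin.type":"rest","origin.address":"203.0.113.7:51234","url.path":"/_search","request.method":"GET"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:20,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"dbaudit_reader","origin.type":"rest","origin.address":"203.0.113.7:51240","url.path":"/_search","request.method":"GET"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:41,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"dbaudit_reader","origin.type":"rest","origin.address":"203.0.113.7:51251","url.path":"/_search","request.method":"GET"}',
    '{"type":"audit","timestamp":"2024-05-01T10:01:05,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"dbaudit_reader","origin.type":"rest","origin.address":"10.0.0.5:40000","url.path":"/_cluster/health","request.method":"GET"}',
    '{"type":"audit","timestamp":"2024-05-01T10:02:00,000+0000","event.type":"security_config_change","event.action":"put_role","user.name":"elastic","origin.address":"10.0.0.9:40010","put":{"role":{"name":"dbaudit_reader"}}}',
    '{"type":"audit","timestamp":"2024-05-01T10:03:00,000+0000","event.type":"transport","event.action":"access_denied","user.name":"dbaudit_reader","origin.address":"10.0.0.5:40002","action":"indices:admin/delete","indices":["customers"]}',
]


def parse_event(line):
    """Parse one audit line; the logfile timestamp uses ',' before milliseconds."""
    event = json.loads(line)
    event["ts"] = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S,%f%z")
    return event


def triage(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Return findings worth alerting on, in the order they occur in the log."""
    findings = []
    recent_failures = defaultdict(deque)  # (user, source host) -> failure times
    for line in lines:
        ev = parse_event(line)
        action = ev.get("event.action")
        source = ev.get("origin.address", "?").rsplit(":", 1)[0]  # drop the port
        if action == "authentication_failed":
            key = (ev.get("user.name"), source)
            q = recent_failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # keep only failures in window
                q.popleft()
            if len(q) == fail_threshold:  # fire once when the burst reaches threshold
                findings.append({"kind": "auth_failure_burst", "user": key[0],
                                 "source": source, "count": len(q)})
        elif ev.get("event.type") == "security_config_change":
            findings.append({"kind": "security_config_change", "action": action,
                             "by": ev.get("user.name"), "source": source})
        elif action in ("access_denied", "tampered_request", "run_as_denied"):
            findings.append({"kind": action, "user": ev.get("user.name"), "source": source,
                             "detail": ev.get("action") or ev.get("url.path")})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LINES):
        print(finding)
```

To run it against a real cluster, feed it the lines of `<clustername>_audit.json` (or the `_source` of each hit returned by the `_search` call above) instead of SAMPLE_AUDIT_LINES.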

Compliance Support

DB Audit's Elasticsearch connector helps you meet audit requirements for major compliance frameworks.

SOC 2: Access logging
HIPAA: PHI access audit
PCI DSS: Cardholder data
GDPR: Data access rights

Troubleshooting

Authentication failed

Verify username/password or API key is correct. Check that the user exists and has the required roles.

Audit index not found

Verify xpack.security.audit.enabled: true is set and Elasticsearch was restarted. Check that audit output includes "index".

SSL certificate verification failed

Ensure the CA certificate is correct. For Elasticsearch 8.x, you can use the certificate fingerprint instead of the CA cert.

Ready to Audit Your Elasticsearch Cluster?

Start monitoring your Elasticsearch clusters in minutes with native security audit integration.