Logo of Trend Micro

AWS Elasticsearch Slow Logs

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: ES-011

Ensure that your AWS Elasticsearch clusters have enabled the support for publishing slow logs to AWS CloudWatch Logs. This feature enables you to publish slow logs from the indexing and search operations performed on your ES clusters and gain full insight into the performance of these operations.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Performance
efficiency
Operational
excellence

Once enabled, Elasticsearch slow logs can help you identify performance issues caused by specific queries or due to changes in cluster usage. Then you can use this information to optimize your queries or your index configuration to address the problem.

Note: If enabled, the standard Amazon CloudWatch pricing does apply.

Audit

To determine if your AWS ES clusters have enabled the support for publishing slow logs (search and index slow logs) to AWS CloudWatch, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the name (link) of the ES domain that you want to examine. A domain is a collection of resources required to run an AWS Elasticsearch cluster.

04 Select the Logs tab to access the slow logs configuration information. If the Status attribute value for Search slow logs and/or index slow logs is set to Disabled:

Search slow logs and/or index slow logs is set to Disabled

the Slow Logs feature is not enabled for the selected AWS ES cluster.

05 Repeat step no. 3 and 4 to verify the Slow Logs feature status for other AWS ES domains (clusters) available within the current region.

06 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-domain-names command (OSX/Linux/UNIX) to list the names of all AWS Elasticsearch (ES) domains currently available within the selected region: 

aws es list-domain-names
	--region us-east-1

02 The command output should return the requested ES domain names: 

{
    "DomainNames": [
        {
            "DomainName": "cc-es-cluster-v5"
        },
        {
            "DomainName": "cc-es-us-cluster"
        }
    ]
}

03 Run describe-elasticsearch-domain command (OSX/Linux/UNIX) using the ES domain name returned at the previous step and custom query filters to expose the Slow Logs feature configuration for the selected AWS ES domain: 

aws es describe-elasticsearch-domain
	--region us-east-1
	--domain-name cc-es-cluster-v5
	--query 'DomainStatus.LogPublishingOptions'

04 The command output should return the search and index slow logs configuration for selected ES cluster: 

{
    "INDEX_SLOW_LOGS": {
        "Enabled": false
    },
    "SEARCH_SLOW_LOGS": {
        "Enabled": false
    }
}

Check the INDEX_SLOW_LOGS and SEARCH_SLOW_LOGS configuration objects returned by the command output. If the Enabled attribute value for INDEX_SLOW_LOGS and/or SEARCH_SLOW_LOGS is set to false, as shown in the example above, the Slow Logs feature is disabled for the selected Amazon Elasticsearch cluster.

05 Repeat step no. 3 and 4 to verify the Slow Logs feature status for other AWS ES domains (clusters) available within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the audit process for other regions.

Remediation / Resolution

To enable Elasticsearch Slow Logs publishing to AWS CloudWatch Logs, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Elasticsearch (ES) dashboard at https://console.aws.amazon.com/es/.

03 Click on the ES domain that you want to reconfigure (see Audit section part I to identify the right resource).

04 Select the Logs tab to access the slow logs configuration panel.

05 To enable search slow logs, within Set up Search slow logs section, click Setup to start the ES search slow logs setup process. For CloudWatch Logs log group setting, choose Create new log group and for Specify CloudWatch access policy, select Create a new policy. You can use the default path provided by AWS ES service for the group name, available within New log group name box and the default policy name, available in the New policy name box or use your own custom path and policy name. Once configured, click Enable to apply the changes and enable search slow logs for the selected Elasticsearch cluster. The search slow logs setting status should change now to Enabled.

06 To enable index slow logs, inside Set up Index slow logs section, click Setup to start the ES index slow logs setup. For CloudWatch Logs log group setting, choose Create new log group and for Specify CloudWatch access policy, select Create a new policy. You can use the default path provided by AWS ES service for the group name, available within New log group name box and the default policy name, available in the New policy name box or use your own custom path and policy name. Click Enable to apply configuration changes and enable index slow logs for the selected AWS ES cluster. On the Logs tab, the index slow logs setting status should change now to Enabled.

07 Repeat steps no. 3 - 6 to enable search and index slow logs publishing to AWS CloudWatch for other AWS ES domains available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 First, execute create-log-group command (OSX/Linux/UNIX) to create the necessary AWS CloudWatch log group within the selected region (the command does not produce an output): 

aws logs create-log-group
	--region us-east-1
	--log-group-name cc-cloudwatch-log-group

02 Run describe-log-groups command (OSX/Linux/UNIX) using the name of the newly created CloudWatch log group and custom query filters to expose the CloudWatch resource ARN: 

aws logs describe-log-groups
	--region us-east-1
	--log-group-name cc-cloudwatch-log-group
	--query 'logGroups[*].arn'

03 The command output should return the requested log group ARN: 

[
  "arn:aws:logs:us-east-1:123456789012:log-group:cc-cloudwatch-log-group:*"
]

04 Now execute put-resource-policy command (OSX/Linux/UNIX) to give Amazon Elasticsearch permissions to write to the CloudWatch log group created at step no. 1: 

aws logs put-resource-policy
	--region us-east-1
	--policy-name es-slow-logs-policy
	--policy-document '{ "Version": "2012-10-17", "Statement": [{ "Sid": "", "Effect": "Allow", "Principal": { "Service": "es.amazonaws.com"}, "Action":[ "logs:PutLogEvents"," logs:PutLogEventsBatch","logs:CreateLogStream"],"Resource": "arn:aws:logs:us-east-1:123456789012:log-group:cc-cloudwatch-log-group:*"}]}'

05 The command output should return the command request metadata (including information about the access policy used): 

{
    "resourcePolicy": {
        "policyName": "es-slow-logs-policy",
        "policyDocument": "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Sid\": \"\", \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"es.amazonaws.com\"}, \"Action\":[ \"logs:PutLogEvents\",\" logs:PutLogEventsBatch\",\"logs:CreateLogStream\"],\"Resource\": \"arn:aws:logs:us-east-1:123456789012:log-group:cc-cloudwatch-log-group:*\"}]}",
        "lastUpdatedTime": 1510081902775
    }
}

06 Run update-elasticsearch-domain-config command (OSX/Linux/UNIX) to update the cluster configuration and enable the publishing of search and index slow logs for the specified AWS ES domain: 

aws es update-elasticsearch-domain-config
	--region us-east-1
	--domain-name cc-es-cluster-v5
	--log-publishing-options "SEARCH_SLOW_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:cc-cloudwatch-log-group:*,Enabled=true},INDEX_SLOW_LOGS={CloudWatchLogsLogGroupArn=arn:aws:logs:us-east-1:123456789012:log-group:cc-cloudwatch-log-group:*,Enabled=true}"

07 The command output should return the new configuration metadata for the selected AWS ES domain: 

{
    "DomainConfig": {
        "ElasticsearchClusterConfig": {
            "Status": {
                "PendingDeletion": false,
                "State": "Active",
                "CreationDate": 1510072997,
                "UpdateVersion": 5,
                "UpdateDate": 1510073688
            },
            "Options": {
                "DedicatedMasterEnabled": false,
                "InstanceCount": 2,
                "ZoneAwarenessEnabled": false,
                "InstanceType": "c4.xlarge.elasticsearch"
            }
        },

        ...

        "LogPublishingOptions": {
            "Status": {
                "PendingDeletion": false,
                "State": "Processing",
                "CreationDate": 1510077571,
                "UpdateVersion": 23,
                "UpdateDate": 1510081936
            },
            "Options": {
                "INDEX_SLOW_LOGS": {
                    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cc-cloudwatch-log-group:*",
                    "Enabled": true
                },
                "SEARCH_SLOW_LOGS": {
                    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:cc-cloudwatch-log-group:*",
                    "Enabled": true
                }
            }
        }
    }
}

08 Repeat steps no. 1 – 7 to enable search and index slow logs publishing to AWS CloudWatch for other AWS ES domains available in the current region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 8 to perform the entire process for other regions.

References

Publication date Nov 8, 2017

Related Elasticsearch rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

AWS Elasticsearch Slow Logs

Risk level: Medium