39 lines
1.3 KiB
Plaintext
39 lines
1.3 KiB
Plaintext
|
[role="xpack"]
|
||
|
|
[float]
|
||
|
|
[[audit-index]]
|
||
|
|
=== Index audit output
|
||
|
|
|
||
|
|
In addition to logging to a file, you can store audit logs in Elasticsearch
|
||
|
|
rolling indices. These indices can be either on the same cluster, or on a
|
||
|
|
remote cluster. You configure the following settings in
|
||
|
|
`elasticsearch.yml` to control how audit entries are indexed. To enable
|
||
|
|
this output, you need to configure the setting `xpack.security.audit.outputs`
|
||
|
|
in the `elasticsearch.yml` file:
|
||
|
|
|
||
|
|
[source,yaml]
|
||
|
|
----------------------------
|
||
|
|
xpack.security.audit.outputs: [ index, logfile ]
|
||
|
|
----------------------------
|
||
|
|
|
||
|
|
For more configuration options, see
|
||
|
|
{ref}/auditing-settings.html#index-audit-settings[Audit log indexing configuration settings].
|
||
|
|
|
||
|
|
IMPORTANT: No filtering is performed when auditing, so sensitive data may be
|
||
|
|
audited in plain text when including the request body in audit events.
|
||
|
|
|
||
|
|
[float]
|
||
|
|
==== Audit index settings
|
||
|
|
|
||
|
|
You can also configure settings for the indices that the events are stored in.
|
||
|
|
These settings are configured in the `xpack.security.audit.index.settings` namespace
|
||
|
|
in `elasticsearch.yml`. For example, the following configuration sets the
|
||
|
|
number of shards and replicas to 1 for the audit indices:
|
||
|
|
|
||
|
|
[source,yaml]
|
||
|
|
----------------------------
|
||
|
|
xpack.security.audit.index.settings:
|
||
|
|
index:
|
||
|
|
number_of_shards: 1
|
||
|
|
number_of_replicas: 1
|
||
|
|
----------------------------
|