2018-05-23 18:42:51 -04:00
|
|
|
[role="xpack"]
|
|
|
|
[[forwarding-audit-logfiles]]
|
2018-05-29 18:53:19 -04:00
|
|
|
=== Forwarding audit logs to a remote cluster
|
2018-05-23 18:42:51 -04:00
|
|
|
|
2018-05-29 18:53:19 -04:00
|
|
|
When you are auditing security events, you can optionally store the logs in an
|
|
|
|
{es} index on a remote cluster. The logs are sent to the remote cluster by
|
|
|
|
using the {javaclient}/transport-client.html[transport client].
|
2018-05-23 18:42:51 -04:00
|
|
|
|
2018-05-29 18:53:19 -04:00
|
|
|
. Configure auditing such that the logs are stored in {es} rolling indices.
|
|
|
|
See <<audit-index>>.
|
|
|
|
|
|
|
|
. Establish a connection to the remote cluster by configuring the following
|
|
|
|
`xpack.security.audit.index.client` settings:
|
|
|
|
+
|
|
|
|
--
|
|
|
|
[source, yaml]
|
|
|
|
--------------------------------------------------
|
|
|
|
xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 <1>
|
|
|
|
xpack.security.audit.index.client.cluster.name: logging-prod <2>
|
|
|
|
xpack.security.audit.index.client.xpack.security.user: myuser:mypassword <3>
|
|
|
|
--------------------------------------------------
|
|
|
|
<1> A list of hosts in the remote cluster. If you are not using the default
|
|
|
|
value for the `transport.tcp.port` setting on the remote cluster, you must
|
|
|
|
specify the appropriate port number (prefixed by a colon) after each host.
|
|
|
|
<2> The remote cluster name.
|
|
|
|
<3> A valid user and password, which must have authority to create the
|
|
|
|
`.security-audit` index on the remote cluster.
|
2018-05-23 18:42:51 -04:00
|
|
|
|
|
|
|
For more information about these settings, see
|
2018-05-29 18:53:19 -04:00
|
|
|
{ref}/auditing-settings.html#remote-audit-settings[Remote audit log indexing configuration settings].
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
. If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you
|
|
|
|
must specify extra security settings:
|
2018-05-23 18:42:51 -04:00
|
|
|
|
2018-05-29 18:53:19 -04:00
|
|
|
.. {ref}/configuring-tls.html#node-certificates[Generate a node certificate on
|
|
|
|
the remote cluster], then copy that certificate to the client.
|
2018-05-23 18:42:51 -04:00
|
|
|
|
2018-05-29 18:53:19 -04:00
|
|
|
.. Enable TLS and specify the information required to access the node certificate.
|
|
|
|
|
|
|
|
*** If the signed certificate is in PKCS#12 format, add the following information
|
|
|
|
to the `elasticsearch.yml` file:
|
|
|
|
+
|
|
|
|
--
|
2018-05-23 18:42:51 -04:00
|
|
|
[source,yaml]
|
2018-05-29 18:53:19 -04:00
|
|
|
-----------------------------------------------------------
|
|
|
|
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
|
|
|
|
xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12
|
|
|
|
xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
|
|
|
For more information about these settings, see
|
|
|
|
{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].
|
|
|
|
--
|
|
|
|
|
|
|
|
*** If the certificate is in PEM format, add the following information to the
|
|
|
|
`elasticsearch.yml` file:
|
|
|
|
+
|
|
|
|
--
|
|
|
|
[source, yaml]
|
|
|
|
--------------------------------------------------
|
|
|
|
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
|
|
|
|
xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key
|
|
|
|
xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt
|
|
|
|
xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
|
|
|
|
--------------------------------------------------
|
|
|
|
|
|
|
|
For more information about these settings, see
|
|
|
|
{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].
|
|
|
|
--
|
|
|
|
|
|
|
|
.. If you secured the certificate with a password, add the password to
|
|
|
|
your {es} keystore:
|
|
|
|
|
|
|
|
*** If the signed certificate is in PKCS#12 format, use the following commands:
|
|
|
|
+
|
|
|
|
--
|
|
|
|
[source,shell]
|
|
|
|
-----------------------------------------------------------
|
|
|
|
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password
|
|
|
|
|
|
|
|
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
|
|
|
|
-----------------------------------------------------------
|
|
|
|
--
|
|
|
|
|
|
|
|
*** If the certificate is in PEM format, use the following commands:
|
|
|
|
+
|
|
|
|
--
|
|
|
|
[source,shell]
|
|
|
|
-----------------------------------------------------------
|
|
|
|
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
|
|
|
|
-----------------------------------------------------------
|
|
|
|
--
|
|
|
|
|
|
|
|
. Restart {es}.
|
|
|
|
|
|
|
|
When these steps are complete, your audit logs are stored in {es} rolling
|
|
|
|
indices on the remote cluster.
|