OpenSearch/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc

99 lines
4.0 KiB
Plaintext
Raw Normal View History

[role="xpack"]
[[forwarding-audit-logfiles]]
=== Forwarding audit logs to a remote cluster
When you are auditing security events, you can optionally store the logs in an
{es} index on a remote cluster. The logs are sent to the remote cluster by
using the {javaclient}/transport-client.html[transport client].
. Configure auditing such that the logs are stored in {es} rolling indices.
See <<audit-index>>.
. Establish a connection to the remote cluster by configuring the following
`xpack.security.audit.index.client` settings:
+
--
[source, yaml]
--------------------------------------------------
xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 <1>
xpack.security.audit.index.client.cluster.name: logging-prod <2>
xpack.security.audit.index.client.xpack.security.user: myuser:mypassword <3>
--------------------------------------------------
<1> A list of hosts in the remote cluster. If you are not using the default
value for the `transport.tcp.port` setting on the remote cluster, you must
specify the appropriate port number (prefixed by a colon) after each host.
<2> The remote cluster name.
<3> A valid user and password, which must have authority to create the
`.security-audit` index on the remote cluster.
For more information about these settings, see
{ref}/auditing-settings.html#remote-audit-settings[Remote audit log indexing configuration settings].
--
. If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you
must specify extra security settings:
.. {ref}/configuring-tls.html#node-certificates[Generate a node certificate on
the remote cluster], then copy that certificate to the client.
.. Enable TLS and specify the information required to access the node certificate.
*** If the signed certificate is in PKCS#12 format, add the following information
to the `elasticsearch.yml` file:
+
--
[source,yaml]
-----------------------------------------------------------
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12
xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
-----------------------------------------------------------
For more information about these settings, see
{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].
--
*** If the certificate is in PEM format, add the following information to the
`elasticsearch.yml` file:
+
--
[source, yaml]
--------------------------------------------------
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key
xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt
xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
--------------------------------------------------
For more information about these settings, see
{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].
--
.. If you secured the certificate with a password, add the password to
your {es} keystore:
*** If the signed certificate is in PKCS#12 format, use the following commands:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
-----------------------------------------------------------
--
*** If the certificate is in PEM format, use the following commands:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
-----------------------------------------------------------
--
. Restart {es}.
When these steps are complete, your audit logs are stored in {es} rolling
indices on the remote cluster.