2018-05-23 18:42:51 -04:00
|
|
|
[role="xpack"]
|
|
|
|
[[audit-index]]
|
|
|
|
=== Index audit output
|
|
|
|
|
|
|
|
In addition to logging to a file, you can store audit logs in Elasticsearch
|
|
|
|
rolling indices. These indices can be either on the same cluster, or on a
|
|
|
|
remote cluster. You configure the following settings in
|
|
|
|
`elasticsearch.yml` to control how audit entries are indexed. To enable
|
|
|
|
this output, you need to configure the setting `xpack.security.audit.outputs`
|
|
|
|
in the `elasticsearch.yml` file:
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
----------------------------
|
|
|
|
xpack.security.audit.outputs: [ index, logfile ]
|
|
|
|
----------------------------
|
|
|
|
|
|
|
|
For more configuration options, see
|
|
|
|
{ref}/auditing-settings.html#index-audit-settings[Audit log indexing configuration settings].
|
|
|
|
|
|
|
|
IMPORTANT: No filtering is performed when auditing, so sensitive data may be
|
|
|
|
audited in plain text when including the request body in audit events.
|
|
|
|
|
|
|
|
[float]
|
|
|
|
==== Audit index settings
|
|
|
|
|
|
|
|
You can also configure settings for the indices that the events are stored in.
|
|
|
|
These settings are configured in the `xpack.security.audit.index.settings` namespace
|
|
|
|
in `elasticsearch.yml`. For example, the following configuration sets the
|
|
|
|
number of shards and replicas to 1 for the audit indices:
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
----------------------------
|
|
|
|
xpack.security.audit.index.settings:
|
|
|
|
index:
|
|
|
|
number_of_shards: 1
|
|
|
|
number_of_replicas: 1
|
|
|
|
----------------------------
|
2018-06-07 11:55:14 -04:00
|
|
|
|
2018-06-12 09:19:43 -04:00
|
|
|
These settings apply to the local audit indices, as well as to the
|
|
|
|
<<forwarding-audit-logfiles, remote audit indices>>, but only if the remote cluster
|
|
|
|
does *not* have {security} installed, or the {es} versions are different.
|
|
|
|
If the remote cluster has {security} installed, and the versions coincide, the
|
|
|
|
settings for the audit indices there will take precedence,
|
|
|
|
even if they are unspecified (i.e. left to defaults).
|
|
|
|
|
2018-06-07 11:55:14 -04:00
|
|
|
NOTE: Audit events are batched for indexing so there is a lag before
|
|
|
|
events appear in the index. You can control how frequently batches of
|
|
|
|
events are pushed to the index by setting
|
|
|
|
`xpack.security.audit.index.flush_interval` in `elasticsearch.yml`.
|