2018-01-18 12:18:24 -05:00
|
|
|
[role="xpack"]
|
|
|
|
|
[[auditing-settings]]
|
|
|
|
|
=== Auditing Security Settings
|
|
|
|
|
++++
|
|
|
|
|
<titleabbrev>Auditing Settings</titleabbrev>
|
|
|
|
|
++++
|
|
|
|
|
|
|
|
|
|
All of these settings can be added to the `elasticsearch.yml` configuration
|
|
|
|
|
file. For more information, see
|
|
|
|
|
{xpack-ref}/auditing.html[Auditing Security Events].
|
|
|
|
|
|
|
|
|
|
[[general-audit-settings]]
|
|
|
|
|
==== General Auditing Settings
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.enabled`::
|
|
|
|
|
Set to `true` to enable auditing on the node. The default value is `false`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.outputs`::
|
|
|
|
|
Specifies where audit logs are output. For example: `[ index, logfile ]`. The
|
|
|
|
|
default value is `logfile`, which puts the auditing events in a dedicated
|
2018-10-26 08:19:35 -04:00
|
|
|
file named `<clustername>_audit.log` on each node.
|
|
|
|
|
You can also specify `index`, which puts the auditing events in an {es} index
|
|
|
|
|
that is prefixed with `.security_audit_log`. The index can reside on the same
|
|
|
|
|
cluster or a separate cluster.
|
2018-11-05 18:30:35 -05:00
|
|
|
+
|
2018-10-26 08:19:35 -04:00
|
|
|
For backwards compatibility reasons, if you use the logfile output type, a
|
|
|
|
|
`<clustername>_access.log` file is also created. It contains the same
|
|
|
|
|
information, but it uses the older (pre-6.5.0) formatting style.
|
|
|
|
|
If the backwards compatible format is not required, it should be disabled.
|
|
|
|
|
To do that, change its logger level to `off` in the `log4j2.properties` file.
|
|
|
|
|
For more information, see <<configuring-logging-levels>>.
|
2018-01-18 12:18:24 -05:00
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
TIP: If the index is unavailable, it is possible for auditing events to
|
|
|
|
|
be lost. The `index` output type should therefore be used in conjunction with
|
|
|
|
|
the `logfile` output type and the latter should be the official record of events.
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
[[event-audit-settings]]
|
|
|
|
|
==== Audited Event Settings
|
|
|
|
|
|
|
|
|
|
The events and some other information about what gets logged can be
|
|
|
|
|
controlled by using the following settings:
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.events.include`::
|
|
|
|
|
Specifies which events to include in the auditing output. The default value is:
|
|
|
|
|
`access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.events.exclude`::
|
|
|
|
|
Excludes the specified events from the output. By default, no events are
|
|
|
|
|
excluded.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.events.emit_request_body`::
|
|
|
|
|
Specifies whether to include the request body from REST requests on certain
|
|
|
|
|
event types such as `authentication_failed`. The default value is `false`.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
IMPORTANT: No filtering is performed when auditing, so sensitive data may be
|
|
|
|
|
audited in plain text when including the request body in audit events.
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
[[node-audit-settings]]
|
|
|
|
|
==== Local Node Info Settings
|
|
|
|
|
|
2018-10-26 08:19:35 -04:00
|
|
|
`xpack.security.audit.logfile.emit_node_name`::
|
|
|
|
|
Specifies whether to include the <<node.name,node name>> as a field in
|
|
|
|
|
each audit event.
|
|
|
|
|
The default value is `true`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.emit_node_host_address`::
|
|
|
|
|
Specifies whether to include the node's IP address as a field in each audit event.
|
|
|
|
|
The default value is `false`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.emit_node_host_name`::
|
|
|
|
|
Specifies whether to include the node's host name as a field in each audit event.
|
|
|
|
|
The default value is `false`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.emit_node_id`::
|
|
|
|
|
Specifies whether to include the node id as a field in each audit event.
|
|
|
|
|
This is available for the new format only. That is to say, this information
|
|
|
|
|
does not exist in the `<clustername>_access.log` file.
|
|
|
|
|
Unlike <<node.name,node name>>, whose value might change if the administrator
|
|
|
|
|
changes the setting in the config file, the node id will persist across cluster
|
|
|
|
|
restarts and the administrator cannot change it.
|
|
|
|
|
The default value is `true`.
|
2018-01-18 12:18:24 -05:00
|
|
|
|
2018-11-09 09:58:10 -05:00
|
|
|
[[audit-event-ignore-policies]]
|
|
|
|
|
==== Audit Logfile Event Ignore Policies
|
|
|
|
|
|
|
|
|
|
These settings affect the {stack-ov}/audit-log-output.html#audit-log-ignore-policy[ignore policies]
|
|
|
|
|
that enable fine-grained control over which audit events are printed to the log file.
|
|
|
|
|
All of the settings with the same policy name combine to form a single policy.
|
|
|
|
|
If an event matches all of the conditions for a specific policy, it is ignored
|
|
|
|
|
and not printed.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users`::
|
|
|
|
|
A list of user names or wildcards. The specified policy will
|
|
|
|
|
not print audit events for users matching these values.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms`::
|
|
|
|
|
A list of authentication realm names or wildcards. The specified policy will
|
|
|
|
|
not print audit events for users in these realms.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles`::
|
|
|
|
|
A list of role names or wildcards. The specified policy will
|
|
|
|
|
not print audit events for users that have these roles. If the user has several
|
|
|
|
|
roles, some of which are *not* covered by the policy, the policy will
|
|
|
|
|
*not* cover this event.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices`::
|
|
|
|
|
A list of index names or wildcards. The specified policy will
|
|
|
|
|
not print audit events when all the indices in the event match
|
|
|
|
|
these values. If the event concerns several indices, some of which are
|
|
|
|
|
*not* covered by the policy, the policy will *not* cover this event.
|
|
|
|
|
|
2018-01-18 12:18:24 -05:00
|
|
|
[[index-audit-settings]]
|
|
|
|
|
==== Audit Log Indexing Configuration Settings
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.bulk_size`::
|
|
|
|
|
Controls how many audit events are batched into a single write. The default
|
|
|
|
|
value is `1000`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.flush_interval`::
|
|
|
|
|
Controls how often buffered events are flushed to the index. The default value
|
|
|
|
|
is `1s`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.rollover`::
|
|
|
|
|
Controls how often to roll over to a new index: `hourly`, `daily`, `weekly`, or
|
|
|
|
|
`monthly`. The default value is `daily`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.events.include`::
|
|
|
|
|
Specifies the audit events to be indexed. The default value is
|
|
|
|
|
`anonymous_access_denied, authentication_failed, realm_authentication_failed, access_granted, access_denied, tampered_request, connection_granted, connection_denied, run_as_granted, run_as_denied`.
|
2018-06-07 13:48:21 -04:00
|
|
|
See {xpack-ref}/audit-event-types.html[Audit Entry Types] for the
|
2018-01-18 12:18:24 -05:00
|
|
|
complete list.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.events.exclude`::
|
|
|
|
|
Excludes the specified auditing events from indexing. By default, no events are
|
|
|
|
|
excluded.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.events.emit_request_body`::
|
|
|
|
|
Specifies whether to include the request body from REST requests on certain
|
|
|
|
|
event types such as `authentication_failed`. The default value is `false`.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.settings`::
|
|
|
|
|
Specifies settings for the indices that the events are stored in. For example,
|
|
|
|
|
the following configuration sets the number of shards and replicas to 1 for the
|
|
|
|
|
audit indices:
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,yaml]
|
|
|
|
|
----------------------------
|
|
|
|
|
xpack.security.audit.index.settings:
|
|
|
|
|
index:
|
|
|
|
|
number_of_shards: 1
|
|
|
|
|
number_of_replicas: 1
|
|
|
|
|
----------------------------
|
|
|
|
|
--
|
2018-06-12 09:19:43 -04:00
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
NOTE: These settings apply to the local audit indices, as well as to the
|
|
|
|
|
<<remote-audit-settings, remote audit indices>>, but only if the remote cluster
|
2018-12-19 17:53:37 -05:00
|
|
|
does *not* have {security-features} enabled or the {es} versions are different.
|
|
|
|
|
If the remote cluster has {security-features} enabled and the versions coincide,
|
|
|
|
|
the settings for the audit indices there will take precedence,
|
2018-06-12 09:19:43 -04:00
|
|
|
even if they are unspecified (i.e. left to defaults).
|
|
|
|
|
--
|
2018-01-18 12:18:24 -05:00
|
|
|
|
|
|
|
|
[[remote-audit-settings]]
|
|
|
|
|
==== Remote Audit Log Indexing Configuration Settings
|
|
|
|
|
|
|
|
|
|
To index audit events to a remote {es} cluster, you configure the following
|
|
|
|
|
`xpack.security.audit.index.client` settings:
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.client.hosts`::
|
|
|
|
|
Specifies a comma-separated list of `host:port` pairs. These hosts should be
|
2018-05-23 11:41:06 -04:00
|
|
|
nodes in the remote cluster. If you are using default values for the
|
2018-12-18 15:09:58 -05:00
|
|
|
<<common-network-settings,`transport.port`>> setting, you can omit the
|
|
|
|
|
`port` value. Otherwise, it must match the `transport.port` setting.
|
2018-01-18 12:18:24 -05:00
|
|
|
|
|
|
|
|
`xpack.security.audit.index.client.cluster.name`::
|
|
|
|
|
Specifies the name of the remote cluster.
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.client.xpack.security.user`::
|
|
|
|
|
Specifies the `username:password` pair that is used to authenticate with the
|
2018-05-29 18:53:19 -04:00
|
|
|
remote cluster. This user must have authority to create the `.security-audit`
|
|
|
|
|
index on the remote cluster.
|
|
|
|
|
|
|
|
|
|
If the remote {es} cluster has Transport Layer Security (TLS/SSL) enabled, you
|
|
|
|
|
must set the following setting to `true`:
|
|
|
|
|
|
|
|
|
|
`xpack.security.audit.index.client.xpack.security.transport.ssl.enabled`::
|
|
|
|
|
Used to enable or disable TLS/SSL for the transport client that forwards audit
|
|
|
|
|
logs to the remote cluster. The default is `false`.
|
|
|
|
|
|
|
|
|
|
You must also specify the information necessary to access certificates. See
|
|
|
|
|
<<auditing-tls-ssl-settings>>.
|
2018-01-18 12:18:24 -05:00
|
|
|
|
|
|
|
|
You can pass additional settings to the remote client by specifying them in the
|
2018-05-29 18:53:19 -04:00
|
|
|
`xpack.security.audit.index.client` namespace. For example, you can add
|
|
|
|
|
<<modules-transport,transport settings>> and
|
|
|
|
|
<<tcp-settings,advanced TCP settings>> in that namespace. To allow the remote
|
2018-01-18 12:18:24 -05:00
|
|
|
client to discover all of the nodes in the remote cluster you can specify the
|
|
|
|
|
`client.transport.sniff` setting:
|
|
|
|
|
|
|
|
|
|
[source,yaml]
|
|
|
|
|
----------------------------
|
|
|
|
|
xpack.security.audit.index.client.transport.sniff: true
|
|
|
|
|
----------------------------
|
