[DOCS] Move auditing settings to Elasticsearch Reference (elastic/x-pack-elasticsearch#3608)
Original commit: elastic/x-pack-elasticsearch@a108afd26b
This commit is contained in:
Lisa Cawley
GitHub
parent
eefd8e7940
commit
0ea43c1aa1
|
|
@ -16,3 +16,4 @@ include::securing-communications/configuring-tls-docker.asciidoc[]
|
|||
include::securing-communications/enabling-cipher-suites.asciidoc[]
|
||||
include::securing-communications/separating-node-client-traffic.asciidoc[]
|
||||
include::{xes-repo-dir}/settings/security-settings.asciidoc[]
|
||||
include::{xes-repo-dir}/settings/audit-settings.asciidoc[]
|
||||
|
|
|
|||
|
|
@ -0,0 +1,141 @@
|
|||
[role="xpack"]
|
||||
[[auditing-settings]]
|
||||
=== Auditing Security Settings
|
||||
++++
|
||||
<titleabbrev>Auditing Settings</titleabbrev>
|
||||
++++
|
||||
|
||||
All of these settings can be added to the `elasticsearch.yml` configuration
|
||||
file. For more information, see
|
||||
{xpack-ref}/auditing.html[Auditing Security Events].
|
||||
|
||||
[[general-audit-settings]]
|
||||
==== General Auditing Settings
|
||||
|
||||
`xpack.security.audit.enabled`::
|
||||
Set to `true` to enable auditing on the node. The default value is `false`.
|
||||
|
||||
`xpack.security.audit.outputs`::
|
||||
Specifies where audit logs are output. For example: `[ index, logfile ]`. The
|
||||
default value is `logfile`, which puts the auditing events in a dedicated
|
||||
`<clustername>_access.log` file on the node. You can also specify `index`, which
|
||||
puts the auditing events in an {es} index that is prefixed with
|
||||
`.security_audit_log`. The index can reside on the same cluster or a separate
|
||||
cluster.
|
||||
+
|
||||
--
|
||||
TIP: If the index is unavailable, it is possible for auditing events to
|
||||
be lost. The `index` output type should therefore be used in conjunction with
|
||||
the `logfile` output type and the latter should be the official record of events.
|
||||
|
||||
--
|
||||
|
||||
[[event-audit-settings]]
|
||||
==== Audited Event Settings
|
||||
|
||||
The events and some other information about what gets logged can be
|
||||
controlled by using the following settings:
|
||||
|
||||
`xpack.security.audit.logfile.events.include`::
|
||||
Specifies which events to include in the auditing output. The default value is:
|
||||
`access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted`.
|
||||
|
||||
`xpack.security.audit.logfile.events.exclude`::
|
||||
Excludes the specified events from the output. By default, no events are
|
||||
excluded.
|
||||
|
||||
`xpack.security.audit.logfile.events.emit_request_body`::
|
||||
Specifies whether to include the request body from REST requests on certain
|
||||
event types such as `authentication_failed`. The default value is `false`.
|
||||
+
|
||||
--
|
||||
IMPORTANT: No filtering is performed when auditing, so sensitive data may be
|
||||
audited in plain text when including the request body in audit events.
|
||||
|
||||
--
|
||||
|
||||
[[node-audit-settings]]
|
||||
==== Local Node Info Settings
|
||||
|
||||
`xpack.security.audit.logfile.prefix.emit_node_name`::
|
||||
Specifies whether to include the node's name in the local node info. The
|
||||
default value is `true`.
|
||||
|
||||
`xpack.security.audit.logfile.prefix.emit_node_host_address`::
|
||||
Specifies whether to include the node's IP address in the local node info. The
|
||||
default value is `false`.
|
||||
|
||||
`xpack.security.audit.logfile.prefix.emit_node_host_name`::
|
||||
Specifies whether to include the node's host name in the local node info. The
|
||||
default value is `false`.
|
||||
|
||||
[[index-audit-settings]]
|
||||
==== Audit Log Indexing Configuration Settings
|
||||
|
||||
`xpack.security.audit.index.bulk_size`::
|
||||
Controls how many audit events are batched into a single write. The default
|
||||
value is `1000`.
|
||||
|
||||
`xpack.security.audit.index.flush_interval`::
|
||||
Controls how often buffered events are flushed to the index. The default value
|
||||
is `1s`.
|
||||
|
||||
`xpack.security.audit.index.rollover`::
|
||||
Controls how often to roll over to a new index: `hourly`, `daily`, `weekly`, or
|
||||
`monthly`. The default value is `daily`.
|
||||
|
||||
`xpack.security.audit.index.events.include`::
|
||||
Specifies the audit events to be indexed. The default value is
|
||||
`anonymous_access_denied, authentication_failed, realm_authentication_failed, access_granted, access_denied, tampered_request, connection_granted, connection_denied, run_as_granted, run_as_denied`.
|
||||
See {xpack-ref}/auditing.html#audit-event-types[Audit Entry Types] for the
|
||||
complete list.
|
||||
|
||||
`xpack.security.audit.index.events.exclude`::
|
||||
Excludes the specified auditing events from indexing. By default, no events are
|
||||
excluded.
|
||||
|
||||
`xpack.security.audit.index.events.emit_request_body`::
|
||||
Specifies whether to include the request body from REST requests on certain
|
||||
event types such as `authentication_failed`. The default value is `false`.
|
||||
|
||||
`xpack.security.audit.index.settings`::
|
||||
Specifies settings for the indices that the events are stored in. For example,
|
||||
the following configuration sets the number of shards and replicas to 1 for the
|
||||
audit indices:
|
||||
+
|
||||
--
|
||||
[source,yaml]
|
||||
----------------------------
|
||||
xpack.security.audit.index.settings:
|
||||
index:
|
||||
number_of_shards: 1
|
||||
number_of_replicas: 1
|
||||
----------------------------
|
||||
--
|
||||
|
||||
[[remote-audit-settings]]
|
||||
==== Remote Audit Log Indexing Configuration Settings
|
||||
|
||||
To index audit events to a remote {es} cluster, you configure the following
|
||||
`xpack.security.audit.index.client` settings:
|
||||
|
||||
`xpack.security.audit.index.client.hosts`::
|
||||
Specifies a comma-separated list of `host:port` pairs. These hosts should be
|
||||
nodes in the remote cluster.
|
||||
|
||||
`xpack.security.audit.index.client.cluster.name`::
|
||||
Specifies the name of the remote cluster.
|
||||
|
||||
`xpack.security.audit.index.client.xpack.security.user`::
|
||||
Specifies the `username:password` pair that is used to authenticate with the
|
||||
remote cluster.
|
||||
|
||||
You can pass additional settings to the remote client by specifying them in the
|
||||
`xpack.security.audit.index.client` namespace. For example, to allow the remote
|
||||
client to discover all of the nodes in the remote cluster you can specify the
|
||||
`client.transport.sniff` setting:
|
||||
|
||||
[source,yaml]
|
||||
----------------------------
|
||||
xpack.security.audit.index.client.transport.sniff: true
|
||||
----------------------------
|
||||
|
|
@ -9,8 +9,9 @@ You configure `xpack.security` settings to
|
|||
<<anonymous-access-settings, enable anonymous access>>
|
||||
and perform message authentication,
|
||||
<<field-document-security-settings, set up document and field level security>>,
|
||||
<<realm-settings, configure realms>>, and
|
||||
<<ssl-tls-settings, encrypt communications with SSL>>.
|
||||
<<realm-settings, configure realms>>,
|
||||
<<ssl-tls-settings, encrypt communications with SSL>>, and
|
||||
<<auditing-settings, audit security events>>.
|
||||
|
||||
All of these settings can be added to the `elasticsearch.yml` configuration file,
|
||||
with the exception of the secure settings, which you add to the {es} keystore.
|
||||
|
|
|
|||
Loading…
Reference in New Issue