DOCS Add audit ignore settings to reference page (#35274)

Adds the logfile audit ignore policy settings synopsis
to the Auditing Reference page.
This commit is contained in:
Albert Zaharovits 2018-11-09 16:58:10 +02:00 committed by GitHub
parent 807ce10f73
commit f2d7c94949
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 29 additions and 1 deletions

View File

@ -58,7 +58,6 @@ event types such as `authentication_failed`. The default value is `false`.
--
IMPORTANT: No filtering is performed when auditing, so sensitive data may be
audited in plain text when including the request body in audit events.
--
[[node-audit-settings]]
@ -86,6 +85,35 @@ changes the setting in the config file, the node id will persist across cluster
restarts and the administrator cannot change it.
The default value is `true`.
[[audit-event-ignore-policies]]
==== Audit Logfile Event Ignore Policies
These settings affect the {stack-ov}/audit-log-output.html#audit-log-ignore-policy[ignore policies]
that enable fine-grained control over which audit events are printed to the log file.
All of the settings with the same policy name combine to form a single policy.
If an event matches all of the conditions for a specific policy, it is ignored
and not printed.
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users`::
A list of user names or wildcards. The specified policy will
not print audit events for users matching these values.
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms`::
A list of authentication realm names or wildcards. The specified policy will
not print audit events for users in these realms.
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles`::
A list of role names or wildcards. The specified policy will
not print audit events for users that have these roles. If the user has several
roles, some of which are *not* covered by the policy, the policy will
*not* cover this event.
`xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices`::
A list of index names or wildcards. The specified policy will
not print audit events when all the indices in the event match
these values. If the event concerns several indices, some of which are
*not* covered by the policy, the policy will *not* cover this event.
[[index-audit-settings]]
==== Audit Log Indexing Configuration Settings