diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 69045dca0a2..011a66d62b3 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc @@ -58,7 +58,6 @@ event types such as `authentication_failed`. The default value is `false`. -- IMPORTANT: No filtering is performed when auditing, so sensitive data may be audited in plain text when including the request body in audit events. - -- [[node-audit-settings]] 
@@ -86,6 +85,35 @@ changes the setting in the config file, the node id will persist across cluster restarts and the administrator cannot change it. The default value is `true`. +[[audit-event-ignore-policies]] +==== Audit Logfile Event Ignore Policies + +These settings affect the {stack-ov}/audit-log-output.html#audit-log-ignore-policy[ignore policies] +that enable fine-grained control over which audit events are printed to the log file. +All of the settings with the same policy name combine to form a single policy. +If an event matches all of the conditions for a specific policy, it is ignored +and not printed. + +`xpack.security.audit.logfile.events.ignore_filters..users`:: +A list of user names or wildcards. The specified policy will +not print audit events for users matching these values. + +`xpack.security.audit.logfile.events.ignore_filters..realms`:: +A list of authentication realm names or wildcards. The specified policy will +not print audit events for users in these realms. + +`xpack.security.audit.logfile.events.ignore_filters..roles`:: +A list of role names or wildcards. The specified policy will +not print audit events for users that have these roles. If the user has several +roles, some of which are *not* covered by the policy, the policy will +*not* cover this event. + +`xpack.security.audit.logfile.events.ignore_filters..indices`:: +A list of index names or wildcards. The specified policy will +not print audit events when all the indices in the event match +these values. If the event concerns several indices, some of which are +*not* covered by the policy, the policy will *not* cover this event. + [[index-audit-settings]] ==== Audit Log Indexing Configuration Settings
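Review bot: In the second hunk (`@@ -86,6 +85,35 @@`), all four setting keys are written with two consecutive dots (`xpack.security.audit.logfile.events.ignore_filters..users`, and likewise `..realms`, `..roles`, `..indices`), so the policy-name segment that the intro relies on ("All of the settings with the same policy name combine to form a single policy") does not appear in the key. Put an explicit placeholder between the dots, for example `ignore_filters.<policy_name>.users`, and confirm it survives AsciiDoc rendering. The section states that an event is ignored when it matches all of the conditions of a policy, but not how several policies interact or how a condition that is left unset is treated; a sentence on each would help, since these settings cause matching events to be left out of the audit log file. The new entries also state no default value, unlike the neighbouring settings, which end with "The default value is ...".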