mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-03-03 01:19:10 +00:00
47a9a8de49
This is related to #36652. In 7.0 we plan to deprecate a number of settings that make reference to the concept of a tcp transport. We mostly just have a single transport type now (based on tcp). Settings should only reference tcp if they are referring to socket options. This commit updates the settings in the docs. And removes string usages of the old settings. Additionally it adds a missing remote compress setting to the docs.
99 lines
4.0 KiB
Plaintext
99 lines
4.0 KiB
Plaintext
[role="xpack"]
|
|
[[forwarding-audit-logfiles]]
|
|
=== Forwarding audit logs to a remote cluster
|
|
|
|
When you are auditing security events, you can optionally store the logs in an
|
|
{es} index on a remote cluster. The logs are sent to the remote cluster by
|
|
using the {javaclient}/transport-client.html[transport client].
|
|
|
|
. Configure auditing such that the logs are stored in {es} rolling indices.
|
|
See <<audit-index>>.
|
|
|
|
. Establish a connection to the remote cluster by configuring the following
|
|
`xpack.security.audit.index.client` settings:
|
|
+
|
|
--
|
|
[source, yaml]
|
|
--------------------------------------------------
|
|
xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 <1>
|
|
xpack.security.audit.index.client.cluster.name: logging-prod <2>
|
|
xpack.security.audit.index.client.xpack.security.user: myuser:mypassword <3>
|
|
--------------------------------------------------
|
|
<1> A list of hosts in the remote cluster. If you are not using the default
|
|
value for the `transport.port` setting on the remote cluster, you must
|
|
specify the appropriate port number (prefixed by a colon) after each host.
|
|
<2> The remote cluster name.
|
|
<3> A valid user and password, which must have authority to create the
|
|
`.security-audit` index on the remote cluster.
|
|
|
|
For more information about these settings, see
|
|
{ref}/auditing-settings.html#remote-audit-settings[Remote audit log indexing configuration settings].
|
|
|
|
--
|
|
|
|
. If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you
|
|
must specify extra security settings:
|
|
|
|
.. {ref}/configuring-tls.html#node-certificates[Generate a node certificate on
|
|
the remote cluster], then copy that certificate to the client.
|
|
|
|
.. Enable TLS and specify the information required to access the node certificate.
|
|
|
|
*** If the signed certificate is in PKCS#12 format, add the following information
|
|
to the `elasticsearch.yml` file:
|
|
+
|
|
--
|
|
[source,yaml]
|
|
-----------------------------------------------------------
|
|
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
|
|
xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12
|
|
xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
|
|
-----------------------------------------------------------
|
|
|
|
For more information about these settings, see
|
|
{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].
|
|
--
|
|
|
|
*** If the certificate is in PEM format, add the following information to the
|
|
`elasticsearch.yml` file:
|
|
+
|
|
--
|
|
[source, yaml]
|
|
--------------------------------------------------
|
|
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
|
|
xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key
|
|
xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt
|
|
xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
|
|
--------------------------------------------------
|
|
|
|
For more information about these settings, see
|
|
{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].
|
|
--
|
|
|
|
.. If you secured the certificate with a password, add the password to
|
|
your {es} keystore:
|
|
|
|
*** If the signed certificate is in PKCS#12 format, use the following commands:
|
|
+
|
|
--
|
|
[source,shell]
|
|
-----------------------------------------------------------
|
|
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password
|
|
|
|
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
|
|
-----------------------------------------------------------
|
|
--
|
|
|
|
*** If the certificate is in PEM format, use the following commands:
|
|
+
|
|
--
|
|
[source,shell]
|
|
-----------------------------------------------------------
|
|
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
|
|
-----------------------------------------------------------
|
|
--
|
|
|
|
. Restart {es}.
|
|
|
|
When these steps are complete, your audit logs are stored in {es} rolling
|
|
indices on the remote cluster. |