OpenSearch/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc

[role="xpack"]
[[forwarding-audit-logfiles]]
=== Forwarding audit logs to a remote cluster

When you are auditing security events, you can optionally store the logs in an 
{es} index on a remote cluster.  The logs are sent to the remote cluster by 
using the {javaclient}/transport-client.html[transport client]. 

. Configure auditing such that the logs are stored in {es} rolling indices. 
See <<audit-index>>. 

. Establish a connection to the remote cluster by configuring the following 
`xpack.security.audit.index.client` settings: 
+
--
[source, yaml]
--------------------------------------------------
xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 <1> 
xpack.security.audit.index.client.cluster.name: logging-prod <2>
xpack.security.audit.index.client.xpack.security.user: myuser:mypassword <3>
--------------------------------------------------
<1> A list of hosts in the remote cluster. If you are not using the default 
value for the `transport.tcp.port` setting on the remote cluster, you must 
specify the appropriate port number (prefixed by a colon) after each host. 
<2> The remote cluster name.
<3> A valid user and password, which must have authority to create the 
`.security-audit` index on the remote cluster. 

For more information about these settings, see
{ref}/auditing-settings.html#remote-audit-settings[Remote audit log indexing configuration settings].

--

. If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you 
must specify extra security settings: 

.. {ref}/configuring-tls.html#node-certificates[Generate a node certificate on 
the remote cluster], then copy that certificate to the client. 

.. Enable TLS and specify the information required to access the node certificate.

*** If the signed certificate is in PKCS#12 format, add the following information 
to the `elasticsearch.yml` file:
+
--
[source,yaml]
-----------------------------------------------------------
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12 
xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
-----------------------------------------------------------

For more information about these settings, see 
{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].
--

*** If the certificate is in PEM format, add the following information to the
`elasticsearch.yml` file:
+
--
[source, yaml]
--------------------------------------------------
xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key 
xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt 
xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ] 
--------------------------------------------------
    
For more information about these settings, see 
{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].    
--

.. If you secured the certificate with a password, add the password to
your {es} keystore:

*** If the signed certificate is in PKCS#12 format, use the following commands:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
-----------------------------------------------------------
--

*** If the certificate is in PEM format, use the following commands:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
-----------------------------------------------------------
--

. Restart {es}.

When these steps are complete, your audit logs are stored in {es} rolling 
indices on the remote cluster.