6.4 xpack.security.audit.logfile.events.ignore_filters.*.realms broken?


(Maciek Misztal) #1

In our cluster, we have added the following snippet to our elasticsearch.yaml across all nodes:

xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index ]
xpack.security.audit.index.events.emit_request_body: true

We have restarted all nodes in the cluster and applied the following via the Kibana's dev-tools:

PUT /_cluster/settings
{
    "transient": {
        "xpack.security.audit.logfile.events.ignore_filters": {
            "ourpolicyname": {
                "realms": [
                    "__attach",
                    "__anonymous",
                    "reserved"
                ]
            }
        }
    }
}

We have removed the daily .security_audit_log-* index and waited for it to become recreated.

Upon recreation, our expectation was to see the __attach, __anonymous and reserved realms filtered out of the audit log. Instead, what we're seeing is:

Which indicates that events from the aforementioned realms keep flowing in and that the audit log is not filtering them out as we intended. Our intention is to have the audit log ignore all of the events from those realms from all indices.

We have also tried to apply the equivalent ignore_filters configuration via elasticsearch.yml with the same result.

Please tell us whether this is a misconfiguration on our end or whether there is a bug in this piece of functionality.

Best regards
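The following is an added illustration, not code from the post or from Elasticsearch: it models the documented matching rule of the logfile output's ignore policies (an event is dropped only when it matches every field a policy declares, and matching any one policy is enough) against constructed sample audit events, so the intended effect of the policy in the post can be checked offline. The field names on the sample events and the glob-style pattern matching are assumptions made for the illustration.

```python
import fnmatch

# Ignore policy copied from the post (a logfile-output setting).
IGNORE_FILTERS = {
    "ourpolicyname": {
        "realms": ["__attach", "__anonymous", "reserved"],
    }
}

# Constructed sample events (not real audit log output). Field names are
# assumed for the illustration; policies can match users, realms, roles, indices.
SAMPLE_EVENTS = [
    {"event_type": "authentication_success", "realm": "__anonymous", "user": "_anonymous"},
    {"event_type": "authentication_success", "realm": "reserved", "user": "elastic"},
    {"event_type": "authentication_success", "realm": "native", "user": "alice"},
    {"event_type": "access_granted", "realm": "__attach", "user": "_xpack"},
    {"event_type": "access_denied", "realm": "ldap1", "user": "bob"},
]

# Policy field name -> event field name (assumed mapping).
FIELD_MAP = {"users": "user", "realms": "realm", "roles": "roles", "indices": "indices"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, values):
    # A policy field matches when any of its patterns matches any event value.
    return any(fnmatch.fnmatchcase(v, p) for v in values for p in patterns)


def is_ignored(event, ignore_filters):
    """Documented rule: an event is ignored when it matches *all* fields declared
    by *any* policy; a field the policy omits is not checked. A declared field
    that is absent from the event cannot match, so the policy does not apply."""
    for policy in ignore_filters.values():
        if policy and all(
            _matches(patterns, _as_list(event.get(FIELD_MAP[field], [])))
            for field, patterns in policy.items()
        ):
            return True
    return False


def filter_events(events, ignore_filters):
    """Return the events that would survive the ignore policies."""
    return [e for e in events if not is_ignored(e, ignore_filters)]
```

With the policy from the post, only the native and ldap1 events survive; a policy declaring both realms and users drops an event only when both match.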