Audit Log Exclude by Origin / Principal

I'm setting up audit log configurations, and I'm wondering if it's possible to not log events based on the contents. Here's an example of a log I'm trying to prevent:

[2018-01-24T10:42:37,950] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[indices:admin/template/put], indices=[.monitoring-logstash-2*], request=[PutIndexTemplateRequest]

I don't want the logs to record when the principal is elastic, or the origin_address is 127.0.0.1. Is it possible to configure the audit logs this way, or does anyone have a clever work around?

I have a same problem, trying to apply filter in my logs but I don't now why elasticsearch run without using configuration.
in my elastic configuration I active:
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.events.emit_request_body: true
--------------------------------------------------------------------------------------------

and in my I trying lot of stuff and nothing change in my logs
x-pack/log4j2.properties:
--------------------------------------------------------------------------------------------
# MY RULES
appender.audit_rolling.filter.regex.type = RegexFilter
appender.audit_rolling.filter.regex.onMatch = DENY
#appender.audit_rolling.filter.regex.regex = .principal=._xpack_security.
appender.audit_rolling.filter.regex.regex = .principal=[_xpack_security].
appender.audit_rolling.filter.regex.onMisMatch = ACCEPT
--------------------------------------------------------------------------------------------

That Regular Expression doesn't match what you're expecting it to.
[ and ] have special meaning in a regular expression - you'll need to escape them in the properties file.

I found this thread: Kibana automatic activity is flooding audit log

I haven't been able to get any of the combinations in that thread to work for me. I've tried things like:

.*elastic*.*, .*principal=.elastic.,.*, .principal=\[elastic\]., .principal=\\[elastic\\]., .*principal=\[elastic\].*

Any suggestions, or do you see what I'm missing?

Thank you TimV for your reply,

(\ desapeared when I saved my comment I need to put \\ and \* !)

Yes it's true, in reality the correct line I put was:
appender.audit_rolling.filter.regex.regex = .principal=\[_xpack_security\].
This would be remove all the line in the log file with " principal=[_xpack_security]" expresion

I tried to last week:
#appender.audit_rolling.filter.regex.regex = .*principal=.kibana...action=.cluster:monitor.*|.*action=.cluster:admin.*|.*indices=..kibana.,.*|.*indices=..*.,.*

Didn't work to.

I don't now whats wrong with my filters or config...

With a log of trial and error I think I've gotten it figured out. I could have sword I tried this combination last night, but it seems to be working now so I must have messed something up if I did:

appender.audit_rolling.filter.regex.type = RegexFilter
appender.audit_rolling.filter.regex.onMatch = DENY
appender.audit_rolling.filter.regex.regex = .*principal=.elastic.*|.*principal=._xpack_security.*
appender.audit_rolling.filter.regex.onMisMatch = ACCEPT

This works for me on elastic 5.6.1. I found that if you include a space between around the | it will cause the patterns to not match correctly, which is probably what I was messing up.

I will trying right now!

Nice!!

Work perfectly.
Good work Colin for find the error in the expression!!!
(y) (y) (y)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.