Audit Log Exclude by Origin / Principal

I'm setting up audit log configurations, and I'm wondering if it's possible to not log events based on the contents. Here's an example of a log I'm trying to prevent:

[2018-01-24T10:42:37,950] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[indices:admin/template/put], indices=[.monitoring-logstash-2*], request=[PutIndexTemplateRequest]

I don't want the logs to record when the principal is elastic, or the origin_address is 127.0.0.1. Is it possible to configure the audit logs this way, or does anyone have a clever work around?

I have the same problem, trying to apply a filter to my logs, but I don't know why elasticsearch runs without using the configuration.
In my elastic configuration I activated:
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.events.emit_request_body: true
--------------------------------------------------------------------------------------------

and in my x-pack/log4j2.properties I'm trying lots of stuff, and nothing changes in my logs:
x-pack/log4j2.properties:
--------------------------------------------------------------------------------------------
# MY RULES
appender.audit_rolling.filter.regex.type = RegexFilter
appender.audit_rolling.filter.regex.onMatch = DENY
#appender.audit_rolling.filter.regex.regex = .principal=._xpack_security.
appender.audit_rolling.filter.regex.regex = .principal=[_xpack_security].
appender.audit_rolling.filter.regex.onMisMatch = ACCEPT
--------------------------------------------------------------------------------------------

That Regular Expression doesn't match what you're expecting it to.
[ and ] have special meaning in a regular expression - you'll need to escape them in the properties file.

I found this thread: Kibana automatic activity is flooding audit log

I haven't been able to get any of the combinations in that thread to work for me. I've tried things like:

.*elastic*.*, .*principal=.elastic.,.*, .principal=\[elastic\]., .principal=\\[elastic\\]., .*principal=\[elastic\].*

Any suggestions, or do you see what I'm missing?

Thank you TimV for your reply,

(\ disappeared when I saved my comment, I need to put \\ and \* !)

Yes, it's true; in reality the correct line I put was:
appender.audit_rolling.filter.regex.regex = .principal=\[_xpack_security\].
This would remove all the lines in the log file with the " principal=[_xpack_security]" expression.

I tried this last week:
#appender.audit_rolling.filter.regex.regex = .*principal=.kibana...action=.cluster:monitor.*|.*action=.cluster:admin.*|.*indices=..kibana.,.*|.*indices=..*.,.*

Didn't work either.

I don't know what's wrong with my filters or config...

With a lot of trial and error I think I've gotten it figured out. I could have sworn I tried this combination last night, but it seems to be working now, so I must have messed something up if I did:

appender.audit_rolling.filter.regex.type = RegexFilter
appender.audit_rolling.filter.regex.onMatch = DENY
appender.audit_rolling.filter.regex.regex = .*principal=.elastic.*|.*principal=._xpack_security.*
appender.audit_rolling.filter.regex.onMisMatch = ACCEPT

This works for me on elastic 5.6.1. I found that if you include a space around the | it will cause the patterns to not match correctly, which is probably what I was messing up.

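To see why several patterns in this thread match nothing while the working one matches more than intended, here is an added Python example (not code from the thread or from Elastic) that models log4j2's RegexFilter as a whole-line match applied after Java properties-file backslash unescaping, run over constructed audit lines; the whole-line semantics and the simplified unescaper are assumptions.

```python
import re

# Constructed sample audit lines in the format quoted in the thread.
SAMPLE_LINES = [
    "[2018-01-24T10:42:37,950] [transport] [access_granted] origin_type=[rest], "
    "origin_address=[127.0.0.1], principal=[elastic], action=[indices:admin/template/put], "
    "indices=[.monitoring-logstash-2*], request=[PutIndexTemplateRequest]",
    "[2018-01-24T10:42:38,001] [transport] [access_granted] origin_type=[rest], "
    "origin_address=[10.0.0.5], principal=[_xpack_security], action=[cluster:monitor/health], "
    "request=[ClusterHealthRequest]",
    "[2018-01-24T10:42:39,120] [transport] [access_granted] origin_type=[rest], "
    "origin_address=[10.0.0.7], principal=[elastic_admin], action=[indices:admin/delete], "
    "indices=[customer-data], request=[DeleteIndexRequest]",
    "[2018-01-24T10:42:40,300] [transport] [access_denied] origin_type=[rest], "
    "origin_address=[10.0.0.9], principal=[analyst], action=[indices:data/read/search], "
    "indices=[customer-data], request=[SearchRequest]",
]


def unescape_properties_value(raw: str) -> str:
    """Simplified Java Properties unescaping (assumption): a backslash is consumed,
    so '\\\\' becomes '\\' and '\\[' becomes '[' before the regex engine sees it."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def kept_lines(properties_regex: str, lines=SAMPLE_LINES):
    """Lines RegexFilter would ACCEPT for onMatch=DENY / onMismatch=ACCEPT.
    Assumes the filter matches the whole event string (fullmatch), which is why
    a pattern without leading and trailing .* never denies anything."""
    pattern = re.compile(unescape_properties_value(properties_regex))
    return [ln for ln in lines if pattern.fullmatch(ln) is None]


def demo():
    # The thread's working pattern: '.' around 'elastic' also swallows
    # principal=[elastic_admin], so a privileged delete disappears from the audit.
    loose = r".*principal=.elastic.*|.*principal=._xpack_security.*"
    # Tightened form: double backslash survives properties unescaping as '\[',
    # so only the two exact principals are excluded.
    tight = r".*principal=\\[(elastic|_xpack_security)\\].*"
    return len(kept_lines(loose)), len(kept_lines(tight))
```

The same harness shows that `.principal=\[elastic\].` keeps every line (the backslashes are eaten and there is no `.*`), and that spaces around `|` keep every line because each alternative then demands a leading or trailing space.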

I will try it right now!

Nice!!

Works perfectly.
Good work Colin for finding the error in the expression!!!
(y) (y) (y)
