I'm setting up audit log configurations, and I'm wondering if it's possible to not log events based on the contents. Here's an example of a log I'm trying to prevent:
[2018-01-24T10:42:37,950] [transport] [access_granted] origin_type=[rest], origin_address=[127.0.0.1], principal=[elastic], action=[indices:admin/template/put], indices=[.monitoring-logstash-2*], request=[PutIndexTemplateRequest]
I don't want the logs to record when the principal is elastic, or the origin_address is 127.0.0.1. Is it possible to configure the audit logs this way, or does anyone have a clever workaround?