Audit log flexability

Elastic Stack Elasticsearch
1

Hello All,
Currently I'm using the audit log in x-pack but I have to suppress all of the access_granted/authentication_success events because they are way to noisy. Is there a way or a future plan for giving some flexibility around this? For instance can I just log authentication_success for the ldap realm and not the native? I'm trying to get a dataset here that lets me know what users have logged in and don't need the millions of events for Filebeat, Kibana, ES and every other service that create over 4k of events per second.

  security:
    enabled: true
    audit:
      enabled: true
      outputs: [ index ]
      index:
        events:
          exclude: [ access_granted, connection_granted, realm_authentication_failed ]
2

There are future plans to allow this, yes. Not sure of the ETA though.

3

Ok, cool. Is there anything I could follow? I couldn't find a feature request or anything.

4

The X-Pack code and repo is not public sorry.

5

I'm afraid you'll have to just keep an eye on the release notes.

We're actively working on improvements to audit log filtering, so it should come out in an upcoming minor release (6.x.0, for some value of x).

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.