Audit log flexability

djtecha · January 17, 2018, 9:39pm

Hello All,
Currently I'm using the audit log in x-pack but I have to suppress all of the access_granted/authentication_success events because they are way to noisy. Is there a way or a future plan for giving some flexibility around this? For instance can I just log authentication_success for the ldap realm and not the native? I'm trying to get a dataset here that lets me know what users have logged in and don't need the millions of events for Filebeat, Kibana, ES and every other service that create over 4k of events per second.

  security:
    enabled: true
    audit:
      enabled: true
      outputs: [ index ]
      index:
        events:
          exclude: [ access_granted, connection_granted, realm_authentication_failed ]

warkolm · January 17, 2018, 9:45pm

There are future plans to allow this, yes. Not sure of the ETA though.

djtecha · January 17, 2018, 10:15pm

Ok, cool. Is there anything I could follow? I couldn't find a feature request or anything.

warkolm · January 17, 2018, 10:26pm

The X-Pack code and repo is not public sorry.

TimV · January 17, 2018, 11:30pm

I'm afraid you'll have to just keep an eye on the release notes.

We're actively working on improvements to audit log filtering, so it should come out in an upcoming minor release (6.x.0, for some value of x).

system · February 14, 2018, 11:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.