We have an ECE 1.1 installation that’s been running for a while, and we’d like to know which clusters are still being used. We don’t have access to most of the clusters, so we need a way to do this through ECE for all clusters. Based on our reading of the documentation, this seems to be possible by setting xpack.security.audit.enabled to true on each cluster. We’d like to ask for clarification on a few points:
- We were able to get the logs in the security index (we know this has been deprecated) but we can’t find them on the filesystem of the given container. Is there some ECE setting that’s overwriting the security audit settings?
- It looks like there are a lot of internal events being captured. We’re interested in external users. Can we use the security audit logging to capture external user activity? Should we be able to generate logs for incoming REST requests, and do we need to update the logger level setting?
- Is there a way to filter out (either through the yml or Kibana) inter-cluster requests so we can just see the logs generated by outside traffic? We’ve been looking at different events and making requests via Postman to the security index itself and it seems like multiple events are generated in between requests, but we can’t be sure.
- We’re looking specifically at connection_granted and authentication_success. Connection_granted doesn’t seem to log any new requests while authentication_success seems to log multiple but we don’t know how to determine if the actual request is being logged.