Audit logging in Elastic Cloud

I have two questions I was hoping someone could answer.

Question 1: I am using an Elastic Cloud deployment running ES 7.17.5. I know how to enable audit logging and ship those logs to my monitoring deployment. I noticed, however, that this does not use the fully ECS-compatible fields. If I was on a standalone cluster I would add an xpack.security.audit.appender to the config, but cloud does not seem to allow this option. How can I enable this in cloud?

Question 2: I have two wholly separate cloud instances, one for monitoring and one that is the production environment. These are NOT under the same cloud account. I would like to ship the production environment cluster's logs and metrics to my monitoring environment. Is this possible?

@Larry_Gregory could we please get some help here?

Thanks,
Bhavya

@lreger For Question 1, it's not the most straightforward, but the docs mention:

xpack.security.audit.appender.type
When set to "rolling-file" and xpack.security.audit.enabled is set to true, Kibana ECS audit logs are enabled. Beginning with version 8.0, this setting is no longer necessary for ECS audit log output; it’s only necessary to set xpack.security.audit.enabled to true.

You stated:

If I was on a standalone cluster I would add an xpack.security.audit.appender to the config, but cloud does not seem to allow this option. How can I enable this in cloud?

Did you get an error message when attempting to configure xpack.security.audit.appender.type?

For Question 2: I don't believe this is supported at this time.