AuditLog index filtering problem

Hi. We are using the Elastic Stack v6.5.3.

Our requirement is to record audit events originating exclusively from two index patterns:

  • aaa-*
  • bbb-*

Here is a fragment of our configuration in elasticsearch.yml:

    true
    [ logfile ]
    ["reserved", "__anonymous", "__attach"]
    ["~(aaa|bbb)-*"]
    ["beat"]
    false

  • We have tried to achieve our goal by creating a Lucene regexp with a negation, but this seems to be ignored. Can you point us to a correct solution?
  • Will it be possible to include the request body, assuming the per-index filtering is active?

Hi @mmisztal1980 ,

  • You need to enclose the regexp in / ... /.
  • You are missing a . because * will match the preceding shortest pattern zero or more times, and you need to tell it what the preceding shortest pattern it needs to match is (in your case any character, i.e. .): ["/~(aaa|bbb)-.*/"]
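
Added example (editor's code, not part of the thread or of Elasticsearch): a small Python emulation of how a Lucene regexp in an audit ignore filter for indices classifies index names, so the three candidate filter values can be checked offline. The emulation assumes Lucene's RegExp grammar, where ~ is a unary complement operator that binds only to the single following group, and where a value wrapped in / ... / is a regexp while any other value is taken here as a literal index name. Python's re has no complement operator, so "(~X)Y" is emulated by trying every split of the name into head + tail with head not matching X and tail matching Y. The filter lists and index names are constructed for the demo.

```python
"""
Emulate the 'indices' ignore filter of the Elasticsearch audit log for
filter values that use Lucene's complement operator '~'.

Assumption (Lucene RegExp grammar): '~' complements only the single
following group, so '~(aaa|bbb)-.*' means  (NOT {aaa,bbb})  then '-'  then
anything.  A name matches if it can be split head + tail such that head is
NOT in the complemented language and tail matches the rest of the pattern.
"""
import re


def split_filter(value):
    """Split a filter value '/~(X)Y/' into (X, Y).

    Only regexp values that start with a '~(' group are handled, which is
    enough for the three filters discussed in the thread.
    """
    if not (value.startswith("/") and value.endswith("/")):
        raise ValueError("not a regexp filter value: %r" % value)
    body = value[1:-1]
    if not body.startswith("~("):
        raise ValueError("demo only handles a leading '~(' group: %r" % body)
    depth = 0
    for i, ch in enumerate(body[1:], start=1):  # find the group's closing ')'
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return body[1:i + 1], body[i + 1:]
    raise ValueError("unbalanced parentheses in %r" % body)


def lucene_complement_match(name, negated, rest):
    """True if name matches (~negated)(rest) under Lucene semantics."""
    for i in range(len(name) + 1):
        head, tail = name[:i], name[i:]
        if re.fullmatch(negated, head) is None and re.fullmatch(rest, tail):
            return True
    return False


def is_ignored(name, filters):
    """Apply an ignore filter list: /regexp/ entries or exact literal names."""
    for f in filters:
        if f.startswith("/") and f.endswith("/"):
            negated, rest = split_filter(f)
            if lucene_complement_match(name, negated, rest):
                return True
        elif f == name:  # assumption: non-regexp values are exact names here
            return True
    return False


# Constructed filter lists: the original post, the answer, and a fully
# parenthesised variant in which '~' applies to the whole expression.
ORIGINAL = ["/~(aaa|bbb)-*/"]
ANSWER = ["/~(aaa|bbb)-.*/"]
WHOLE = ["/~((aaa|bbb)-.*)/"]


def classify(filters, names=("aaa-2019.12.25", "ccc-2019.12.25",
                             "aaa-2019-12", ".kibana")):
    """Return {index name: True if the filter ignores it} for a filter list."""
    return {n: is_ignored(n, filters) for n in names}


if __name__ == "__main__":
    for label, filters in (("original", ORIGINAL), ("answer", ANSWER),
                           ("whole", WHOLE)):
        print(label, classify(filters))
```

Running it shows the effect of the two fixes named in the answer: with the original value "-*" matches the empty string, so any name whose head is not exactly aaa or bbb (including aaa-2019.12.25 itself) is ignored; with "-.*" the aaa-* and bbb-* names are audited and ccc-* names are ignored. It also shows the consequence of ~ binding only to the group: a name with a second hyphen, such as aaa-2019-12, can be split as aaa-2019 + -12, so the answer's filter ignores it, and a name without any hyphen, such as .kibana, is never ignored. Writing the complement around the whole expression, ~((aaa|bbb)-.*), ignores exactly the names that are not aaa-* or bbb-*.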

