AuditLog index filtering problem

Hi. We are using the Elastic Stack v6.5.3.

Our requirement is to record only audit events originating from two index patterns:

  • aaa-*
  • bbb-*

Here is a fragment of our configuration in elasticsearch.yml

xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ logfile ]
xpack.security.audit.logfile.events.ignore_filters.name.realms: ["reserved", "__anonymous", "__attach"]
xpack.security.audit.logfile.events.ignore_filters.name.indices: ["~(aaa|bbb)-*"]
xpack.security.audit.logfile.events.ignore_filters.name.users: ["beat"]
xpack.security.audit.logfile.events.emit_request_body: false

  • We have tried to achieve our goal by creating a Lucene regexp with a negation, but this seems to be ignored. Can you point us to a correct solution?
  • Will it be possible to include the request body, assuming the per-index filtering is active?

Hi @mmisztal1980 ,

  • You need to wrap the regexp in "/".
  • You are missing a "." because "*" will match the preceding shortest pattern zero or more times, and you need to tell it what the preceding shortest pattern to match is (in your case any character, i.e. ".").

xpack.security.audit.logfile.events.ignore_filters.name.indices: ["/~(aaa|bbb)-.*/"]
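To check what each candidate value actually ignores, here is an added Python emulation (not code from the thread, Elasticsearch or Lucene) of the indices predicate for the one regexp shape used above. It assumes the documented Lucene rule that "~" negates only the shortest pattern following it, that a value without the "/" delimiters is treated as a wildcard, and it uses constructed index names.

```python
import re

def _lucene_match(regexp: str, text: str) -> bool:
    """Anchored match for the one Lucene regexp shape in this thread, ~(GROUP)REST.
    Lucene's ~ negates only the shortest pattern that follows it (here the
    parenthesised GROUP), so the whole name matches when it splits into a prefix
    that is NOT a full match of GROUP followed by a suffix that IS a full match
    of REST. GROUP and REST use only syntax that Python's re shares with Lucene."""
    if not regexp.startswith("~("):
        raise ValueError("only ~(GROUP)REST is emulated here")
    depth, end = 0, None
    for i, ch in enumerate(regexp):
        depth += (ch == "(") - (ch == ")")
        if ch == ")" and depth == 0:
            end = i
            break
    if end is None:
        raise ValueError("unbalanced parentheses in regexp")
    group, rest = re.compile(regexp[2:end]), re.compile(regexp[end + 1:])
    return any(group.fullmatch(text[:cut]) is None and rest.fullmatch(text[cut:])
               for cut in range(len(text) + 1))

def _wildcard_match(wildcard: str, text: str) -> bool:
    """A value not wrapped in / is a wildcard, not a regexp: only * and ? are
    special, so ~ ( | ) are literal characters and the original filter never fires."""
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in wildcard)
    return re.fullmatch(pattern, text) is not None

def index_value_matches(value: str, index: str) -> bool:
    """Apply one entry of ignore_filters.<policy>.indices to one index name."""
    if len(value) >= 2 and value[0] == value[-1] == "/":
        return _lucene_match(value[1:-1], index)
    return _wildcard_match(value, index)

# Constructed sample index names (not from the thread): single dash, multiple
# dashes, no dash, and an index outside the aaa-*/bbb-* scope.
SAMPLE_INDICES = ["aaa-logs", "bbb-2019.01.01", "aaa-2019-01-01", "ccc-logs", "aaa"]

def still_audited(value: str, indices=SAMPLE_INDICES) -> list:
    """Names whose (single-index) events still reach the audit log: the indices
    predicate ignores an event only when every index in it matches the value."""
    return [i for i in indices if not index_value_matches(value, i)]

if __name__ == "__main__":
    for value in ["~(aaa|bbb)-*", "/~(aaa|bbb)-*/", "/~(aaa|bbb)-.*/", "/~((aaa|bbb)-.*)/"]:
        print(f"{value:22} -> audited: {still_audited(value)}")
```

With the reply's value a multi-dash name such as aaa-2019-01-01 drops out of the audit log, because the negation covers only (aaa|bbb) and the trailing -.* may start at any later dash. Negating the whole expression, /~((aaa|bbb)-.*)/, keeps exactly the aaa-* and bbb-* names in the log.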
