Hi. We are using the Elastic Stack v6.5.3.
Our requirements are to only record audit events originating from two index patterns exclusively:
- aaa-*
- bbb-*
Here is a fragment of our configuration in elasticsearch.yml:
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ logfile ]
xpack.security.audit.logfile.events.ignore_filters.name.realms: ["reserved", "__anonymous", "__attach"]
xpack.security.audit.logfile.events.ignore_filters.name.indices: ["~(aaa|bbb)-*"]
xpack.security.audit.logfile.events.ignore_filters.name.users: ["beat"]
xpack.security.audit.logfile.events.emit_request_body: false
- We have tried to achieve our goal by creating a Lucene regexp with a negation, but this seems to be ignored. Can you point us to a correct solution?
- Will it be possible to include the request body, assuming the per-index filtering is active?
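Whatever filter is finally configured, the cheapest way to confirm it does what the requirement says is to scan the audit log file itself and flag every recorded event that touches an index outside aaa-* and bbb-*. The following checker is an added example, not part of the original post or of Elasticsearch; it assumes the JSON audit-log shape with an `indices` array and `user.name` / `user.realm` fields, and the sample lines are constructed.

```python
import json
from fnmatch import fnmatchcase

# Index patterns the audit log is supposed to be restricted to (from the post).
ALLOWED_INDEX_PATTERNS = ("aaa-*", "bbb-*")

# Constructed sample audit-log lines; the field names are an assumption about
# the JSON audit output, adjust them to match the real file.
SAMPLE_AUDIT_LOG = """\
{"event.action":"access_granted","user.name":"alice","user.realm":"native","indices":["aaa-2019.01"]}
{"event.action":"access_granted","user.name":"bob","user.realm":"native","indices":["ccc-logs","bbb-data"]}
{"event.action":"authentication_success","user.name":"alice","user.realm":"native"}
{"event.action":"access_denied","user.name":"beat","user.realm":"native","indices":["zzz-secret"]}
"""


def index_allowed(name):
    """True if an index name matches one of the allowed wildcard patterns."""
    return any(fnmatchcase(name, pat) for pat in ALLOWED_INDEX_PATTERNS)


def audit_events(text):
    """Yield one parsed event per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def check_audit_log(text):
    """Classify every recorded event and return a summary report.

    'ok'         : all indices of the event are within aaa-*/bbb-*
    'no_indices' : event carries no index at all (e.g. authentication events),
                   so an index-based ignore filter cannot act on it
    'unexpected' : at least one index is outside the allowed patterns; a request
                   that mixes allowed and other indices is flagged too, because
                   a per-index ignore filter does not split such an event
    """
    report = {"ok": 0, "no_indices": 0, "unexpected": 0, "unexpected_indices": []}
    for ev in audit_events(text):
        indices = ev.get("indices")
        if not indices:
            report["no_indices"] += 1
            continue
        bad = [i for i in indices if not index_allowed(i)]
        if bad:
            report["unexpected"] += 1
            report["unexpected_indices"].extend(bad)
        else:
            report["ok"] += 1
    return report


if __name__ == "__main__":
    print(json.dumps(check_audit_log(SAMPLE_AUDIT_LOG), indent=2))
```

Run it against the real `*_audit.json` file instead of the constructed text to see which events slipped past the filter; a non-zero `no_indices` count shows how many events the index-based policy can never suppress on its own.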