AuditLog index filtering problem

mmisztal1980 · January 3, 2019, 5:15pm

Hi. We are using the ElasticStack v 6.5.3 .

Our requirements are to only record audit events originating from 2x index patterns exclusively:

aaa-*
bbb-*

Here is a fragment of our configuration in elasticsearch.yml

xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ logfile ]
xpack.security.audit.logfile.events.ignore_filters.name.realms: ["reserved", "__anonymous", "__attach"]
xpack.security.audit.logfile.events.ignore_filters.name.indices: ["~(aaa|bbb)-*"]
xpack.security.audit.logfile.events.ignore_filters.name.users: ["beat"]
xpack.security.audit.logfile.events.emit_request_body: false

We have tried to achieve our goal by creating a lucene regexp with a negation but this seems to be ignored. Can you point us to a correct solution?
Will it be possible to include the request body, assuming the per-index filtering is active?

ikakavas · January 7, 2019, 9:38am

Hi @mmisztal1980 ,

You need to contain the regexp in /
You are missing a . because * will match the preceding shortest pattern zero-or-more times and you need to tell it what is the preceding shortest pattern it needs to match ( in your case any character i.e. .

xpack.security.audit.logfile.events.ignore_filters.name.indices: ["/~(aaa|bbb)-.*/"]

system · February 4, 2019, 9:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
6.4 xpack.security.audit.logfile.events.ignore_filters.*.realms broken? Elasticsearch	9	1159	January 17, 2019
Ignore_filters option for audit index method Elasticsearch	1	434	March 7, 2018
Audit Log Exclude by Origin / Principal Elasticsearch	8	1704	February 22, 2018
Issues with Audit Log Elasticsearch	8	1231	January 4, 2018
How to index Elasticsearch security audit events in 7.0? Elasticsearch	1	312	May 17, 2019

AuditLog index filtering problem

Related topics