Enable audit logging (deployment complains about format)

I am trying to enable logging on an Elastic Cloud deployment. For this I changed the cluster configuration, and my yml looks like this:

This configuration complains that "include" should be of type "text" (" * Elasticsearch - 'xpack.security.audit.logfile.events.include': has to be text").

xpack:
  security:
    audit:
      enabled: true
      logfile:
        events:
          include:
            - "anonymous_access_denied"
            - "authentication_failed"

I've also tried this (same complaint about the text type):

xpack:
  security:
    audit:
      enabled: true
      logfile:
        events:
          include: ["anonymous_access_denied", "authentication_failed"]

I also tried this (the deployment failed):

xpack:
  security:
    audit:
      enabled: true
      logfile:
        events:
          include: "anonymous_access_denied, authentication_failed"

Can you please assist with what would be the correct syntax for adding several event types in the audit log?

The following should work, without quotes:

xpack.security.audit.logfile.events.include: anonymous_access_denied, authentication_failed
