Enabling Kibana audit logs to monitor login/logout activities

Hello team,
We are enabling Kibana audit logs to monitor login/logout activities, but we need only authentication-type logs; events with event.category: database or web need to be dropped.

We have added the config below to kibana.yml and it is working as expected.

xpack.security.audit.enabled: true
xpack.security.audit.ignore_filters: # filter out database and web logs
  - categories: [database, web]

But certain unwanted logs are coming from other sources where event.category: database is present. We are unable to drop these logs, and they are getting ingested into Elasticsearch, taking unnecessary space on our ELK server.

Can you please let us know whether there is any way to drop all the events below.

Can you please help us drop logs from the following log.file.path values:

/app/logs/0c80175b078c444aa4772b5090b91985_server.json
/app/logs/kibana-json.log
/app/logs/gc.output
/app/elastic-agent/data/logs/elastic-agent-20231218.ndjson

We need only the logs below:
We need only logs where event.category: authentication and log.file.path: /app/logs/kibana_audit.json.

Hi,

You can use a drop processor in an ingest pipeline.
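One way to build such a drop processor for the case in the question, as an added example that is not code from this thread: it assumes a pipeline name of kibana-audit-auth-only and that Kibana audit logs write event.category as an array (so the condition accepts a string or a list). The Python functions only build the request bodies and mirror the Painless condition locally, so the filter can be checked on sample events before it is deployed.

```python
import json
KEEP_PATH = "/app/logs/kibana_audit.json"        # the one path to keep, from the question
KEEP_CATEGORY = "authentication"

# Painless condition for the drop processor. Kibana audit logs write event.category
# as an array, so both a string and a list are accepted. Null-safe (?.) access means
# documents lacking the fields are dropped rather than raising a script error.
DROP_IF = f"""
def cat = ctx.event?.category;
boolean isAuth = cat instanceof List ? cat.contains('{KEEP_CATEGORY}') : cat == '{KEEP_CATEGORY}';
return !(isAuth && ctx.log?.file?.path == '{KEEP_PATH}');
"""

PIPELINE = {
    "description": "Keep only Kibana audit authentication events (example)",
    "processors": [{"drop": {"if": DROP_IF.strip()}}],
}

def pipeline_body() -> str:
    """Body for PUT _ingest/pipeline/kibana-audit-auth-only (pipeline name is assumed)."""
    return json.dumps(PIPELINE, indent=2)

def simulate_body(docs: list) -> str:
    """Body for POST _ingest/pipeline/_simulate to verify the filter against a cluster."""
    return json.dumps({"pipeline": PIPELINE, "docs": [{"_source": d} for d in docs]})

def _get(doc, *keys):
    for key in keys:                     # same null-safe walk as ctx.a?.b?.c
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def should_drop(doc: dict) -> bool:
    """Local mirror of DROP_IF so the condition can be checked without a cluster."""
    cat = _get(doc, "event", "category")
    is_auth = KEEP_CATEGORY in cat if isinstance(cat, list) else cat == KEEP_CATEGORY
    return not (is_auth and _get(doc, "log", "file", "path") == KEEP_PATH)

# Constructed sample events using the file paths listed in the thread.
SAMPLES = [
    {"event": {"category": ["authentication"]}, "log": {"file": {"path": KEEP_PATH}}},
    {"event": {"category": "authentication"}, "log": {"file": {"path": KEEP_PATH}}},
    {"event": {"category": ["database"]}, "log": {"file": {"path": KEEP_PATH}}},
    {"event": {"category": "database"}, "log": {"file": {"path": "/app/logs/kibana-json.log"}}},
    {"log": {"file": {"path": "/app/elastic-agent/data/logs/elastic-agent-20231218.ndjson"}}},
    {"message": "gc log line without event or log.file fields"},
]

def surviving(docs: list) -> list:
    return [d for d in docs if not should_drop(d)]
```

Run the simulate body through the _simulate API first; the local mirror only checks the logic, and the pipeline still has to be attached to the source (for example via Filebeat's pipeline setting or a pipeline processor in the existing module pipeline).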

Hi @yago82,
Thanks for your response. I am able to drop events from the files below.

filebeat-8.11.1-elasticsearch-gc-pipeline
ctx.log.file.path.contains('/app/logs/gc.output')
/app/logs/gc.output

filebeat-8.11.1-kibana-log-pipeline-ecs
ctx.log.file.path.contains('/app/logs/kibana-json.log')
/app/logs/kibana-json.log

filebeat-8.11.1-elasticsearch-audit-pipeline-json
ctx.log.file.path.contains('server') || ctx.log.file.path.contains('/app/elastic-agent/data/logs')
/app/logs/0c80175b078c444aa4772b5090b91985_server.json

But I am not able to find out which ingest pipeline the file below is using.

/app/elastic-agent/data/logs/elastic-agent-20231225.ndjson

Can you please help me identify the default ingest pipeline name for the file location above?
