How to index Elasticsearch security audit events in 7.0?

(Matt Vasquez) #1

So I've just recently upgraded to 7.0 from 6.7 and had to take out:
xpack.security.audit.outputs: [index, log]

from the elasticsearch.yml config file due to deprecation in 7.0?

As I understand now security audit event are now logged to a json log file. Whats the proper way to index this? Filebeat? Logstash? I don't understand why they took this feature away.. Broke all my security audit visualizations/dashboards

(system) closed #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.