I was reading about some problems with auditing already in spring and was hoping that it would be fixed by now, but no cigar.
Because we are running Elastic stack as a log management / SIEM system, it is extremely important to secure it properly.
In order to keep an eye on the cluster, I need to be able to get proper audit logs (who is accessing, when, from where, what was requested, etc.).
I am able to enable the audit log, log it into a file and transport the audit index to remote cluster over SSL.
But there are two issues I would like someone to address:
xpack.security.audit.logfile.events.emit_request_body option is really not working, right?
I cannot see the request made, only what type of request it was, and that is really not helping.
The audit log is flooded by cluster maintenance messages and such. Is there a guide on how to stop these messages from ever getting into the audit log, or what would you guys suggest?
These issues have been presented at least in this blog, which is in google’s top results: http://www.idata.co.il/2017/03/securing-elasticsearch-cluster-part-3-auditing/
My cluster is running Elastic stack 5.6.4.
PS. Enabling SSL-secured remote audit indexing was a bit confusing. More documentation about it would be nice. At first I didn't understand that I have to explicitly enable SSL also for the indexing client setting.
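One way to cope with the noise while a server-side filter is unavailable is to post-process the logfile output: keep denials and authentication failures unconditionally and drop routine monitoring actions. The following is an added example, not code from the original post or from Elastic; the sample lines are constructed to resemble the 5.x logfile audit format and the field names and noise prefixes are assumptions to adjust against a real log.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the Elasticsearch 5.x logfile audit
# output: [timestamp] [node] [layer] [event_type] key=[value], ...
# Field order and names are approximate; values are invented for illustration.
SAMPLE_AUDIT_LINES = """\
[2017-11-20T08:00:01,001] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[kibana], action=[cluster:monitor/health], request=[ClusterHealthRequest]
[2017-11-20T08:00:01,002] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[kibana], action=[cluster:monitor/nodes/info], request=[NodesInfoRequest]
[2017-11-20T08:00:02,010] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.9], principal=[elastic], action=[indices:admin/delete], indices=[logstash-2017.11.19], request=[DeleteIndexRequest]
[2017-11-20T08:00:03,020] [node-1] [transport] [access_denied] origin_type=[rest], origin_address=[10.0.0.22], principal=[reader], action=[indices:data/write/bulk], indices=[audit-2017.11.20], request=[BulkRequest]
[2017-11-20T08:00:04,030] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.22], principal=[admin], uri=[/_cluster/settings]
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<node>[^\]]+)\] \[(?P<layer>[^\]]+)\] \[(?P<event>[^\]]+)\] ?(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=\[([^\]]*)\]")

# Assumed action prefixes for routine housekeeping (health checks, stats, internal
# node-to-node traffic). Tune this list against what actually floods your log.
NOISE_ACTION_PREFIXES = ("cluster:monitor/", "indices:monitor/", "internal:")
ALWAYS_KEEP_EVENTS = {"access_denied", "authentication_failed", "tampered_request", "run_as_denied"}

def parse_line(line):
    """Split one audit line into a dict of header fields plus key=[value] pairs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "node", "layer", "event")}
    rec.update(FIELD_RE.findall(m.group("rest")))
    return rec

def is_noise(rec):
    """Security-relevant events are never noise; otherwise judge by the action prefix."""
    if rec["event"] in ALWAYS_KEEP_EVENTS:
        return False
    return rec.get("action", "").startswith(NOISE_ACTION_PREFIXES)

def filter_audit(text):
    """Return parsed records for the lines worth keeping, in file order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r and not is_noise(r)]

def summarize(records):
    """Count kept events by (event type, principal, action or URI) for a quick review."""
    return Counter((r["event"], r.get("principal", "?"), r.get("action", r.get("uri", "?")))
                   for r in records)
```

Run `summarize(filter_audit(open("/path/to/elasticsearch_access.log").read()))` against a real audit file after adjusting the regexes to the exact line layout your node emits.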