We are trying to single out user actions, which contain update, create or delete actions under audit_logs. Our Unix administration is trying to catch these logs and produce mail alerts, but since we have rules in Kibana tracking log amounts, our audit logs are filled with requests sent to all indices and they overwhelm the audit logs.
I checked a couple of them; the actions include "indices:data/read/search[can_match]" or request.name:"FieldCapabilitiesIndexRequest". I read that filtering actions is a possibility under audit logging. What is the simplest way of not including these types of actions in the audit logs?
We cannot exclude the access_granted event.action, since we need those to actually audit our own actions.
: A list of action names or wildcards. Action name can be found in the action field of the audit event. The specified policy will not print audit events for actions matching these values.
I've also seen that configuration, but from my perspective that is referring to event.action, not the action inside the emitted JSON body of the log. I do not have a Gold license on my test environment, so I cannot test it out, unfortunately. And I do not want to do a full cluster restart of the production env. to test this.
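To make the distinction concrete without a licensed cluster, here is an added example (not code from this thread or from Elasticsearch) that simulates what the `actions` entry of an audit ignore policy does, using the rule quoted above: the pattern list is compared against the `action` field of each audit event, not against `event.action`. The sample log lines are constructed with a reduced field set, the policy name `noisy_reads` and the field-caps action name `indices:data/read/field_caps[index]` are assumptions, and the matching (plain `*` wildcards, a policy fires only when every criterion it lists matches, all of an event's indices must match an `indices` criterion) is a simplified model of the documented behaviour. One caveat it makes visible: an action pattern drops matching reads for every event type, so an `access_denied` search disappears along with the granted ones unless the patterns are narrowed.

```python
"""Simulate an Elasticsearch audit ignore policy with an ``actions`` filter.

Added example, not code from the forum thread or from Elasticsearch. The
matching is a simplified model: a policy ignores an event only when every
criterion it specifies matches, and wildcards are plain '*' globs. Field
names follow the JSON audit log layout; the sample events are constructed.
"""
import json
import re

# Constructed audit events (reduced field set, made-up values). The field-caps
# action name is an assumption about what FieldCapabilitiesIndexRequest maps to.
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","event.type":"transport","event.action":"access_granted",'
    '"user.name":"kibana_system","action":"indices:data/read/search[can_match]",'
    '"indices":["logs-2023.01.01"]}',
    '{"type":"audit","event.type":"transport","event.action":"access_granted",'
    '"user.name":"kibana_system","action":"indices:data/read/field_caps[index]",'
    '"request.name":"FieldCapabilitiesIndexRequest","indices":["logs-2023.01.01"]}',
    '{"type":"audit","event.type":"transport","event.action":"access_granted",'
    '"user.name":"alice","action":"indices:data/write/index","indices":["customers"]}',
    '{"type":"audit","event.type":"transport","event.action":"access_granted",'
    '"user.name":"alice","action":"indices:data/write/update","indices":["customers"]}',
    '{"type":"audit","event.type":"transport","event.action":"access_granted",'
    '"user.name":"bob","action":"indices:data/write/delete","indices":["customers"]}',
    '{"type":"audit","event.type":"transport","event.action":"access_denied",'
    '"user.name":"bob","action":"indices:data/read/search","indices":["customers"]}',
]

# Hypothetical ignore policy: one policy named "noisy_reads" whose only
# criterion is an action wildcard covering every read-type index action.
IGNORE_POLICIES = {
    "noisy_reads": {"actions": ["indices:data/read/*"]},
}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a '*'-only wildcard into an anchored regex.

    fnmatch is deliberately not used: action names such as
    'indices:data/read/search[can_match]' contain '[...]', which fnmatch
    would treat as a character class instead of literal text.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matches_any(value: str, patterns) -> bool:
    """True if the value matches at least one wildcard pattern."""
    return any(wildcard_to_regex(p).match(value) for p in patterns)


def policy_ignores(event: dict, policy: dict) -> bool:
    """A policy ignores an event only if every criterion it lists matches.

    Only the criteria modelled here are supported; 'actions' and 'users'
    compare one value, 'indices' requires all of the event's indices to match.
    """
    criteria = {
        "actions": [event.get("action", "")],
        "users": [event.get("user.name", "")],
        "indices": event.get("indices", []),
    }
    for key, patterns in policy.items():
        if key not in criteria:
            raise ValueError(f"unsupported ignore criterion: {key}")
        values = criteria[key]
        if not values or not all(matches_any(v, patterns) for v in values):
            return False
    return True


def filter_audit_lines(lines, policies) -> list:
    """Return the parsed events that survive all ignore policies."""
    kept = []
    for line in lines:
        event = json.loads(line)
        if any(policy_ignores(event, p) for p in policies.values()):
            continue  # dropped: some policy matched every one of its criteria
        kept.append(event)
    return kept


if __name__ == "__main__":
    for ev in filter_audit_lines(SAMPLE_AUDIT_LINES, IGNORE_POLICIES):
        print(ev["event.action"], ev["user.name"], ev["action"])
```

Running it prints only the three write actions, all with event.action access_granted, which is the outcome asked for in the thread; the can_match search, the field-caps request and the denied search are gone. To keep denied reads for investigation, list the specific noisy actions (for example `indices:data/read/search[can_match]` and the field-caps action) instead of the broad `indices:data/read/*` wildcard.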