Kibana rule auditlogs overwhelm audit logs

Hello There,

We are trying to single out user actions, which contain update, create or delete actions under audit_logs. Our Unix administration is trying to catch these logs and produce mail alerts, but since we have rules on Kibana tracking log amounts, our audit logs are filled with requests sent to all indices and they overwhelm the audit logs.

I checked a couple of them; the actions include "indices:data/read/search[can_match]" or request.name:"FieldCapabilitiesIndexRequest". I read that filtering actions is a possibility under audit logging. What is the simplest way of not including these types of actions in the audit logs?

We cannot exclude access_granted event.action since we need those to actually audit our own actions.

Best regards.

@can.ozdemir haven't tried it myself, but see if this helps:

xpack.security.audit.logfile.events.ignore_filters.<policy_name>.actions: A list of action names or wildcards. Action name can be found in the action field of the audit event. The specified policy will not print audit events for actions matching these values.

reference: Auditing security settings | Elasticsearch Guide [7.16] | Elastic

I've also seen that configuration, but from my perspective that is referring to event.action, not the action inside the emitted JSON body of the log. I do not have a Gold license on my test environment, so I cannot test it out, unfortunately. And I do not want to do a full cluster restart of the production environment to test this.
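An added example, not part of the original thread and not Elastic's code: a log-side filter for the mail-alert pipeline that drops events by the `action` field while leaving `event.action` untouched, which keeps the two fields discussed above apart. The sample lines, the user names and the `field_caps*` wildcard are constructed assumptions, and only the `*` wildcard is handled.

```python
import json
import re

# Matched against the "action" field, never against "event.action".
# The first value is quoted in the post; the wildcard is an assumed pattern
# for the field-capabilities requests the post mentions.
IGNORED_ACTIONS = [
    "indices:data/read/search[can_match]",
    "indices:data/read/field_caps*",
]

def compile_patterns(patterns):
    """'*' is the only wildcard; brackets and other characters are literal."""
    return [re.compile(".*".join(re.escape(part) for part in p.split("*")))
            for p in patterns]

def is_ignored(event, compiled):
    """True when the event has an 'action' that fully matches a pattern."""
    action = event.get("action")
    return action is not None and any(rx.fullmatch(action) for rx in compiled)

def filter_audit_lines(lines, patterns=IGNORED_ACTIONS):
    """Return the events to alert on; unparseable lines are kept, not lost."""
    compiled = compile_patterns(patterns)
    kept = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("not a JSON object")
        except ValueError:
            kept.append({"unparsed": line})
            continue
        if not is_ignored(event, compiled):
            kept.append(event)
    return kept

# Constructed sample audit lines (not from a real cluster).
SAMPLE_LINES = [
    '{"event.action":"access_granted","user.name":"alerting_user","action":"indices:data/read/search[can_match]"}',
    '{"event.action":"access_granted","user.name":"alice","action":"indices:data/write/index"}',
    '{"event.action":"access_granted","user.name":"alerting_user","action":"indices:data/read/field_caps[index]","request.name":"FieldCapabilitiesIndexRequest"}',
    '{"event.action":"access_granted","user.name":"alice","action":"indices:admin/delete"}',
    '{"event.action":"authentication_failed","user.name":"bob"}',
]

if __name__ == "__main__":
    for ev in filter_audit_lines(SAMPLE_LINES):
        print(ev.get("user.name"), ev.get("event.action"), ev.get("action"))
```

Events that carry no `action` field, such as the authentication failure in the sample, pass through unchanged, so the filter cannot hide them.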
