Hello,
I would like to avoid messages like the following inside my {cluster_name}_audit.log:
{"@timestamp":"2020-04-01T10:11:54,869", "xxxxxxxxxxxxxxxxxxx"user.name":"kibana", "user.realm":"reserved", "user.roles":["kibana_system"], xxxxxxxxxxxxxxxx}
{"@timestamp":"2020-04-01T10:11:54,869", "xxxxxxxxxxxxxxxxxxx"user.name":"nagios", "user.realm":"reserved", "user.roles":["nagios_role"], xxxxxxxxxxxxxxxx}
{"@timestamp":"2020-04-01T10:11:54,869", "xxxxxxxxxxxxxxxxxxx"user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], xxxxxxxxxxxxxxxx}
Do you know what I have to set inside the log4j.properties to avoid this kind of message? I have tried a number of regex expressions but they do not work for me; the only regex filter that works is the following:
appender.audit_rolling.filter.regex.regex = .*kibana\".*|.*\"nagios\".*|.*\"elastic\".*
but I would like to be more accurate and capture something like this:
appender.audit_rolling.filter.regex.regex = .*user.name\":\"kibana.*|.*user.name\":\"nagios.*|.*user.name\":\"elastic.*
I have tested this with some regex filter calculators and it works, but in Elasticsearch it does not.
Could you help me? The version of my Elasticsearch cluster is 6.8.4.
Thanks for all.
Best Regards
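As an added check (not part of the original post or of Elasticsearch itself), the script below models the two things Log4j 2 does to a `filter.regex.regex` value before it ever sees a log line: `java.util.Properties` drops the backslash in escapes such as `\"`, and `RegexFilter` uses `Matcher.matches()`, so the pattern has to match the whole line. It runs both patterns from the post, plus a tighter alternative (an assumption, not a tested Elasticsearch setting), against constructed audit lines and reports which users each pattern would suppress.

```python
import re

# Constructed sample lines in the shape of the post's audit entries (not real data).
SAMPLE_LINES = [
    '{"@timestamp":"2020-04-01T10:11:54,869", "event.type":"transport", "user.name":"kibana", "user.realm":"reserved", "user.roles":["kibana_system"]}',
    '{"@timestamp":"2020-04-01T10:11:54,869", "event.type":"transport", "user.name":"nagios", "user.realm":"reserved", "user.roles":["nagios_role"]}',
    '{"@timestamp":"2020-04-01T10:11:54,869", "event.type":"transport", "user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"]}',
    '{"@timestamp":"2020-04-01T10:11:55,001", "event.type":"transport", "user.name":"alice", "user.realm":"native", "user.roles":["analyst"]}',
]

# The two values from the post, exactly as they would be written in log4j2.properties.
LOOSE_REGEX_PROPERTY = r'.*kibana\".*|.*\"nagios\".*|.*\"elastic\".*'
POST_REGEX_PROPERTY = r'.*user.name\":\"kibana.*|.*user.name\":\"nagios.*|.*user.name\":\"elastic.*'
# Tighter alternative (assumption): anchor on the literal key and an exact user list.
PRECISE_REGEX_PROPERTY = r'.*"user\.name":"(kibana|nagios|elastic)".*'


def unescape_properties_value(raw: str) -> str:
    """Apply java.util.Properties escaping: a backslash before a character other
    than t, n, r, f or u is dropped, so \\" becomes a plain double quote."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "u":  # \uXXXX escape
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(simple.get(nxt, nxt))  # \" -> ", \\ -> \, \t -> tab, ...
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def filtered_users(regex_property: str, lines):
    """Return the user.name of every line the filter would suppress. RegexFilter
    calls Matcher.matches(), so re.fullmatch is used to mirror whole-line matching."""
    pattern = re.compile(unescape_properties_value(regex_property))
    denied = []
    for line in lines:
        if pattern.fullmatch(line):
            m = re.search(r'"user\.name":"([^"]*)"', line)
            denied.append(m.group(1) if m else None)
    return denied
```

If a pattern suppresses a line here but not on the cluster, the difference is in the deployed file (escaping, a stray space, or the property not being applied), not in the regex itself.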