Log4j regex filter to avoid audit logs


I would like to avoid messages like the followings inside my {cluster_name}_audit.log:

{"@timestamp":"2020-04-01T10:11:54,869", "xxxxxxxxxxxxxxxxxxx"user.name":"kibana", "user.realm":"reserved", "user.roles":["kibana_system"], xxxxxxxxxxxxxxxx}
{"@timestamp":"2020-04-01T10:11:54,869", "xxxxxxxxxxxxxxxxxxx"user.name":"nagios", "user.realm":"reserved", "user.roles":["nagios_role"], xxxxxxxxxxxxxxxx}
{"@timestamp":"2020-04-01T10:11:54,869", "xxxxxxxxxxxxxxxxxxx"user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], xxxxxxxxxxxxxxxx}

Do you know what i have to set inside the log4j.properties to avoid this kind of messages? I have tried with a sum of regex expressions but it is not work for me, the only regex filter that works is the following:

appender.audit_rolling.filter.regex.regex = .*kibana\".*|.*\"nagios\".*|.*\"elastic\".*

but I would like to be more accurate and capture something like this:

appender.audit_rolling.filter.regex.regex = .*user.name\":\"kibana.*|.*user.name\":\"nagios.*|.*user.name\":\"elastic.*
I have test with some regex filter calculator and this works but in elasticsearch does not.

Could you help me? The version of my elasticsearch cluster is 6.8.4

Thanks for all.
Best Regards

Hi there Javier, what you need is audit log exclude policies i.e. something like

    users: ["kibana", "nagios", "elastic"]

Hello Ikakavas,

Yes I know this configuration inside the elasticsearch.yml and via API (cluster settings API) but I would like to know if the regex filters are been deprecated or removed in version 6.x because in version 5.6 it works fine!!!

Do you know if there have been any changes regarding this topic?

Thanks for all.
Best Regards

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.