User name and realm information in audit logs ( user.realm authentication_success


(Ryan Downey) #1

Elasticsearch 6.5.4

I'm trying to fine tune our audit logs a bit and after logging our first audit logs I noticed that they dont provide us with some of the information we'd like. So we have two realms, native and SAML established and working, when I log in via SAML the logs only show "":"_xpack_security", "user.realm":"__attach" which isn't as detailed as we'd like. From what I can tell I need to implement authentication_success: and realm but I'm having some trouble with how exactly thats supposed to be flatened out. Should it be something like: [, realm ]

I can't seem to get the syntax of this straightend out. Appreciate any help. Our current config is below. true [ index, logfile ] true
    number_of_shards: 3
    number_of_replicas: 2

(system) closed #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.