Elasticsearch 6.5.4
Linux
I'm trying to fine-tune our audit logs a bit, and after logging our first audit logs I noticed that they don't provide us with some of the information we'd like. So we have two realms, native and SAML, established and working; when I log in via SAML the logs only show "user.name":"_xpack_security", "user.realm":"__attach", which isn't as detailed as we'd like. From what I can tell I need to implement authentication_success: user.run_by.name and realm, but I'm having some trouble with how exactly that's supposed to be flattened out. Should it be something like:
xpack.security.audit.logfile.events.authentication_success: [ user.run_by.name, realm ]
I can't seem to get the syntax of this straightened out. Appreciate any help. Our current config is below.
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.events.emit_request_body: true
xpack.security.audit.index.settings:
  index:
    number_of_shards: 3
    number_of_replicas: 2