User name and realm information in audit logs (user.name user.realm authentication_success user.run_by.name)

security

(Ryan Downey) #1

Elasticsearch 6.5.4
Linux

I'm trying to fine tune our audit logs a bit and after logging our first audit logs I noticed that they dont provide us with some of the information we'd like. So we have two realms, native and SAML established and working, when I log in via SAML the logs only show "user.name":"_xpack_security", "user.realm":"__attach" which isn't as detailed as we'd like. From what I can tell I need to implement authentication_success: user.run_by.name and realm but I'm having some trouble with how exactly thats supposed to be flatened out. Should it be something like:

xpack.security.audit.logfile.events.authentication_success: [ user.run_by.name, realm ]

I can't seem to get the syntax of this straightend out. Appreciate any help. Our current config is below.

xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.events.emit_request_body: true
xpack.security.audit.index.settings:
  index:
    number_of_shards: 3
    number_of_replicas: 2

(system) closed #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.