Describe the feature:
When we enable X-Pack's Audit Trail as follows:

```yaml
xpack.security.audit:
  enabled: true
  outputs: [index, logfile]
```
What we would like to monitor are mainly two things:
- the login actions
- the actions performed by the real, actual users, instead of also having kibana, logstash and other NPA users.
However, the audit logs are full of entries from the principal kibana and other NPA users. Because there are too many such logs (Kibana does this every few seconds for its health check), they take up a lot of disk space, and more importantly, we cannot get a clear picture of what the real human users have done. You can see how many logs are generated every minute:

For example, in the following case, I only want the logs whose principal is an actual user name, like the one at the bottom of this image. But there are many logs with principals like kibana, _xpack_security, etc.
This missing feature is also described here by Guy Shilo: http://www.idata.co.il/2017/03/securing-elasticsearch-cluster-part-3-auditing/. He provided a temporary solution, which is to configure the log4j.properties file of X-Pack by adding regex filtering. But this is only a temporary solution, and the regex expression we have to define really depends on Elastic's log style. This makes our development process inflexible.
Elasticsearch version: 5.6.2
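As an added illustration of the post-processing workaround discussed in this issue (this is example code written for this page, not part of Elasticsearch or X-Pack, and not the requested feature), the script below reads logfile-style audit lines, drops events from service principals such as kibana and _xpack_security, and keeps authentication events from any principal, since a failed login by a service account is itself worth seeing. The line shape, the list of service principals, and the sample log lines are all constructed assumptions modelled on the 5.x logfile audit trail; field names may differ in other versions.

```python
import re
from collections import Counter

# Assumed line shape (constructed for this example, modelled on the 5.x
# logfile audit trail):  [timestamp] [layer] [event_type] key=[value], ...
AUDIT_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<layer>[^\]]+)\]\s+\[(?P<event>[^\]]+)\]\s*(?P<fields>.*)$"
)
FIELD = re.compile(r"(?P<key>\w+)=\[(?P<value>[^\]]*)\]")

# Non-person accounts whose routine activity we do not want to see (hypothetical list).
SERVICE_PRINCIPALS = {"kibana", "logstash_system", "_xpack_security", "_system"}

# Login-related event types that are kept regardless of principal.
LOGIN_EVENTS = {"authentication_failed", "realm_authentication_failed"}

# Constructed sample lines (not real cluster output).
SAMPLE_LOG = [
    "[2017-10-11T09:00:01,000] [transport] [access_granted]\torigin_type=[local_node], "
    "origin_address=[127.0.0.1], principal=[kibana], action=[cluster:monitor/health], "
    "request=[ClusterHealthRequest]",
    "[2017-10-11T09:00:02,000] [transport] [access_granted]\torigin_type=[rest], "
    "origin_address=[10.0.0.5], principal=[_xpack_security], action=[indices:data/read/search], "
    "request=[SearchRequest]",
    "[2017-10-11T09:00:03,000] [rest] [authentication_failed]\torigin_address=[10.0.0.9], "
    "principal=[alice], uri=[/_search]",
    "[2017-10-11T09:00:04,000] [transport] [access_granted]\torigin_type=[rest], "
    "origin_address=[10.0.0.9], principal=[alice], action=[indices:data/read/search], "
    "request=[SearchRequest]",
    "[2017-10-11T09:00:05,000] [rest] [authentication_failed]\torigin_address=[10.0.0.7], "
    "principal=[kibana], uri=[/api/status]",
    "[2017-10-11T09:00:06,000] [transport] [access_denied]\torigin_type=[rest], "
    "origin_address=[10.0.0.9], principal=[bob], action=[cluster:admin/settings/update], "
    "request=[ClusterUpdateSettingsRequest]",
]


def parse_audit_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = AUDIT_LINE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "layer": m.group("layer"), "event": m.group("event")}
    for f in FIELD.finditer(m.group("fields")):
        rec[f.group("key")] = f.group("value")
    return rec


def is_interesting(rec):
    """Keep login events from anyone, and any event from a non-service principal."""
    if rec["event"] in LOGIN_EVENTS:
        return True
    principal = rec.get("principal", "")
    return principal != "" and principal not in SERVICE_PRINCIPALS


def filter_audit(lines):
    """Yield parsed records that survive the principal filter."""
    for line in lines:
        rec = parse_audit_line(line)
        if rec is not None and is_interesting(rec):
            yield rec


def summarize(records):
    """Count surviving events per principal; handy for a quick 'who did what' view."""
    return dict(Counter(rec.get("principal", "<none>") for rec in records))


if __name__ == "__main__":
    kept = list(filter_audit(SAMPLE_LOG))
    for rec in kept:
        print(rec["timestamp"], rec["event"], rec.get("principal"), rec.get("action", rec.get("uri")))
    print(summarize(kept))
```

On the constructed sample, the two routine health-check and internal-search entries from kibana and _xpack_security are dropped, while alice's and bob's activity and the failed kibana login are kept. Like the log4j regex approach, this still depends on the audit line format, which is exactly why a first-class filter on principal in the audit trail configuration would be preferable.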