Describe the feature:
When we enable X-Pack's Audit Trail as follows:

```yaml
xpack.security.audit:
  enabled: true
  outputs: [index, logfile]
```
What we would like to monitor are mainly two things:
- the login actions
- the actions performed by the real, actual users, instead of also having `kibana`, `logstash` and other NPA users.
However, the audit logs are full of entries from the principal `kibana` and other NPA users. Because there are too many such logs (Kibana is basically doing this every few seconds for its healthcheck), they take up lots of disk space and, more importantly, we cannot get a clear picture of what the real human users have done. You can see how many logs are generated every minute:
For example, in the following case, I only want the logs whose principal is an actual user name, like the one at the bottom of this image. But there are many logs with principals like `kibana`, `_xpack_security`, etc.
This missing feature is also described here by Guy Shilo: http://www.idata.co.il/2017/03/securing-elasticsearch-cluster-part-3-auditing/. He provided a temporary solution, which is to configure the log4j.properties file of X-Pack by adding regex filtering. But this is only a temporary solution, and the regular expression we have to define depends heavily on Elastic's log format. This makes our development process inflexible.
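As an added illustration of that log4j2 workaround (example fragment, not from the issue author or from Elastic): a RegexFilter on the audit logfile appender that drops routine events from the listed service accounts but still keeps their authentication failures, which a defender would not want to lose. It assumes the default 5.x appender name `audit_rolling`, the `[transport] [access_granted] ... principal=[kibana], ...` message layout, and that the `.properties` loader strips one level of backslash escaping.

```properties
# Added example fragment for X-Pack's log4j2 audit configuration.
# Assumptions: the audit logfile appender is named "audit_rolling" (the
# default in 5.x) and the audit message contains "principal=[<name>]".
# This filters the "logfile" output only; the "index" output is unaffected.

# ... the existing audit_rolling appender definition stays above ...

# DENY any audit message whose principal is one of the service accounts,
# UNLESS the event is an authentication failure: a rejected login using the
# kibana or logstash credentials is exactly what a defender still wants to see.
# The filter runs against the formatted message (useRawMsg=false), e.g.
#   [transport] [access_granted]  origin_type=[rest], ..., principal=[kibana], action=[...]
appender.audit_rolling.filter.noise.type = RegexFilter
appender.audit_rolling.filter.noise.regex = ^(?!.*authentication_failed\\]).*principal=\\[(kibana|logstash|_xpack_security)\\].*
appender.audit_rolling.filter.noise.onMatch = DENY
appender.audit_rolling.filter.noise.onMismatch = ACCEPT
appender.audit_rolling.filter.noise.useRawMsg = false

# Why this stays a workaround (the fragility the issue describes):
# - Backslashes are doubled because the .properties loader consumes one
#   level of escaping before log4j2 compiles the pattern.
# - The pattern is tied to the "principal=[...]" layout and to the exact
#   account names: a format change or a new service account silently lets
#   the noise back in, and a human who is given one of these usernames
#   would have their actions hidden from the log.
```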
Elasticsearch version: 5.6.2