X-Pack Audit Trail logs cannot be further specified

Describe the feature:

When we enable X-Pack's Audit Trail as following:

xpack.security.audit:
  enabled: true
  outputs: [index, logfile]

What we would like to monitor are mainly two things;

  • the login actions
  • the actions performed by the real, actual users, rather than also those of kibana, logstash and other NPA users.

However, the audit logs are full of entries from the principal kibana and other NPA users. Because there are too many such logs (Kibana is basically doing this every few seconds for its healthcheck), they take up lots of disk space, and more importantly, we cannot get a clear picture of what the real human users have done. You can see how many logs are generated every minute:

For example, in the following case, I only want the logs whose principal is an actual user name, like the one at the bottom of this image. But there are many logs with principals like kibana, _xpack_security, etc.

This missing feature is also described here by Guy Shilo: http://www.idata.co.il/2017/03/securing-elasticsearch-cluster-part-3-auditing/. He provided a temporary solution, which is to configure the log4j.properties file of x-pack by adding regex filtering. But this is only a temporary solution, and the regex expression we have to define really depends on Elastic's log style. This makes our development process inflexible.

Elasticsearch version: 5.6.2
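As an added example (not part of the original post, and not Elastic's or Guy Shilo's code), the following Python script does the filtering the post asks for as a post-processing step over the logfile output rather than inside log4j. It assumes the 5.x logfile audit line layout `[timestamp] [layer] [event_type]  key=[value], key=[value], ...`, an assumed list of NPA principals, the convention that reserved internal users start with an underscore, and `authentication_failed` as the event that records a failed login; the sample lines are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Assumed 5.x logfile audit layout (an assumption, not taken from the post):
#   [timestamp] [layer] [event_type]  key=[value], key=[value], ...
_HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<layer>[^\]]+)\]\s+\[(?P<event>[^\]]+)\]\s*(?P<rest>.*)$"
)
_KV = re.compile(r"(\w+)=\[([^\]]*)\]")

# Non-person accounts whose events we want to drop (assumed list; extend per cluster).
NPA_PRINCIPALS: Set[str] = {"kibana", "logstash_system", "_xpack_security", "_system"}

# Event type that records a failed login in the 5.x audit trail (assumed).
LOGIN_EVENTS: Set[str] = {"authentication_failed"}

# Constructed sample audit lines, not real cluster output.
SAMPLE_LINES: List[str] = [
    "[2017-10-10T10:00:01,000] [transport] [access_granted]  origin_type=[local_node], origin_address=[127.0.0.1], principal=[kibana], action=[cluster:monitor/health], request=[ClusterHealthRequest]",
    "[2017-10-10T10:00:02,000] [transport] [access_granted]  origin_type=[local_node], origin_address=[127.0.0.1], principal=[_xpack_security], action=[indices:data/read/search], indices=[.security], request=[SearchRequest]",
    "[2017-10-10T10:00:03,000] [rest] [authentication_failed]  origin_address=[10.0.0.5], principal=[alice], uri=[/_cluster/health]",
    "[2017-10-10T10:00:04,000] [transport] [access_granted]  origin_type=[rest], origin_address=[10.0.0.5], principal=[alice], action=[indices:data/read/search], indices=[logs-*], request=[SearchRequest]",
    "[2017-10-10T10:00:05,000] [transport] [access_denied]  origin_type=[rest], origin_address=[10.0.0.7], principal=[bob], action=[indices:admin/delete], indices=[logs-2017], request=[DeleteIndexRequest]",
    "not an audit line",
]


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line into a dict; return None for lines that do not match the layout."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "layer": m.group("layer"), "event": m.group("event")}
    # key=[value] pairs; values may contain commas or wildcards, so match on brackets, not separators.
    rec.update(dict(_KV.findall(m.group("rest"))))
    return rec


def is_human_event(rec: Dict[str, str], npa: Set[str] = NPA_PRINCIPALS) -> bool:
    """True when the record is attributable to a human principal.

    Records without a principal cannot be attributed, so they are kept for manual review
    rather than silently dropped. Underscore-prefixed principals are treated as internal
    accounts (a heuristic, assumed here)."""
    principal = rec.get("principal")
    if principal is None:
        return True
    return principal not in npa and not principal.startswith("_")


def filter_human_events(lines: Iterable[str], npa: Set[str] = NPA_PRINCIPALS,
                        login_only: bool = False) -> List[Dict[str, str]]:
    """Return parsed records for human principals, optionally only login-related events."""
    out = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or not is_human_event(rec, npa):
            continue
        if login_only and rec["event"] not in LOGIN_EVENTS:
            continue
        out.append(rec)
    return out


def summarize_by_principal(records: Iterable[Dict[str, str]]) -> Dict[str, Counter]:
    """Count event types per principal, giving the 'what did each user do' view."""
    summary: Dict[str, Counter] = {}
    for rec in records:
        summary.setdefault(rec.get("principal", "<unknown>"), Counter())[rec["event"]] += 1
    return summary


if __name__ == "__main__":
    for principal, counts in summarize_by_principal(filter_human_events(SAMPLE_LINES)).items():
        print(principal, dict(counts))
    for rec in filter_human_events(SAMPLE_LINES, login_only=True):
        print("failed login:", rec["principal"], "from", rec.get("origin_address"))
```

Like the log4j regex workaround, this still depends on the audit line layout, but the format dependency is confined to `_HEADER` and `_KV`; the principal allow/deny logic and the per-user summary work on parsed fields and do not need to change if the line style changes.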
