Describe the feature:
When we enable X-Pack's Audit Trail as follows:

```yaml
xpack.security.audit:
  enabled: true
  outputs: [index, logfile]
```
What we would like to monitor is mainly two things:
- the login actions
- the actions performed by the real human users, instead of also having logstash and other NPA users.
However, the audit logs are full of entries from kibana and other NPA users. Because there are so many such entries (Kibana is basically doing this every few seconds for its health check), they take up a lot of disk space, and more importantly, we cannot get a clear picture of what the real human users have done. You can see how many log entries are generated every minute:
For example, in the following case, I only want the logs whose principal is an actual user name, like the one at the bottom of this image. But there are many logs with principals like
This missing feature is also described here by Guy Shilo: http://www.idata.co.il/2017/03/securing-elasticsearch-cluster-part-3-auditing/. He provided a temporary solution, which is to configure the
log4j.properties file of X-Pack by adding regex filtering. But this is only a temporary solution, and the regex expressions we have to define depend entirely on the log format Elastic uses. This makes our development process inflexible.
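As an illustration of why a line-format regex is fragile, and of what a principal-based filter would do, here is an added Python example (not part of this issue, X-Pack, or the linked article) that parses audit logfile entries into key/value attributes, drops entries whose principal is a known service account, and picks out the login events among what remains. The sample lines are constructed to resemble the X-Pack 5.x logfile layout `[timestamp] [node] [layer] [entry_type] key=[value], ...`; the principal names and the event names in `LOGIN_EVENTS` are assumptions, not values from this page.

```python
import re
from typing import Dict, Iterable, List, Optional

# Service accounts that produce most of the noise (the issue names kibana and
# logstash); extend this set for other non-person accounts in your deployment.
NPA_PRINCIPALS = {"kibana", "logstash"}

# Entry types treated as login attempts. Assumption: event names as written by
# the X-Pack audit logfile; a version that does not emit authentication_success
# will only show successful logins as access_granted entries.
LOGIN_EVENTS = {"authentication_success", "authentication_failed"}

# Constructed sample lines modelled on the 5.x logfile format (not real logs).
SAMPLE_LINES = [
    "[2017-10-12T09:15:19,256] [node-0] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[kibana], action=[cluster:monitor/health], request=[ClusterHealthRequest]",
    "[2017-10-12T09:15:20,101] [node-0] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.6], principal=[logstash], action=[indices:data/write/bulk], request=[BulkRequest]",
    "[2017-10-12T09:15:21,412] [node-0] [rest] [authentication_success] realm=[native], uri=[/_search], params=[{}], principal=[alice]",
    "[2017-10-12T09:15:21,420] [node-0] [transport] [access_granted] origin_type=[rest], origin_address=[192.0.2.10], principal=[alice], action=[indices:data/read/search], indices=[logs-2017.10.12], request=[SearchRequest]",
    "[2017-10-12T09:15:30,001] [node-0] [rest] [authentication_failed] origin_address=[192.0.2.11], principal=[bob], uri=[/_search]",
]

_TIMESTAMP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<rest>.*)$")
_BRACKET_RE = re.compile(r"^\[([^\]]*)\]\s*")
# key=[value]; the value runs to the first ']' which covers the simple
# attributes shown here (request bodies with nested brackets need more care).
_ATTR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit logfile line into a dict, or return None for non-audit lines."""
    m = _TIMESTAMP_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    tokens: List[str] = []
    # Consume the leading bracketed tokens ([node] [layer] [entry_type]) until the
    # attribute list, which starts with "key=[" rather than a bare "[".
    while True:
        bm = _BRACKET_RE.match(rest)
        if not bm:
            break
        tokens.append(bm.group(1))
        rest = rest[bm.end():]
    if len(tokens) < 2:
        return None
    event = {"timestamp": m.group("ts"), "layer": tokens[-2], "event": tokens[-1]}
    event.update(_ATTR_RE.findall(rest))
    return event


def filter_human_events(lines: Iterable[str],
                        npa: Iterable[str] = NPA_PRINCIPALS) -> List[Dict[str, str]]:
    """Drop entries whose principal is a known service account.

    Entries with no principal at all (for example anonymous access attempts) are
    kept, because they cannot be attributed to a service account.
    """
    npa_set = set(npa)
    parsed = (parse_audit_line(line) for line in lines)
    return [e for e in parsed if e is not None and e.get("principal") not in npa_set]


def login_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Select the login attempts (successful or failed) from parsed entries."""
    return [e for e in events if e["event"] in LOGIN_EVENTS]


def count_by_principal(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count entries per principal, a quick view of who actually did something."""
    counts: Dict[str, int] = {}
    for e in events:
        p = e.get("principal", "<none>")
        counts[p] = counts.get(p, 0) + 1
    return counts


if __name__ == "__main__":
    human = filter_human_events(SAMPLE_LINES)
    print("human-attributable entries:", count_by_principal(human))
    for e in login_events(human):
        print(e["timestamp"], e["event"], e.get("principal"), e.get("origin_address", "-"))
```

Because the filter keys on the parsed `principal` attribute rather than on the position of text within the line, it keeps working when attributes are reordered or added, which is exactly where a positional log4j regex breaks. The same selection could be expressed as a query against the `index` output's `principal` field once the entries are indexed.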
Elasticsearch version: 5.6.2