X-Pack Elasticsearch Auditing Security Events

I am using X-Pack to keep track of events related to Elasticsearch. I am listening only to the authentication_success event, and in that I am getting both [rest] and [transport] calls. How can I listen to only the [rest] requests?

Please have a look at Logfile Audit Event Ignore Policies to omit the events from the transport calls.

I don't think so, because I have already looked into it. This won't solve my problem. Can you please suggest or tell me any other way? My requirement is just omitting the [transport] calls in the authentication_success event.

It is not possible to only audit [rest] and not [transport].
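Since the thread concludes that the audit trail itself cannot be limited to the [rest] layer, the practical place to drop the [transport] events is wherever the audit log is consumed (a shipper, a SIEM pipeline, or a small script). The following is an added example, not code from the thread or from Elastic: it parses audit lines in the two shapes X-Pack has used (the older text logfile, where the third and fourth bracketed tokens are the layer and the event type, and the newer JSON logfile with `event.type` and `event.action`) and keeps only `authentication_success` events from the `rest` layer. The sample lines and their field values are constructed for the example and only approximate the real formats.

```python
import json
import re

# Constructed sample audit lines (not taken from the thread). The first three mimic the
# text logfile format "[timestamp] [node] [layer] [event_type] key=[value], ..."; the
# last two mimic the JSON logfile format with one object per line.
SAMPLE_LOG = """\
[2019-01-15T10:21:03,311] [node-1] [rest] [authentication_success] realm=[native], user=[kibana], uri=[/_cluster/health], request_body=[]
[2019-01-15T10:21:03,412] [node-1] [transport] [authentication_success] realm=[native], user=[elastic], action=[indices:data/read/search], indices=[logs-*]
[2019-01-15T10:21:04,002] [node-1] [rest] [authentication_failed] realm=[native], user=[bob], uri=[/_search]
{"type":"audit","timestamp":"2019-01-15T10:21:05,100","node.name":"node-1","event.type":"rest","event.action":"authentication_success","user.name":"kibana","url.path":"/_cluster/health"}
{"type":"audit","timestamp":"2019-01-15T10:21:05,200","node.name":"node-1","event.type":"transport","event.action":"authentication_success","user.name":"elastic","action":"indices:data/read/search"}
"""

# Text-format line: four leading bracketed tokens, then "key=[value]" pairs.
TEXT_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<node>[^\]]+)\] \[(?P<layer>[^\]]+)\] "
    r"\[(?P<event>[^\]]+)\] ?(?P<rest>.*)$"
)
KV = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_line(line):
    """Normalise one audit line to {"layer", "event", "fields"}; None if unparseable."""
    line = line.strip()
    if not line:
        return None
    if line.startswith("{"):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            return None
        # Assumed field names for the JSON format: event.type is the layer
        # (rest/transport), event.action is the event name.
        if "event.type" not in obj or "event.action" not in obj:
            return None
        fields = {k: v for k, v in obj.items() if k not in ("event.type", "event.action")}
        return {"layer": obj["event.type"], "event": obj["event.action"], "fields": fields}
    m = TEXT_LINE.match(line)
    if not m:
        return None
    return {
        "layer": m.group("layer"),
        "event": m.group("event"),
        "fields": dict(KV.findall(m.group("rest"))),
    }


def select_events(log_text, layer="rest", event="authentication_success"):
    """Return the parsed records whose layer and event both match."""
    kept = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["layer"] == layer and rec["event"] == event:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in select_events(SAMPLE_LOG):
        print(rec["layer"], rec["event"], rec["fields"])
```

Filtering on the layer token rather than on a substring such as `[rest]` avoids false matches on values like `uri=[/rest/...]`, and the same two predicates (`layer == "rest"`, `event == "authentication_success"`) map directly onto a drop/keep rule in a shipper if the script is replaced by a pipeline stage.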

Now I am trying the same using Search Guard, and I am using "internal_elasticsearch—writes the events in a separate audit index on the same cluster", but I am not receiving any logs in the index.
