I am using X-Pack to keep track of events related to Elasticsearch. Am listening only the authentication_success event, in that am getting both [rest] and [transport] calls. How can I listen to only the [rest] request?
Please have a look at Logfile Audit Event Ignore Policies to omit the events from the transport calls.
i don't think so because already i have looked into it. This willn't solve my problem. Can you please suggest or tell me any other way. My requirement is just omitting the [transport] calls in authentication_success event.
It is not possible to only audit [rest] and not [transport].
now am trying the same using search guard and am using "internal_elasticsearch—writes the events in a separate audit index on the same cluster" but am not receiving any logs in the index.