X-Pack Elasticsearch Auditing Security Events

(Gokul Raj S) #1

I am using X-Pack to keep track of events related to Elasticsearch. I am listening only to the authentication_success event, and in that I am getting both [rest] and [transport] calls. How can I listen to only the [rest] requests?

(Sherry Ger) #2

Please have a look at Logfile Audit Event Ignore Policies to omit the events from the transport calls.

(Gokul Raj S) #3

I don't think so, because I have already looked into it. This won't solve my problem. Can you please suggest or tell me any other way? My requirement is just omitting the [transport] calls in the authentication_success event.

(Tim Vernum) #4

It is not possible to only audit [rest] and not [transport].
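Since the audit layer itself offers no origin-based switch (the ignore policies mentioned above match on users, realms, roles and indices, not on whether an event came in over REST or the transport layer), the practical route is to filter the written log after the fact. The script below is an added example, not code from the thread or from Elastic: it parses lines in the bracketed legacy logfile layout `[timestamp] [node] [rest|transport] [event] key=[value], ...`, keeps only `[rest]` `authentication_success` entries, and drops everything else. The sample log lines are constructed for the example, and the assumption that every line carries a node-name field is an assumption of this parser, not something the thread states.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the bracketed X-Pack audit logfile layout.
# These are made up for the example and were not copied from a real cluster.
SAMPLE_AUDIT_LOG = """\
[2018-03-15T10:26:13,213] [node-0] [rest] [authentication_success] realm=[native1], uri=[/_cluster/health], request_body=[], principal=[kibana]
[2018-03-15T10:26:13,301] [node-0] [transport] [authentication_success] realm=[native1], action=[cluster:monitor/health], principal=[kibana], request=[ClusterHealthRequest]
[2018-03-15T10:26:14,002] [node-0] [rest] [authentication_failed] realm=[native1], uri=[/_search], principal=[bob]
[2018-03-15T10:26:15,777] [node-0] [transport] [access_granted] action=[indices:data/read/search], principal=[alice]
[2018-03-15T10:26:16,100] [node-0] [rest] [authentication_success] realm=[native1], uri=[/logs-*/_search], principal=[alice]
"""

# Assumption of this example: every line starts with four bracketed fields
# (timestamp, node name, origin, event name) followed by key=[value] pairs.
AUDIT_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"
    r"\[(?P<node>[^\]]+)\]\s+"
    r"\[(?P<origin>rest|transport)\]\s+"
    r"\[(?P<event>[a-z_]+)\]\s*"
    r"(?P<attrs>.*)$"
)
ATTR = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit line into a flat dict, or return None if it does not match."""
    m = AUDIT_LINE.match(line.strip())
    if not m:
        return None
    record = {
        "ts": m.group("ts"),
        "node": m.group("node"),
        "origin": m.group("origin"),
        "event": m.group("event"),
    }
    # key=[value] attributes; values may be empty (e.g. request_body=[]).
    for key, value in ATTR.findall(m.group("attrs")):
        record[key] = value
    return record


def filter_audit(
    lines: Iterable[str], origin: str = "rest", event: str = "authentication_success"
) -> List[Dict[str, str]]:
    """Keep only parsed records whose origin and event match.

    Unparseable lines are skipped rather than raising, so a stray
    stack trace or banner in the log file does not abort the run.
    """
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["origin"] == origin and rec["event"] == event:
            kept.append(rec)
    return kept


def principals(records: List[Dict[str, str]]) -> List[str]:
    """Convenience: the principal of each kept record, in log order."""
    return [r.get("principal", "") for r in records]


if __name__ == "__main__":
    # Run against the constructed sample; point splitlines() at a real file to use it.
    for rec in filter_audit(SAMPLE_AUDIT_LOG.splitlines()):
        print(rec["ts"], rec["origin"], rec["event"], rec.get("principal"), rec.get("uri"))
```

To use it on a live file, replace `SAMPLE_AUDIT_LOG.splitlines()` with an open file handle; the transport-layer copies of the same logins are dropped at read time, which is the only place they can be dropped if the audit configuration cannot suppress them.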

(Gokul Raj S) #5

Now I am trying the same using Search Guard, and I am using "internal_elasticsearch—writes the events in a separate audit index on the same cluster", but I am not receiving any logs in the index.

(system) #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.