Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: cccc3f7a64
Branches Tags
elasticsearch
/
docs
/
reference
/
settings
/
audit-settings.asciidoc

audit-settings.asciidoc 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165 
  1. [role="xpack"]
    2. 

  2. [[auditing-settings]]
    3. 

  3. === Auditing Security Settings
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Auditing Settings</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. All of these settings can be added to the `elasticsearch.yml` configuration
    9. 

  9. file. For more information, see
    10. 

  10. {xpack-ref}/auditing.html[Auditing Security Events].
    11. 

  11. 

  12. [[general-audit-settings]]
    13. 

  13. ==== General Auditing Settings
    14. 

  14. 

  15. `xpack.security.audit.enabled`::
    16. 

  16. Set to `true` to enable auditing on the node. The default value is `false`.
    17. 

  17. 

  18. `xpack.security.audit.outputs`::
    19. 

  19. Specifies where audit logs are output. For example: `[ index, logfile ]`. The
    20. 

  20. default value is `logfile`, which puts the auditing events in a dedicated
    21. 

  21. `<clustername>_access.log` file on the node. You can also specify `index`, which
    22. 

  22. puts the auditing events in an {es} index that is prefixed with
    23. 

  23. `.security_audit_log`. The index can reside on the same cluster or a separate
    24. 

  24. cluster.
    25. 

  25. +
    26. 

  26. --
    27. 

  27. TIP: If the index is unavailable, it is possible for auditing events to
    28. 

  28. be lost. The `index` output type should therefore be used in conjunction with
    29. 

  29. the `logfile` output type and the latter should be the official record of events.
    30. 

  30. 

  31. --
    32. 

  32. 

  33. [[event-audit-settings]]
    34. 

  34. ==== Audited Event Settings
    35. 

  35. 

  36. The events and some other information about what gets logged can be
    37. 

  37. controlled by using the following settings:
    38. 

  38. 

  39. `xpack.security.audit.logfile.events.include`::
    40. 

  40. Specifies which events to include in the auditing output. The default value is:
    41. 

  41. `access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted`.
    42. 

  42. 

  43. `xpack.security.audit.logfile.events.exclude`::
    44. 

  44. Excludes the specified events from the output. By default, no events are
    45. 

  45. excluded.
    46. 

  46. 

  47. `xpack.security.audit.logfile.events.emit_request_body`::
    48. 

  48. Specifies whether to include the request body from REST requests on certain
    49. 

  49. event types such as `authentication_failed`. The default value is `false`.
    50. 

  50. +
    51. 

  51. --
    52. 

  52. IMPORTANT: No filtering is performed when auditing, so sensitive data may be
    53. 

  53. audited in plain text when including the request body in audit events.
    54. 

  54. 

  55. --
    56. 

  56. 

  57. [[node-audit-settings]]
    58. 

  58. ==== Local Node Info Settings
    59. 

  59. 

  60. `xpack.security.audit.logfile.prefix.emit_node_name`::
    61. 

  61. Specifies whether to include the node's name in the local node info. The
    62. 

  62. default value is `true`.
    63. 

  63. 

  64. `xpack.security.audit.logfile.prefix.emit_node_host_address`::
    65. 

  65. Specifies whether to include the node's IP address in the local node info. The
    66. 

  66. default value is `false`.
    67. 

  67. 

  68. `xpack.security.audit.logfile.prefix.emit_node_host_name`::
    69. 

  69. Specifies whether to include the node's host name in the local node info. The
    70. 

  70. default value is `false`.
    71. 

  71. 

  72. [[index-audit-settings]]
    73. 

  73. ==== Audit Log Indexing Configuration Settings
    74. 

  74. 

  75. `xpack.security.audit.index.bulk_size`::
    76. 

  76. Controls how many audit events are batched into a single write. The default
    77. 

  77. value is `1000`.
    78. 

  78. 

  79. `xpack.security.audit.index.flush_interval`::
    80. 

  80. Controls how often buffered events are flushed to the index. The default value
    81. 

  81. is `1s`.
    82. 

  82. 

  83. `xpack.security.audit.index.rollover`::
    84. 

  84. Controls how often to roll over to a new index: `hourly`, `daily`, `weekly`, or
    85. 

  85. `monthly`. The default value is `daily`.
    86. 

  86. 

  87. `xpack.security.audit.index.events.include`::
    88. 

  88. Specifies the audit events to be indexed. The default value is
    89. 

  89. `anonymous_access_denied, authentication_failed, realm_authentication_failed, access_granted, access_denied, tampered_request, connection_granted, connection_denied, run_as_granted, run_as_denied`.
    90. 

  90. See {xpack-ref}/audit-event-types.html[Audit Entry Types] for the
    91. 

  91. complete list.
    92. 

  92. 

  93. `xpack.security.audit.index.events.exclude`::
    94. 

  94. Excludes the specified auditing events from indexing. By default, no events are
    95. 

  95. excluded.
    96. 

  96. 

  97. `xpack.security.audit.index.events.emit_request_body`::
    98. 

  98. Specifies whether to include the request body from REST requests on certain
    99. 

  99. event types such as `authentication_failed`. The default value is `false`.
    100. 

  100. 

  101. `xpack.security.audit.index.settings`::
    102. 

  102. Specifies settings for the indices that the events are stored in. For example,
    103. 

  103. the following configuration sets the number of shards and replicas to 1 for the
    104. 

  104. audit indices:
    105. 

  105. +
    106. 

  106. --
    107. 

  107. [source,yaml]
    108. 

  108. ----------------------------
    109. 

  109. xpack.security.audit.index.settings:
    110. 

  110.   index:
    111. 

  111.     number_of_shards: 1
    112. 

  112.     number_of_replicas: 1
    113. 

  113. ----------------------------
    114. 

  114. --
    115. 

  115. +
    116. 

  116. --
    117. 

  117. NOTE: These settings apply to the local audit indices, as well as to the
    118. 

  118. <<remote-audit-settings, remote audit indices>>, but only if the remote cluster
    119. 

  119. does *not* have {security} installed, or the {es} versions are different.
    120. 

  120. If the remote cluster has {security} installed, and the versions coincide, the
    121. 

  121. settings for the audit indices there will take precedence,
    122. 

  122. even if they are unspecified (i.e. left to defaults).
    123. 

  123. --
    124. 

  124. 

  125. [[remote-audit-settings]]
    126. 

  126. ==== Remote Audit Log Indexing Configuration Settings
    127. 

  127. 

  128. To index audit events to a remote {es} cluster, you configure the following
    129. 

  129. `xpack.security.audit.index.client` settings:
    130. 

  130. 

  131. `xpack.security.audit.index.client.hosts`::
    132. 

  132. Specifies a comma-separated list of `host:port` pairs. These hosts should be
    133. 

  133. nodes in the remote cluster. If you are using default values for the 
    134. 

  134. <<common-network-settings,`transport.tcp.port`>> setting, you can omit the 
    135. 

  135. `port` value. Otherwise, it must match the `transport.tcp.port` setting. 
    136. 

  136. 

  137. `xpack.security.audit.index.client.cluster.name`::
    138. 

  138. Specifies the name of the remote cluster.
    139. 

  139. 

  140. `xpack.security.audit.index.client.xpack.security.user`::
    141. 

  141. Specifies the `username:password` pair that is used to authenticate with the
    142. 

  142. remote cluster. This user must have authority to create the `.security-audit` 
    143. 

  143. index on the remote cluster. 
    144. 

  144. 

  145. If the remote {es} cluster has Transport Layer Security (TLS/SSL) enabled, you 
    146. 

  146. must set the following setting to `true`:
    147. 

  147. 

  148. `xpack.security.audit.index.client.xpack.security.transport.ssl.enabled`::
    149. 

  149. Used to enable or disable TLS/SSL for the transport client that forwards audit 
    150. 

  150. logs to the remote cluster. The default is `false`. 
    151. 

  151. 

  152. You must also specify the information necessary to access certificates. See 
    153. 

  153. <<auditing-tls-ssl-settings>>. 
    154. 

  154. 

  155. You can pass additional settings to the remote client by specifying them in the
    156. 

  156. `xpack.security.audit.index.client` namespace. For example, you can add 
    157. 

  157. <<modules-transport,transport settings>> and 
    158. 

  158. <<tcp-settings,advanced TCP settings>> in that namespace. To allow the remote
    159. 

  159. client to discover all of the nodes in the remote cluster you can specify the
    160. 

  160. `client.transport.sniff` setting:
    161. 

  161. 

  162. [source,yaml]
    163. 

  163. ----------------------------
    164. 

  164. xpack.security.audit.index.client.transport.sniff: true
    165. 

  165. ----------------------------
    166.