Startsida Utforska Hjälp
Logga in
lqb
/
elasticsearch
spegling av https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Filer Ärenden 0 Wiki
Träd: f12bfb4684
Grenar Taggar
elasticsearch
/
x-pack
/
docs
/
en
/
security
/
auditing
/
output-index.asciidoc

output-index.asciidoc 2.0 KB
Historik

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 
  1. [role="xpack"]
    2. 

  2. [[audit-index]]
    3. 

  3. === Index audit output
    4. 

  4. 

  5. In addition to logging to a file, you can store audit logs in Elasticsearch
    6. 

  6. rolling indices. These indices can be either on the same cluster, or on a
    7. 

  7. remote cluster. You configure the following settings in
    8. 

  8. `elasticsearch.yml` to control how audit entries are indexed. To enable
    9. 

  9. this output, you need to configure the setting `xpack.security.audit.outputs`
    10. 

  10. in the `elasticsearch.yml` file:
    11. 

  11. 

  12. [source,yaml]
    13. 

  13. ----------------------------
    14. 

  14. xpack.security.audit.outputs: [ index, logfile ]
    15. 

  15. ----------------------------
    16. 

  16. 

  17. For more configuration options, see
    18. 

  18. {ref}/auditing-settings.html#index-audit-settings[Audit log indexing configuration settings].
    19. 

  19. 

  20. IMPORTANT: No filtering is performed when auditing, so sensitive data may be
    21. 

  21. audited in plain text when including the request body in audit events.
    22. 

  22. 

  23. [float]
    24. 

  24. ==== Audit index settings
    25. 

  25. 

  26. You can also configure settings for the indices that the events are stored in.
    27. 

  27. These settings are configured in the `xpack.security.audit.index.settings` namespace
    28. 

  28. in `elasticsearch.yml`. For example, the following configuration sets the
    29. 

  29. number of shards and replicas to 1 for the audit indices:
    30. 

  30. 

  31. [source,yaml]
    32. 

  32. ----------------------------
    33. 

  33. xpack.security.audit.index.settings:
    34. 

  34.   index:
    35. 

  35.     number_of_shards: 1
    36. 

  36.     number_of_replicas: 1
    37. 

  37. ----------------------------
    38. 

  38. 

  39. These settings apply to the local audit indices, as well as to the
    40. 

  40. <<forwarding-audit-logfiles, remote audit indices>>, but only if the remote cluster
    41. 

  41. does *not* have {security-features} enabled or the {es} versions are different.
    42. 

  42. If the remote cluster has {security-features} enabled and the versions coincide,
    43. 

  43. the settings for the audit indices there will take precedence,
    44. 

  44. even if they are unspecified (i.e. left to defaults).
    45. 

  45. 

  46. NOTE: Audit events are batched for indexing so there is a lag before
    47. 

  47. events appear in the index. You can control how frequently batches of
    48. 

  48. events are pushed to the index by setting
    49. 

  49. `xpack.security.audit.index.flush_interval` in `elasticsearch.yml`.
    50.