All of these settings can be added to the elasticsearch.yml configuration file. For more information, see Auditing Security Events.
xpack.security.audit.enabled
Set to true to enable auditing on the node. The default value is false.
When enabled, audit events are written to a dedicated file named <clustername>_audit.json on each node. For more information, see Configuring logging levels.
The events and some other information about what gets logged can be controlled by using the following settings:
xpack.security.audit.logfile.events.include
Specifies which events to include in the auditing output. The default value is:
access_denied, access_granted, anonymous_access_denied, authentication_failed,
connection_denied, tampered_request, run_as_denied, run_as_granted.
xpack.security.audit.logfile.events.exclude
Excludes the specified events from the output. By default, no events are excluded.
xpack.security.audit.logfile.events.emit_request_body
Specifies whether to include the request body from REST requests on certain event types such as authentication_failed. The default value is false.
No filtering is performed when auditing, so sensitive data (credentials submitted in a request body, for example) may be written to the audit log in plain text when the request body is included in audit events. Leave this setting at false unless the audit log itself is protected to the same standard as that data.
xpack.security.audit.logfile.emit_node_name
Specifies whether to include the node name as a field in each audit event. The default value is true.
xpack.security.audit.logfile.emit_node_host_address
Specifies whether to include the node's IP address as a field in each audit event. The default value is false.
xpack.security.audit.logfile.emit_node_host_name
Specifies whether to include the node's host name as a field in each audit event. The default value is false.
xpack.security.audit.logfile.emit_node_id
Specifies whether to include the node id as a field in each audit event. This field is available only in the <clustername>_audit.json output, not in the older <clustername>_access.log file. Unlike the node name, whose value might change if the administrator changes the setting in the config file, the node id persists across cluster restarts and the administrator cannot change it, which makes it the more reliable identifier when correlating events from one node over time. The default value is true.
These settings define ignore policies that give fine-grained control over which audit events are printed to the log file. All of the settings with the same policy name combine to form a single policy. If an event matches all of the conditions for a specific policy, it is ignored and not printed; a condition that a policy does not set places no constraint on the event. Use such policies sparingly and review the patterns carefully, because an over-broad policy silently removes events from the audit trail.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.users
A list of user names or wildcards. The specified policy does not print audit events for users matching these values.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.realms
A list of authentication realm names or wildcards. The specified policy does not print audit events for users in these realms.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.roles
A list of role names or wildcards. The specified policy does not print audit events for users that have these roles.
xpack.security.audit.logfile.events.ignore_filters.<policy_name>.indices
A list of index names or wildcards. The specified policy does not print audit events for operations that target these indices.
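The following is an added example, not code from the Elasticsearch project, that models the include/exclude and ignore-policy rules described on this page. It embeds a constructed elasticsearch.yml fragment written in the flat dotted-key form that Elasticsearch accepts, groups the ignore_filters.<policy_name>.* keys into policies, and then checks constructed events against them so the AND-across-conditions and OR-across-policies behaviour can be seen on concrete input. The policy names, users, realms and index names are invented for the example. How Elasticsearch itself treats an event that carries no indices or roles is not stated on this page; the model assumes such an event only satisfies that condition when a pattern matches the empty string (for example "*"), so that an indices policy cannot silently swallow index-less events such as authentication_failed. Verify that assumption against your own cluster before relying on it.

```python
import fnmatch

# Constructed elasticsearch.yml fragment using the flat dotted-key form that
# Elasticsearch accepts. Policy names ("monitoring", "internal_idx") and the
# user/realm/index values are assumptions made up for this example.
ES_YML = """
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.include: [access_denied, access_granted, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted]
xpack.security.audit.logfile.events.exclude: [access_granted]
xpack.security.audit.logfile.events.emit_request_body: false
xpack.security.audit.logfile.emit_node_id: true
xpack.security.audit.logfile.events.ignore_filters.monitoring.users: [kibana, "*_monitoring"]
xpack.security.audit.logfile.events.ignore_filters.monitoring.realms: [native, file]
xpack.security.audit.logfile.events.ignore_filters.internal_idx.indices: [".monitoring-*", ".kibana*"]
"""

PREFIX = "xpack.security.audit.logfile.events.ignore_filters."
FIELDS = ("users", "realms", "roles", "indices")


def parse_flat_yml(text):
    """Minimal reader for one-setting-per-line YAML: scalars and [a, b] lists."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            settings[key.strip()] = [
                v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()
            ]
        else:
            settings[key.strip()] = value.strip("\"'")
    return settings


def audited_event_types(settings):
    """Event types that reach the log: events.include minus events.exclude."""
    include = settings.get("xpack.security.audit.logfile.events.include", [])
    exclude = set(settings.get("xpack.security.audit.logfile.events.exclude", []))
    return [e for e in include if e not in exclude]


def build_policies(settings):
    """Group ignore_filters.<policy_name>.<field> keys into one policy per name."""
    policies = {}
    for key, value in settings.items():
        if not key.startswith(PREFIX):
            continue
        name, _, field = key[len(PREFIX):].rpartition(".")
        if name and field in FIELDS:
            policies.setdefault(name, {})[field] = list(value)
    return policies


def _condition_holds(patterns, values):
    """A field condition holds when every event value matches some pattern.

    An absent condition (patterns is None) constrains nothing. An event with
    no values for the field is modelled as the empty string, so only a pattern
    such as "*" satisfies the condition (model assumption, see lead-in).
    """
    if patterns is None:
        return True
    values = values or [""]
    return all(any(fnmatch.fnmatchcase(v, p) for p in patterns) for v in values)


def ignored_by(event, policies):
    """Return the name of the first policy whose conditions ALL hold, else None."""
    for name, policy in policies.items():
        if all(_condition_holds(policy.get(f), event.get(f, [])) for f in FIELDS):
            return name
    return None


def _event(user, realm, roles=(), indices=()):
    # Event fields are keyed by the same names the ignore_filters settings use.
    return {"users": [user], "realms": [realm], "roles": list(roles), "indices": list(indices)}


SETTINGS = parse_flat_yml(ES_YML)
POLICIES = build_policies(SETTINGS)

# Constructed events for the walk-through.
EVENTS = {
    "kibana_native": _event("kibana", "native", ["kibana_system"], [".kibana"]),
    "alice_monitoring_idx": _event("alice", "native", ["admin"], [".monitoring-es-7"]),
    "alice_mixed_idx": _event("alice", "ldap1", ["admin"], [".monitoring-es-7", "customers"]),
    "kibana_ldap": _event("kibana", "ldap1", ["kibana_system"], ["customers"]),
    "alice_auth_failed": _event("alice", "native"),  # no roles/indices resolved
}

if __name__ == "__main__":
    print("audited event types:", audited_event_types(SETTINGS))
    for label, ev in EVENTS.items():
        print(f"{label}: ignored by {ignored_by(ev, POLICIES)}")
```

Running it shows the two points that matter when writing policies: "kibana_ldap" is still audited because the monitoring policy requires both the user and the realm to match, and "alice_mixed_idx" is still audited because one of the indices it touches ("customers") is outside the internal_idx patterns. Only events where every condition of some policy holds drop out of the log.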