This topic describes how to enable the audit log indexing feature for your Alibaba Cloud Elasticsearch cluster, view the auditing event log file, and configure the related parameters.
Enable audit log indexing
Configure audit log indexing
```yaml
xpack.security.audit.index.bulk_size: 5000
xpack.security.audit.index.events.emit_request_body: false
xpack.security.audit.index.events.exclude: run_as_denied,anonymous_access_denied,realm_authentication_failed,access_denied,connection_denied
xpack.security.audit.index.events.include: authentication_failed,access_granted,tampered_request,connection_granted,run_as_granted
xpack.security.audit.index.flush_interval: 180s
xpack.security.audit.index.rollover: hourly
xpack.security.audit.index.settings.index.number_of_replicas: 1
xpack.security.audit.index.settings.index.number_of_shards: 10
```
|Configuration item|Default value|Description|
|---|---|---|
|xpack.security.audit.index.bulk_size|5000|Specifies the maximum number of auditing events that are written to an auditing log index in one batch.|
|xpack.security.audit.index.flush_interval|180s|Specifies how often buffered auditing events are flushed to the index.|
|xpack.security.audit.index.rollover|hourly|Specifies how often a new auditing log index is created. Valid values: hourly, daily, weekly, and monthly.|
|xpack.security.audit.index.events.include|authentication_failed, access_granted, tampered_request, connection_granted, run_as_granted|Specifies the types of auditing events to be indexed. For more information about the auditing event types, see Audit Event Types.|
|xpack.security.audit.index.events.exclude|run_as_denied, anonymous_access_denied, realm_authentication_failed, access_denied, connection_denied|Specifies the types of auditing events to be excluded from indexing. An event type that appears in both the include and the exclude list is a configuration mistake; list it in only one of them.|
|xpack.security.audit.index.events.emit_request_body|false|Specifies whether to include the body of REST requests in specific events, such as authentication_failed. Notice: If an auditing event contains the request body, sensitive data in that body (for example, credentials sent in plaintext) may be exposed. Keep this set to false unless you need the bodies.|
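As an added example (not Alibaba Cloud or Elasticsearch code), the following Python script lints an elasticsearch.yml fragment written in the dotted form shown above: it parses the `key: value` lines, checks that the include and exclude lists only name known event types and do not overlap, flags `emit_request_body: true` for the reason given in the table, and warns when denial or failure events are dropped. Both configurations in the script are constructed for the example: the weak one is the page's list with two deliberate mistakes added, the hardened one is the corrected form. The set of known event types and the validation rules for `rollover`, `flush_interval` and `bulk_size` are assumptions based on Elasticsearch 6.x.

```python
import re

# Event types named on this page (Elasticsearch 6.x audit trail); extend for your version.
KNOWN_EVENTS = {
    "access_denied", "access_granted", "anonymous_access_denied",
    "authentication_failed", "connection_denied", "connection_granted",
    "realm_authentication_failed", "run_as_denied", "run_as_granted",
    "tampered_request",
}
DENIAL_EVENTS = {e for e in KNOWN_EVENTS if e.endswith(("_denied", "_failed"))}
ROLLOVER_VALUES = {"hourly", "daily", "weekly", "monthly"}
PREFIX = "xpack.security.audit.index."

# Constructed sample, not a real cluster's file: the page's configuration with two
# deliberate mistakes (access_denied in both event lists, request bodies switched on).
WEAK_CONFIG = """\
xpack.security.audit.index.bulk_size: 5000
xpack.security.audit.index.events.emit_request_body: true
xpack.security.audit.index.events.exclude: run_as_denied,anonymous_access_denied,realm_authentication_failed,access_denied,connection_denied
xpack.security.audit.index.events.include: authentication_failed,access_granted,access_denied,tampered_request,connection_granted,run_as_granted
xpack.security.audit.index.flush_interval: 180s
xpack.security.audit.index.rollover: hourly
"""

# Corrected form (also constructed): bodies off, every denial/failure event kept, nothing excluded.
HARDENED_CONFIG = """\
xpack.security.audit.index.events.emit_request_body: false
xpack.security.audit.index.events.include: access_denied,access_granted,anonymous_access_denied,authentication_failed,connection_denied,connection_granted,realm_authentication_failed,run_as_denied,run_as_granted,tampered_request
xpack.security.audit.index.flush_interval: 180s
xpack.security.audit.index.rollover: hourly
"""


def parse_flat_yaml(text):
    """Parse dotted `key: value` lines (one setting per line, as on this page).

    Comments and blank lines are skipped; nested YAML blocks are not supported.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def event_list(settings, name):
    """The comma-separated list in events.<name>, as a set (empty if unset)."""
    value = settings.get(f"{PREFIX}events.{name}", "")
    return {e.strip() for e in value.split(",") if e.strip()}


def lint_audit_settings(settings):
    """Return (severity, code, message) findings; an empty list means nothing to fix."""
    findings = []
    include, exclude = event_list(settings, "include"), event_list(settings, "exclude")

    for name, events in (("include", include), ("exclude", exclude)):
        unknown = sorted(events - KNOWN_EVENTS)
        if unknown:
            findings.append(("error", "unknown_event", f"events.{name} names unknown event type(s) {unknown}"))

    overlap = sorted(include & exclude)
    if overlap:
        findings.append(("error", "overlap", f"{overlap} appear in both events.include and events.exclude; remove them from one list"))

    # The page's own warning: request bodies can carry plaintext secrets into the index.
    if settings.get(f"{PREFIX}events.emit_request_body", "false").lower() == "true":
        findings.append(("warning", "request_body", "events.emit_request_body is true; request bodies, including any plaintext secrets, are indexed"))

    # Denied/failed events are what an investigation needs most; flag lists that drop them.
    dropped = sorted((DENIAL_EVENTS & exclude) | ((DENIAL_EVENTS - include) if include else set()))
    if dropped:
        findings.append(("warning", "denials_dropped", f"denial/failure events that will not be indexed: {dropped}"))

    rollover = settings.get(f"{PREFIX}rollover")
    if rollover is not None and rollover not in ROLLOVER_VALUES:
        findings.append(("error", "bad_rollover", f"rollover must be one of {sorted(ROLLOVER_VALUES)}, got {rollover!r}"))

    flush = settings.get(f"{PREFIX}flush_interval")
    if flush is not None and not re.fullmatch(r"\d+(ms|s|m|h)", flush):
        findings.append(("error", "bad_flush_interval", f"flush_interval must be a duration such as 180s, got {flush!r}"))

    bulk = settings.get(f"{PREFIX}bulk_size")
    if bulk is not None and (not bulk.isdigit() or int(bulk) < 1):
        findings.append(("error", "bad_bulk_size", f"bulk_size must be a positive integer, got {bulk!r}"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, code, message in lint_audit_settings(parse_flat_yaml(text)) or [("ok", "-", "no findings")]:
            print(f"{severity:8} {code:18} {message}")
```

Run the script against your own fragment by replacing the constructed strings; anything reported as `error` will either be rejected by the node or silently index less than you intend, and the `request_body` warning is the one to resolve before the first audit index is created, because bodies already written cannot be redacted afterwards.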
- After audit log indexing is enabled, auditing events are saved to your cluster in indexes whose names start with .security_audit_log-. These indexes consume the storage space of your cluster, and Elasticsearch does not clear expired auditing log indexes automatically. You must delete expired auditing log indexes yourself, for example on a schedule that matches your retention requirement.
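Because expired auditing log indexes are not cleared automatically, the following Python script (an added example, not part of this page or of Alibaba Cloud's tooling) works out which .security_audit_log-* indexes are safe to delete for a given retention period and emits one explicit DELETE per index. It assumes the name suffix that the hourly and daily rollover settings produce in Elasticsearch 6.x (yyyy.MM.dd-HH and yyyy.MM.dd); verify this against `GET _cat/indices/.security_audit_log-*` on your cluster before using it, and note that weekly and monthly suffixes are not handled. The index list, the cluster URL and the clock in the script are constructed sample data.

```python
import re
from datetime import datetime, timedelta

AUDIT_PREFIX = ".security_audit_log-"

# Assumed rollover suffixes of the index audit output (Elasticsearch 6.x): hourly
# indexes end in yyyy.MM.dd-HH, daily ones in yyyy.MM.dd. Weekly/monthly are not handled.
SUFFIX_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})(?:-(\d{2}))?$")

# Constructed sample of `GET _cat/indices?h=index` output, not taken from a real cluster.
SAMPLE_CAT_INDICES = """\
.security
.security_audit_log-2020.02.28
.security_audit_log-2020.03.01-09
.security_audit_log-2020.03.01-10
.security_audit_log-2020.03.01-11
.security_audit_log-not-a-date
logs-2020.03.01
"""

# Fixed clock so the example is reproducible; use datetime.utcnow() for real runs.
NOW = datetime(2020, 3, 1, 12, 30)


def audit_index_period(name):
    """Return (start, end) of the period an audit index covers, or None for any other index."""
    if not name.startswith(AUDIT_PREFIX):
        return None
    m = SUFFIX_RE.match(name[len(AUDIT_PREFIX):])
    if m is None:
        return None  # an audit index we cannot date: never guess, leave it alone
    y, mo, d, h = m.groups()
    try:
        start = datetime(int(y), int(mo), int(d), int(h or 0))
    except ValueError:  # e.g. month 13 or hour 25 in a name that only looks like a date
        return None
    end = start + (timedelta(hours=1) if h is not None else timedelta(days=1))
    return start, end


def expired_audit_indexes(cat_output, now, retention_hours):
    """Names of audit indexes whose whole period ended before now - retention_hours.

    Comparing the period end (not its start) against the cutoff means an index that is
    still receiving events, or only partly outside the retention window, is kept.
    """
    cutoff = now - timedelta(hours=retention_hours)
    expired = []
    for line in cat_output.splitlines():
        fields = line.split()
        if not fields:
            continue
        period = audit_index_period(fields[0])
        if period is not None and period[1] <= cutoff:
            expired.append(fields[0])
    return sorted(expired)


def delete_requests(names, base_url):
    """One explicit DELETE per index.

    Never delete `.security_audit_log-*` with a wildcard: it would also remove the index
    that is currently being written to, and the audit trail of the deletion itself.
    """
    return [f"DELETE {base_url}/{name}" for name in names]


if __name__ == "__main__":
    expired = expired_audit_indexes(SAMPLE_CAT_INDICES, NOW, retention_hours=2)
    for request in delete_requests(expired, "http://es.example:9200"):
        print(request)
```

Feed the script the real `_cat/indices?h=index` output, then issue each printed request with curl (for example `curl -u user -X DELETE 'http://host:9200/.security_audit_log-2020.02.28'`) as a user that is allowed to delete these indexes; review the list before running it, since a DELETE on an audit index is irreversible.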
Use xpack.security.audit.index.settings to configure the indexes in which the auditing events are stored. The following example sets both the number of shards and the number of replicas to 1 for auditing log indexes:

```yaml
xpack.security.audit.index.settings:
  index:
    number_of_shards: 1
    number_of_replicas: 1
```
Set the value to true to enable audit log indexing. After the configuration takes effect, auditing log indexes are created in your Elasticsearch cluster. If you do not customize the index settings, your Elasticsearch cluster creates the indexes with the default settings number_of_shards: 10 and number_of_replicas: 1.
For more information, see Auditing Security Settings.