This topic describes how to enable the audit log indexing feature for your Alibaba Cloud Elasticsearch cluster, view the auditing event log file, and configure the related parameters.

Enable audit log indexing

Note The audit log indexing feature is unavailable for Elasticsearch V7.4.0 clusters.
By default, Elasticsearch does not allow you to view the auditing event log file that contains request information. If you want to view the log file, you must log on to the Elasticsearch console and enable the audit log indexing feature for your Elasticsearch cluster. After the audit log indexing feature is enabled, auditing events are saved to your cluster and added to the index that has the prefix .security_audit_log-*.

Configure audit log indexing

After the audit log indexing feature is enabled, you can customize the configuration of this feature. The sample code is as follows:
xpack.security.audit.index.bulk_size: 5000
xpack.security.audit.index.events.emit_request_body: false
xpack.security.audit.index.events.exclude: run_as_denied,anonymous_access_denied,realm_authentication_failed,access_denied,connection_denied
xpack.security.audit.index.events.include: authentication_failed,access_granted,tampered_request,connection_granted,run_as_granted
xpack.security.audit.index.flush_interval: 180s
xpack.security.audit.index.rollover: hourly
xpack.security.audit.index.settings.index.number_of_replicas: 1
xpack.security.audit.index.settings.index.number_of_shards: 10
The configuration items, their default values, and their descriptions are as follows:

xpack.security.audit.index.bulk_size
  Default value: 1000
  Description: Specifies the number of auditing events that are written to the auditing log index in each batch.

xpack.security.audit.index.flush_interval
  Default value: 1s
  Description: Specifies how often buffered auditing events are flushed to the index.

xpack.security.audit.index.rollover
  Default value: daily
  Description: Specifies how often a new index is rolled over to. Valid values: hourly, daily, weekly, and monthly.

xpack.security.audit.index.events.include
  Default value: access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted
  Description: Specifies the types of auditing events to be included in indexing. For more information about the auditing event types, see Audit Event Types.

xpack.security.audit.index.events.exclude
  Default value: null, which indicates that no auditing event type is excluded
  Description: Specifies the types of auditing events to be excluded from indexing.

xpack.security.audit.index.events.emit_request_body
  Default value: false
  Description: Specifies whether to include the body of REST requests for specific events, such as authentication_failed.
Notice
  • If an auditing event contains the request body, sensitive data may be exposed in plaintext in the auditing log index.
  • After the audit log indexing feature is enabled, auditing events are saved to your cluster and added to the index that has prefix .security_audit_log-*. This index consumes the storage space of your cluster. Elasticsearch does not automatically clear expired indexes. You must manually clear expired auditing log indexes.
You can also use xpack.security.audit.index.settings to configure the indexes in which the auditing events are stored. The following example shows you how to set both the number of shards and the number of replicas to 1 for auditing log indexes.
xpack.security.audit.index.settings:
  index:
    number_of_shards: 1
    number_of_replicas: 1
Note If you want to configure custom values for auditing log indexes, add the preceding settings to the YML configuration after you set xpack.security.audit.enabled to true to enable audit log indexing. After the configuration takes effect, auditing log indexes are created in your Elasticsearch cluster. If you do not customize the configuration, your Elasticsearch cluster uses default settings number_of_shards: 5 and number_of_replicas: 1 to create the indexes.
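A small linter for the flat dotted settings shown in the first sample above, added here as an example rather than code from Alibaba Cloud or Elasticsearch. It computes the effective event set as the include list (or the table's defaults) minus the exclude list, and flags the two points a reviewer cares about: request bodies being indexed in plaintext, and denial events dropped from the index. The nested xpack.security.audit.index.settings form is not parsed; the event names and rollover values come from the table above.

```python
PREFIX = "xpack.security.audit.index."
# Default event types and valid rollover values, as listed in the table above.
DEFAULT_EVENTS = {"access_denied", "access_granted", "anonymous_access_denied",
                  "authentication_failed", "connection_denied", "tampered_request",
                  "run_as_denied", "run_as_granted"}
VALID_ROLLOVER = {"hourly", "daily", "weekly", "monthly"}
# Events that record refused or failed access; a defender normally wants these kept.
DENIAL_EVENTS = {"access_denied", "anonymous_access_denied", "authentication_failed",
                 "connection_denied", "run_as_denied", "tampered_request"}

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines (the format of the sample above) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def effective_events(settings):
    """Event types that will be indexed: include list (or the defaults) minus exclude list."""
    include = _csv(settings.get(PREFIX + "events.include", "")) or DEFAULT_EVENTS
    return include - _csv(settings.get(PREFIX + "events.exclude", ""))

def lint(text):
    """Return the findings a reviewer of the audit index settings would raise."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get(PREFIX + "events.emit_request_body", "false").lower() == "true":
        findings.append("request bodies are indexed: sensitive data may be stored in plaintext")
    rollover = s.get(PREFIX + "rollover", "daily")
    if rollover not in VALID_ROLLOVER:
        findings.append(f"invalid rollover value {rollover!r}; valid: {sorted(VALID_ROLLOVER)}")
    dropped = DENIAL_EVENTS - effective_events(s)
    if dropped:
        findings.append("denial events not indexed: " + ", ".join(sorted(dropped)))
    return findings

# Constructed input: the include/exclude lines of this page's sample configuration.
SAMPLE = """
xpack.security.audit.index.events.emit_request_body: false
xpack.security.audit.index.events.exclude: run_as_denied,anonymous_access_denied,realm_authentication_failed,access_denied,connection_denied
xpack.security.audit.index.events.include: authentication_failed,access_granted,tampered_request,connection_granted,run_as_granted
xpack.security.audit.index.rollover: hourly
"""
```

Running lint(SAMPLE) reports that access_denied, anonymous_access_denied, connection_denied and run_as_denied are excluded by the sample, which is worth a second look before that configuration is applied to a production cluster.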

For more information, see Auditing Security Settings.