Forwarding audit logs to a remote cluster
editForwarding audit logs to a remote cluster
editForwarding audit logs is a feature of the index audit output type which
is deprecated in 6.7.0 and will be removed in 7.0. All settings under the
xpack.security.audit.index
namespace are deprecated.
When you are auditing security events, you can optionally store the logs in an Elasticsearch index on a remote cluster. The logs are sent to the remote cluster by using the transport client.
- Configure auditing such that the logs are stored in Elasticsearch rolling indices. See Index audit output.
-
Establish a connection to the remote cluster by configuring the following
xpack.security.audit.index.client
settings:xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 xpack.security.audit.index.client.cluster.name: logging-prod xpack.security.audit.index.client.xpack.security.user: myuser:mypassword
A list of hosts in the remote cluster. If you are not using the default value for the
transport.port
setting on the remote cluster, you must specify the appropriate port number (prefixed by a colon) after each host.The remote cluster name.
A valid user and password, which must have authority to create the
.security-audit
index on the remote cluster.For more information about these settings, see Remote audit log indexing configuration settings.
-
If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you must specify extra security settings:
- Generate a node certificate on the remote cluster, then copy that certificate to the client.
-
Enable TLS and specify the information required to access the node certificate.
-
If the signed certificate is in PKCS#12 format, add the following information to the
elasticsearch.yml
file:xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12 xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12
For more information about these settings, see Auditing TLS settings.
-
If the certificate is in PEM format, add the following information to the
elasticsearch.yml
file:xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]
For more information about these settings, see Auditing TLS settings.
-
-
If you secured the certificate with a password, add the password to your Elasticsearch keystore:
-
If the signed certificate is in PKCS#12 format, use the following commands:
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
-
If the certificate is in PEM format, use the following commands:
bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
-
- Restart Elasticsearch.
When these steps are complete, your audit logs are stored in Elasticsearch rolling indices on the remote cluster.