Audit log storage types

Audit logs can take up quite a bit of space, so the Security plugin offers several options for storage locations.

debug
    Outputs to stdout. Useful for testing and debugging.

internal_opensearch
    Writes to an audit index on the current OpenSearch cluster.

internal_opensearch_data_stream
    Writes to an audit log data stream on the current OpenSearch cluster.

external_opensearch
    Writes to an audit index on a remote OpenSearch cluster.

webhook
    Sends events to an arbitrary HTTP endpoint.

log4j
    Writes the events to a Log4j logger. You can use any Log4j appender, such as SNMP, JDBC, Cassandra, and Kafka.

You configure the output location in opensearch.yml:

    plugins.security.audit.type: <debug|internal_opensearch|internal_opensearch_data_stream|external_opensearch|webhook|log4j>

The internal_opensearch_data_stream, external_opensearch, webhook, and log4j types can be customized with additional configuration options. For more information, see the sections below, beginning with Internal OpenSearch data streams.

Internal OpenSearch data streams

You can configure the internal_opensearch_data_stream type with the following parameters.

plugins.security.audit.config.data_stream.name (String)
    The name of the audit log data stream. Default is opensearch-security-auditlog.

Template settings

plugins.security.audit.config.data_stream.template.manage (Boolean)
    When true, the template for the data stream is managed by OpenSearch. Default is true.

plugins.security.audit.config.data_stream.template.name (String)
    The name of the data stream template. Default is opensearch-security-auditlog.

plugins.security.audit.config.data_stream.template.number_of_replicas (Integer)
    The number of replicas for the data stream. Default is 0.

plugins.security.audit.config.data_stream.template.number_of_shards (Integer)
    The number of shards for the data stream. Default is 1.

External OpenSearch

The external_opensearch storage type requires one or more OpenSearch endpoints with a host/IP address and port. Optionally, provide the index name and a document type.

    plugins.security.audit.type: external_opensearch
    plugins.security.audit.config.http_endpoints: [<endpoints>]
    plugins.security.audit.config.index: <indexname>
    plugins.security.audit.config.type: _doc

The Security plugin uses the OpenSearch REST API to send events, just like any other indexing request. For plugins.security.audit.config.http_endpoints, use a comma-separated list of hosts/IP addresses and the REST port (default 9200).

    plugins.security.audit.config.http_endpoints: ['https://my-opensearch-cluster.company.com:9200', 'http://my-opensearch-cluster.company.com:9200', 'my-opensearch-cluster.company.com:9200', '192.168.178.1:9200', '192.168.178.2:9200']

If you use external_opensearch and the remote cluster also uses the Security plugin, you must supply some additional parameters for authentication. These parameters depend on which authentication type you configured for the remote cluster.

TLS settings

plugins.security.audit.config.enable_ssl (Boolean)
    If you enabled SSL/TLS on the receiving cluster, set to true. Default is false.

plugins.security.audit.config.verify_hostnames (Boolean)
    Whether to verify the hostname of the SSL/TLS certificate of the receiving cluster. Default is true.

plugins.security.audit.config.pemtrustedcas_filepath (String)
    The trusted root certificate of the external OpenSearch cluster, relative to the config directory.

plugins.security.audit.config.pemtrustedcas_content (String)
    Instead of specifying the path (plugins.security.audit.config.pemtrustedcas_filepath), you can configure the Base64-encoded certificate content directly.

plugins.security.audit.config.enable_ssl_client_auth (Boolean)
    Whether to enable SSL/TLS client authentication. If you set this to true, the audit log module sends the node's certificate along with the request. The receiving cluster can use this certificate to verify the identity of the caller.

plugins.security.audit.config.pemcert_filepath (String)
    The path to the TLS certificate to send to the external OpenSearch cluster, relative to the config directory.

plugins.security.audit.config.pemcert_content (String)
    Instead of specifying the path (plugins.security.audit.config.pemcert_filepath), you can configure the Base64-encoded certificate content directly.

plugins.security.audit.config.pemkey_filepath (String)
    The path to the private key of the TLS certificate to send to the external OpenSearch cluster, relative to the config directory.

plugins.security.audit.config.pemkey_content (String)
    Instead of specifying the path (plugins.security.audit.config.pemkey_filepath), you can configure the Base64-encoded key content directly.

plugins.security.audit.config.pemkey_password (String)
    The password of the private key.

Basic auth settings

If you enabled HTTP basic authentication on the receiving cluster, use these settings to specify the username and password:

    plugins.security.audit.config.username: <username>
    plugins.security.audit.config.password: <password>

Webhook

Use the following keys to configure the webhook storage type.

plugins.security.audit.config.webhook.url (String)
    The HTTP or HTTPS URL to send the logs to.

plugins.security.audit.config.webhook.ssl.verify (Boolean)
    If true, the TLS certificate provided by the endpoint (if any) is verified. If set to false, no verification is performed. You can disable this check if you use self-signed certificates.

plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath (String)
    The path to the trusted certificate against which the webhook's TLS certificate is validated.

plugins.security.audit.config.webhook.ssl.pemtrustedcas_content (String)
    Same as plugins.security.audit.config.webhook.ssl.pemtrustedcas_filepath, but you configure the Base64-encoded certificate content directly.

plugins.security.audit.config.webhook.format (String)
    The format in which the audit log message is logged. Can be one of URL_PARAMETER_GET, URL_PARAMETER_POST, TEXT, JSON, SLACK. See Formats.
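Pulling the external_opensearch and webhook transport settings above together, here is an added example (not OpenSearch project code) that reads the flat key: value lines of opensearch.yml and reports settings under which audit events would leave the node unprotected. The sample fragment and its hosts are constructed, and the parser only handles the flat dotted-key form shown on this page.

```python
# Added example (not OpenSearch code): flags audit-log transport settings
# from this page that would expose audit events in transit.
A = "plugins.security.audit."

# Constructed sample opensearch.yml fragment; hosts are placeholders.
SAMPLE_YML = """
plugins.security.audit.type: external_opensearch
plugins.security.audit.config.http_endpoints: ['https://audit.example.internal:9200', 'http://192.168.178.1:9200']
plugins.security.audit.config.enable_ssl: true
plugins.security.audit.config.verify_hostnames: false
plugins.security.audit.config.webhook.url: https://siem.example.internal/audit
plugins.security.audit.config.webhook.ssl.verify: false
plugins.security.audit.config.webhook.format: URL_PARAMETER_GET
"""

def parse_flat_yaml(text):
    """Parse the flat dotted-key subset of opensearch.yml used on this page."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("["):  # inline list, as in the http_endpoints example
            value = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        cfg[key.strip()] = value
    return cfg

def check_audit_transport(cfg):
    """Return findings for whichever sinks are configured (both, in the sample)."""
    get = lambda k, d: str(cfg.get(A + "config." + k, d)).lower()
    f = []
    if cfg.get(A + "config.http_endpoints"):  # external_opensearch sink
        if get("enable_ssl", "false") != "true":
            f.append("enable_ssl=false: events to the external cluster go out in plaintext")
        for ep in cfg[A + "config.http_endpoints"]:
            if ep.startswith("http://"):
                f.append(f"{ep}: endpoint declares a plaintext http:// scheme")
        if get("verify_hostnames", "true") != "true":
            f.append("verify_hostnames=false: receiving cluster's certificate name is unchecked")
    url = cfg.get(A + "config.webhook.url", "")
    if url:  # webhook sink
        if url.startswith("http://"):
            f.append(f"webhook {url}: events go out in plaintext")
        if get("webhook.ssl.verify", "true") == "false":
            f.append("webhook.ssl.verify=false: any certificate is accepted")
        if get("webhook.format", "") == "url_parameter_get":
            f.append("URL_PARAMETER_GET: log data is placed in the URL and lands in access logs")
    return f
```

Running check_audit_transport(parse_flat_yaml(SAMPLE_YML)) yields four findings for the constructed fragment; a webhook-only configuration with an https URL and the JSON format yields none.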

Formats

URL_PARAMETER_GET
    Uses HTTP GET to send logs to the webhook URL. All logged information is appended to the URL as request parameters.

URL_PARAMETER_POST
    Uses HTTP POST to send logs to the webhook URL. All logged information is appended to the URL as request parameters.

TEXT
    Uses HTTP POST to send logs to the webhook URL. The request body contains the audit log message in plain text format.

JSON
    Uses HTTP POST to send logs to the webhook URL. The request body contains the audit log message in JSON format.

SLACK
    Uses HTTP POST to send logs to the webhook URL. The request body contains the audit log message in JSON format suitable for consumption by Slack. The default implementation returns "text": "<AuditMessage#toText>".

Log4j

The log4j storage type lets you specify the name of the logger and the log level.

    plugins.security.audit.config.log4j.logger_name: audit
    plugins.security.audit.config.log4j.level: INFO

By default, the Security plugin uses the logger name audit and logs the events at INFO level. Audit events are stored in JSON format.