Merged
Changes from 13 commits
25 changes: 23 additions & 2 deletions _security/audit-logs/storage-types.md
Expand Up @@ -16,17 +16,38 @@
:--- | :---
debug | Outputs to stdout. Useful for testing and debugging.
internal_opensearch | Writes to an audit index on the current OpenSearch cluster.
internal_opensearch_data_stream | Writes to an audit Data Stream on the current OpenSearch cluster.
external_opensearch | Writes to an audit index on a remote OpenSearch cluster.
webhook | Sends events to an arbitrary HTTP endpoint.
log4j | Writes the events to a Log4j logger. You can use any Log4j [appender](https://logging.apache.org/log4j/2.x/manual/appenders.html), such as SNMP, JDBC, Cassandra, and Kafka.

You configure the output location in `opensearch.yml`:

```
plugins.security.audit.type: <debug|internal_opensearch|external_opensearch|webhook|log4j>
plugins.security.audit.type: <debug|internal_opensearch|internal_opensearch_data_stream|external_opensearch|webhook|log4j>
```

`external_opensearch`, `webhook`, and `log4j` all have additional configuration options. Details follow.
`internal_opensearch_data_stream`, `external_opensearch`, `webhook`, and `log4j` all have additional configuration options. Details follow.


## Internal OpenSearch data streams

You can configure the `internal_opensearch_data_stream` type with the following configuration parameters.

### Basic settings

Name | Data type | Description
:--- | :--- | :---
`plugins.security.audit.config.data_stream.name` | String | The name of the audit log data stream. Default is `opensearch-security-auditlog`.

### Template settings

Name | Data type | Description
:--- | :--- | :---
`plugins.security.audit.config.data_stream.template.manage` | Boolean | If `true`, the template for the data stream is managed by Opensearch. Default is `true`.

`plugins.security.audit.config.data_stream.template.name` | String | The name of the data stream template. Default is `opensearch-security-auditlog`.
`plugins.security.audit.config.data_stream.template.number_of_replicas` | Integer | The number of replicas for the data stream. Default is `0`.
`plugins.security.audit.config.data_stream.template.number_of_shards` | Integer | The number of shards for the data stream. Default is `1`.


## External OpenSearch
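Review bot: the `plugins.security.audit.config.data_stream.template.manage` row spells the product "Opensearch" ("is managed by Opensearch"); use "OpenSearch" to match the rest of the page. While editing that row, the description should also say what the operator is expected to do when the setting is `false` (the template is then not created by the plugin, so the reader needs to know the template must already exist under the configured `template.name`). Separately, the `number_of_replicas` default of `0` deserves a short caveat in the table: with no replica, the audit log data stream lives on a single primary shard, so losing that node loses the security audit trail, and deployments that rely on audit records for incident investigation should raise the replica count.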