Audit logs

    To enable audit logging:

    1. Restart each node.

    After this initial setup, you can use OpenSearch Dashboards to manage your audit log categories and other settings. In OpenSearch Dashboards, choose Security, Audit logs.
    Audit logging records events in two ways: HTTP requests (REST) and the transport layer.

    These default log settings work well for most use cases, but you can change settings to save storage space or adapt the information to your exact needs.

    Exclude categories

    To exclude categories, set:

        plugins.security.audit.config.disabled_rest_categories: <disabled categories>
        plugins.security.audit.config.disabled_transport_categories: <disabled categories>

    For example:

        plugins.security.audit.config.disabled_rest_categories: AUTHENTICATED, OPENSEARCH_SECURITY_INDEX_ATTEMPT
        plugins.security.audit.config.disabled_transport_categories: GRANTED_PRIVILEGES

    If you want to log events in all categories, use NONE:

        plugins.security.audit.config.disabled_transport_categories: NONE

    Disable REST or the transport layer

    By default, the Security plugin logs events on both REST and the transport layer. You can disable either type:

        plugins.security.audit.enable_rest: false
        plugins.security.audit.enable_transport: false

    By default, the Security plugin includes the body of the request (if available) for both REST and the transport layer. If you do not want or need the request body, you can disable it:

        plugins.security.audit.log_request_body: false

    Log index names

    By default, the Security plugin logs all indices affected by a request. Because index names can be aliases and contain wildcards/date patterns, the Security plugin logs the index name that the user submitted and the actual index name to which it resolves.

    For example, if you use an alias or a wildcard, the audit event might look like:

        audit_trace_indices: [
        ],
        audit_trace_resolved_indices: [
          "humanresources"
        ]

    You can disable this feature by setting:

        plugins.security.audit.resolve_indices: false

    Disabling this feature only takes effect if plugins.security.audit.log_request_body is also set to false.

    Configure bulk request handling

    Bulk requests can contain many indexing operations. By default, the Security plugin only logs the single bulk request, not each individual operation.

    Logging each individual operation can create a massive number of events in the audit logs, so we don't recommend turning it on if you make heavy use of the _bulk API.

    You can exclude certain requests from being logged completely by configuring actions (for transport requests), HTTP request paths (REST), or both:

        plugins.security.audit.ignore_requests: ["indices:data/read/*", "SearchRequest"]

    Exclude users

    By default, the Security plugin logs events from all users but excludes the internal OpenSearch Dashboards server user, kibanaserver. You can exclude other users by listing them in plugins.security.audit.ignore_users.

    If requests from all users should be logged, use NONE:

        plugins.security.audit.ignore_users: NONE
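    As an added example that is not part of this documentation, the following Python models how the exclusion settings described above (disabled categories per layer, enable_rest/enable_transport, ignore_users and ignore_requests) combine, using the page's own example values, so you can see which events a tuning configuration would silence before applying it. The function names, the sample events and the categories not listed on this page are assumptions, and the fnmatch wildcard matching only approximates the plugin's own matcher.

```python
from fnmatch import fnmatchcase

# Categories a defender normally keeps enabled when tuning for volume. The four not on this
# page are real plugin categories (assumption: current names); the set itself is a policy choice.
CRITICAL_CATEGORIES = {"FAILED_LOGIN", "MISSING_PRIVILEGES", "BAD_HEADERS",
                       "SSL_EXCEPTION", "OPENSEARCH_SECURITY_INDEX_ATTEMPT"}
PREFIX = "plugins.security.audit."

def _as_list(value):
    """Normalise a setting written as NONE, a single string or a list into a list."""
    if value is None or value == "NONE":
        return []
    return [value] if isinstance(value, str) else list(value)

def _disabled(settings, layer):
    return {c.upper() for c in _as_list(settings.get(f"{PREFIX}config.disabled_{layer}_categories"))}

def critical_categories_disabled(settings):
    """Critical categories these settings would silence on either layer."""
    return sorted(CRITICAL_CATEGORIES & (_disabled(settings, "rest") | _disabled(settings, "transport")))

def would_log(settings, event):
    """Model of this page's exclusion settings; wildcards use fnmatch as an approximation of the
    plugin's matcher, and event['request'] is a REST path or a transport action name."""
    layer = event["layer"]  # "rest" or "transport"
    if settings.get(f"{PREFIX}enable_{layer}", True) is False:
        return False
    if event["category"].upper() in _disabled(settings, layer):
        return False
    if any(fnmatchcase(event["user"], p) for p in _as_list(settings.get(f"{PREFIX}ignore_users"))):
        return False
    if any(fnmatchcase(event["request"], p) for p in _as_list(settings.get(f"{PREFIX}ignore_requests"))):
        return False
    return True

# Constructed sample settings (the page's example values) and events; not real cluster data.
SETTINGS = {
    f"{PREFIX}config.disabled_rest_categories": ["AUTHENTICATED", "OPENSEARCH_SECURITY_INDEX_ATTEMPT"],
    f"{PREFIX}config.disabled_transport_categories": "GRANTED_PRIVILEGES",
    f"{PREFIX}ignore_requests": ["indices:data/read/*", "SearchRequest"],
    f"{PREFIX}ignore_users": ["kibanaserver"],
}
EVENTS = [
    {"layer": "rest", "category": "AUTHENTICATED", "user": "alice", "request": "/_search"},
    {"layer": "rest", "category": "FAILED_LOGIN", "user": "alice", "request": "/_search"},
    {"layer": "transport", "category": "MISSING_PRIVILEGES", "user": "bob", "request": "indices:data/read/get"},
    {"layer": "transport", "category": "MISSING_PRIVILEGES", "user": "kibanaserver", "request": "indices:admin/create"},
]

def kept_events(settings=SETTINGS, events=EVENTS):
    # Note that ignore_requests drops the MISSING_PRIVILEGES event on a read action too.
    return [e for e in events if would_log(settings, e)]
```

    With the page's example values only the FAILED_LOGIN event survives, and the check reports OPENSEARCH_SECURITY_INDEX_ATTEMPT as a silenced critical category; adjust CRITICAL_CATEGORIES to your own policy.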

    Configure the audit log index name

    By default, the Security plugin stores audit events in a daily rolling index named auditlog-YYYY.MM.dd. You can configure the name of the index in opensearch.yml:

        plugins.security.audit.config.index: myauditlogindex

    Use a date pattern in the index name to configure daily, weekly, or monthly rolling indices:

        plugins.security.audit.config.index: "'auditlog-'YYYY.MM.dd"

    For a reference on the date pattern format, see the .

    The Security plugin logs events asynchronously, which keeps the performance impact on your cluster minimal. The plugin uses a fixed thread pool to log events. You can define the number of threads in the pool in opensearch.yml: