[DOCS] Clarifies recommendation for audit index output type (#31146)
lcawl committed Jun 7, 2018
1 parent c0abfe7 commit 8dd75e5
Showing 4 changed files with 9 additions and 12 deletions.
1 change: 0 additions & 1 deletion x-pack/docs/en/security/auditing/event-types.asciidoc
@@ -1,5 +1,4 @@
[role="xpack"]
[float]
[[audit-event-types]]
=== Audit event types

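Review bot: the hunk header shrinks from 5 lines to 4 and the file summary reports 0 additions and 1 deletion, but the rendered view does not mark which of the five visible lines (`[role="xpack"]`, `[float]`, `[[audit-event-types]]`, `=== Audit event types`, blank) was dropped. The same one-line deletion is applied to output-index.asciidoc and output-logfile.asciidoc, while the commit message only describes the wording change in overview.asciidoc; suggest adding a line to the commit message stating why the section header of these three pages changes, so the header edits are traceable on their own.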
6 changes: 5 additions & 1 deletion x-pack/docs/en/security/auditing/output-index.asciidoc
@@ -1,5 +1,4 @@
[role="xpack"]
[float]
[[audit-index]]
=== Index audit output

@@ -36,3 +35,8 @@ xpack.security.audit.index.settings:
number_of_shards: 1
number_of_replicas: 1
----------------------------

NOTE: Audit events are batched for indexing so there is a lag before
events appear in the index. You can control how frequently batches of
events are pushed to the index by setting
`xpack.security.audit.index.flush_interval` in `elasticsearch.yml`.
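Review bot: the added NOTE names `xpack.security.audit.index.flush_interval` but gives neither its default nor the unit the value takes, so a reader who wants to bound the indexing lag has to leave the page; suggest stating the default next to the setting name (`defaults to <actual value>`). Since this NOTE is moved here from overview.asciidoc, also confirm that the overview still sends readers to this page for index-output details, otherwise the lag caveat disappears from the overview entirely.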
1 change: 0 additions & 1 deletion x-pack/docs/en/security/auditing/output-logfile.asciidoc
@@ -1,5 +1,4 @@
[role="xpack"]
[float]
[[audit-log-output]]
=== Logfile audit output

13 changes: 4 additions & 9 deletions x-pack/docs/en/security/auditing/overview.asciidoc
@@ -29,12 +29,7 @@ indexing by setting `xpack.security.audit.outputs` in `elasticsearch.yml`:
xpack.security.audit.outputs: [ index, logfile ]
----------------------------

The `index` output type should be used in conjunction with the `logfile`
output type Because it is possible for the `index` output type to lose
messages if the target index is unavailable, the `access.log` should be
used as the official record of events.

NOTE: Audit events are batched for indexing so there is a lag before
events appear in the index. You can control how frequently batches of
events are pushed to the index by setting
`xpack.security.audit.index.flush_interval` in `elasticsearch.yml`.
TIP: If you choose to enable the `index` output type, we strongly recommend that
you still use the `logfile` output as the official record of events. If the
target index is unavailable (for example, during a rolling upgrade), the `index`
output can lose messages.

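Review bot: the removed paragraph named the concrete artifact (`access.log`) that should be treated as the official record, while the new TIP only says "the `logfile` output"; if the file name is still accurate, keep it in the TIP so an operator knows exactly which file to retain and monitor. The TIP also warns that the `index` output can lose messages without linking to the index output page, even though that page carries the `[[audit-index]]` anchor and now holds the flush-interval NOTE removed from this hunk; a `<<audit-index>>` cross-reference would keep the lag caveat reachable from the overview. Incidentally, dropping the old sentence fixes the run-on "output type Because it is possible", which was missing a period.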