Forwarding audit logs to a remote cluster

When you are auditing security events, you can optionally store the logs in an Elasticsearch index on a remote cluster. The logs are sent to the remote cluster by using the transport client.

  1. Configure auditing such that the logs are stored in Elasticsearch rolling indices. See Index audit output.
  2. Establish a connection to the remote cluster by configuring the following xpack.security.audit.index.client settings:

    xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 
    xpack.security.audit.index.client.cluster.name: logging-prod 
    xpack.security.audit.index.client.xpack.security.user: myuser:mypassword 

    A list of hosts in the remote cluster. If you are not using the default value for the transport.tcp.port setting on the remote cluster, you must specify the appropriate port number (prefixed by a colon) after each host.

    The remote cluster name.

    A valid user and password, which must have authority to create the .security-audit index on the remote cluster.

    For more information about these settings, see Remote audit log indexing configuration settings.

  3. If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you must specify extra security settings:

    1. Generate a node certificate on the remote cluster, then copy that certificate to the client.
    2. Enable TLS and specify the information required to access the node certificate.

      • If the signed certificate is in PKCS#12 format, add the following information to the elasticsearch.yml file:

        xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
        xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12
        xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12

        For more information about these settings, see Auditing TLS settings.

      • If the certificate is in PEM format, add the following information to the elasticsearch.yml file:

        xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
        xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key
        xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt
        xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ]

        For more information about these settings, see Auditing TLS settings.

    3. If you secured the certificate with a password, add the password to your Elasticsearch keystore:

      • If the signed certificate is in PKCS#12 format, use the following commands:

        bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password
        
        bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
      • If the certificate is in PEM format, use the following commands:

        bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
  4. Restart Elasticsearch.

When these steps are complete, your audit logs are stored in Elasticsearch rolling indices on the remote cluster.