Audit log configuration not applying

Versions (relevant - OpenSearch):

v2.7.0

Describe the issue:

When applying audit log settings, they do not take effect. See screenshot of the configuration not being applied. It's also worth pointing out I removed the ignore_users setting as it was throwing an error.

plugins.security.audit.config.ignore_users:
  - kibanaserver
  - filebeat

The workaround is to use the UI to configure; however, this is not efficient for us as it's an additional step following installation, and every time we re-apply our code for configuration updates the configuration gets removed and requires re-applying via the UI.

Any help would be really appreciated to get this fixed.

Configuration:

plugins.security.audit.config.index: "security-auditlog-'YYYY.MM.dd'"
plugins.security.audit.type: internal_opensearch
plugins.security.allow_unsafe_democertificates: false
plugins.security.allow_default_init_securityindex: false
plugins.security.audit.config.enable_rest: true
plugins.security.audit.config.enable_transport: true
plugins.security.audit.config.log_request_body: true
plugins.security.audit.config.resolve_indices: true
plugins.security.audit.config.disabled_rest_categories: NONE
plugins.security.audit.config.disabled_transport_categories: NONE

Relevant Logs or Screenshots:

@jamie.stewart I did some testing with just plugins.security.audit.config.enable_rest. I’ve set it to false and tried to disable audit logging at REST.

It didn’t work in 2.7, 1.0.0 and OpenDistro 1.13.2. 1.9.0 (opendistro_security.audit.enable_rest). It looks like this never worked.
I was able to disable auditing REST with UI only.

There is already a bug reported in the OpenSearch Security plugin.

Thanks for the info.