INDEX_EVENT flooding audit logs

Just switched over to OpenSearch 1.3.4 from Elasticsearch and we’re getting a lot of INDEX_EVENT entries in our audit logs. They are rapidly filling up our disk, as each entry contains every index name and we are getting thousands of these per hour.

Just wondering what this means, and how we can disable it?

    "audit_trace_task_parent_id": "n83eN-39Q_uiA10rV_Ct6w:269975",
    "audit_cluster_name": "opensearch",
    "audit_transport_headers": {
      "_opendistro_security_remote_address_header": /random string/,
      "_opendistro_security_initial_action_class_header": "GetAliasesRequest",
      "_opendistro_security_origin_header": "REST",
      "_opendistro_security_user_header": /random string/,
      "_opendistro_security_remotecn": "opensearch"
    "audit_node_name": "node5",
    "audit_trace_task_id": "3CxQH-mXTYSY0isyQBocRQ:1345439",
    "audit_transport_request_type": "GetAliasesRequest",
    "audit_category": "INDEX_EVENT",
    "audit_request_origin": "REST",
    "audit_node_id": "3CxQH-mXTYSY0isyQBocRQ",
    "audit_request_layer": "TRANSPORT",
    "@timestamp": "2022-08-19T10:25:49.591+00:00",
    "audit_format_version": 4,
    "audit_request_remote_address": "",
    "audit_request_privilege": "indices:admin/aliases/get",
    "audit_node_host_address": "",
    "audit_request_effective_user": "admin",
    "audit_trace_resolved_indices": [
    "audit_node_host_name": "node5.xx.xx.xx"

I tried setting INDEX_EVENT but this resulted in an error:

    org.opensearch.bootstrap.StartupException: java.lang.IllegalArgumentException: unknown setting [] did you mean []?

So I tried setting:

    opendistro_security.audit.config.disabled_transport_categories: INDEX_EVENT
    opendistro_security.audit.config.disabled_rest_categories: INDEX_EVENT

which did not result in an error, but neither of these worked.

What are these events, and any ideas on how I can suppress these? The documentation at Audit logs - OpenSearch documentation makes no mention of INDEX_EVENT types.
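An added example (not part of the original post or of OpenSearch itself) that quantifies the problem described above before and after a configuration change: it parses newline-delimited audit-log JSON, counts records per `audit_category`, shows which privileges drive the INDEX_EVENT volume, and measures how many resolved index names each INDEX_EVENT record carries (the size driver the post mentions). The sample log lines are constructed for the example; the field names follow the record shown in the post, and the privilege strings other than `indices:admin/aliases/get` are assumed values.

```python
import json
from collections import Counter

# Constructed sample records (not taken from the post). Field names mirror the
# OpenSearch security plugin audit format; values are made up for the example.
_SAMPLE_RECORDS = [
    {"@timestamp": "2022-08-19T10:25:49.591+00:00", "audit_category": "INDEX_EVENT",
     "audit_request_layer": "TRANSPORT", "audit_request_privilege": "indices:admin/aliases/get",
     "audit_transport_request_type": "GetAliasesRequest", "audit_request_effective_user": "admin",
     "audit_trace_resolved_indices": ["logs-2022.08.17", "logs-2022.08.18", "logs-2022.08.19"]},
    {"@timestamp": "2022-08-19T10:25:50.102+00:00", "audit_category": "INDEX_EVENT",
     "audit_request_layer": "TRANSPORT", "audit_request_privilege": "indices:admin/mappings/get",
     "audit_transport_request_type": "GetMappingsRequest", "audit_request_effective_user": "admin",
     "audit_trace_resolved_indices": ["a-1", "a-2", "a-3", "a-4", "a-5"]},
    {"@timestamp": "2022-08-19T10:25:51.007+00:00", "audit_category": "INDEX_EVENT",
     "audit_request_layer": "TRANSPORT", "audit_request_privilege": "indices:admin/aliases/get",
     "audit_transport_request_type": "GetAliasesRequest", "audit_request_effective_user": "admin",
     "audit_trace_resolved_indices": ["metrics-001"]},
    {"@timestamp": "2022-08-19T10:25:52.310+00:00", "audit_category": "GRANTED_PRIVILEGES",
     "audit_request_layer": "TRANSPORT", "audit_request_privilege": "cluster:monitor/health",
     "audit_request_effective_user": "admin"},
    {"@timestamp": "2022-08-19T10:25:53.990+00:00", "audit_category": "FAILED_LOGIN",
     "audit_request_layer": "REST", "audit_request_effective_user": "bob"},
]
# One deliberately malformed line is appended to show that the parser skips it.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in _SAMPLE_RECORDS) + "\n{truncated line\n"


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records; blank or non-JSON lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def category_counts(records):
    """Number of records per audit_category."""
    return dict(Counter(r.get("audit_category", "UNKNOWN") for r in records))


def index_event_share(records):
    """Fraction of all records that are INDEX_EVENT (0.0 for an empty log)."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if r.get("audit_category") == "INDEX_EVENT")
    return hits / len(records)


def index_event_breakdown(records):
    """Which request privileges generate the INDEX_EVENT records."""
    return dict(Counter(
        r.get("audit_request_privilege", "UNKNOWN")
        for r in records if r.get("audit_category") == "INDEX_EVENT"
    ))


def avg_resolved_indices(records):
    """Average length of audit_trace_resolved_indices across INDEX_EVENT records.

    This list is what makes each INDEX_EVENT record large: a request that
    touches many indices carries every resolved index name in the audit entry.
    """
    lengths = [len(r.get("audit_trace_resolved_indices", []))
               for r in records if r.get("audit_category") == "INDEX_EVENT"]
    return sum(lengths) / len(lengths) if lengths else 0.0


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("records parsed:", len(recs))
    print("per category:", category_counts(recs))
    print("INDEX_EVENT share: %.0f%%" % (100 * index_event_share(recs)))
    print("INDEX_EVENT by privilege:", index_event_breakdown(recs))
    print("avg resolved indices per INDEX_EVENT:", avg_resolved_indices(recs))
```

Run it against a real audit log with `parse_audit_log(open(path).read())`; rerunning after a configuration change gives a quick check of whether the INDEX_EVENT share actually dropped, rather than relying on the absence of a startup error.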

@jong Could you share your opensearch.yml file?

I think I’ve managed to disable it through the UI at /app/security-dashboards-plugin#/auditLogging
I wasn’t aware it was configurable in there.

Looks to me like something isn’t quite right with the documentation and the example configs here.

Suggests it should be a string:

Suggests it should be an array:

And those options are not actually accepted by OpenSearch anyway, as above, at least in 1.3.4.