I have a strange misconfiguration between our clusters. We have 5 ES clusters. 2 of them get their audit configuration from elasticsearch.yml. On these I can’t turn on audit logging from Kibana and the endpoint _opendistro/_security/api/audit is NOT IMPLEMENTED. The other 3 ignore audit settings elasticsearch.yml and get their configuration from index.
I actually want them to get their configuration from elasticsearch.yml.
Is there some way to disable the dynamic/hot audit configuration and use the config from elasticsearch.yml? Would it work if I somehow deleted the audit type from .opendistro_security?
@jshrue, can you show what configuration is being read from elasticsearch.yml? To the best of my knowledge, audit log configuration was moved to the Kibana UI from 1.11.0.
What really happened was I was struggling with my newer ES clusters, where the audit logs would begin but then completely die off. Investigating this I wanted to know why the older clusters were configured via elasticsearch.yml and the newer ones via Kibana. I think I have upgraded the older ones a couple times, so they probably started out from 1.9 or 1.10. So this is probably why.
I found a statement in the logs that if I re-run the security configuration it should add the audit type to the security index. Although I don’t like my clusters being configured differently, this is probably not worth the risk. I doubt there is a way to make the newer clusters use the elasticsearch.yml config.
The real problem I was struggling with turned out to be that the newer clusters are getting more traffic, and the increase in compliance logging wasn’t able to write fast enough to a single shard (the audit index defaults to 1 primary, 2 replicas). It turns out that, being overwhelmed, it virtually stopped writing. I configured a template for the audit index, increasing the number of primaries, and this fixed the real problem.
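The index template fix described in the last post, as an added example that is not code from the thread: it builds a legacy `_template` body that raises the primary shard count for future audit indices, and checks a `_settings` response for daily audit indices that still sit on a single primary (a template only affects indices created after it is installed). The index pattern `security-auditlog-*` is an assumption; use whatever `opendistro_security.audit.config.index` resolves to on your cluster.

```python
import json
from typing import Any, Dict, List

# Assumed pattern: the audit index name is configurable, so match it to
# the value of opendistro_security.audit.config.index on the cluster.
AUDIT_INDEX_PATTERN = "security-auditlog-*"


def audit_index_template(primaries: int, replicas: int,
                         pattern: str = AUDIT_INDEX_PATTERN) -> Dict[str, Any]:
    """Body for PUT _template/<name>: shard layout for audit indices
    created after the template is installed (existing ones are untouched)."""
    if primaries < 1:
        raise ValueError("an index needs at least one primary shard")
    return {
        "index_patterns": [pattern],
        "order": 10,  # outrank lower-order default templates
        "settings": {
            "index.number_of_shards": primaries,
            "index.number_of_replicas": replicas,
        },
    }


def single_shard_indices(settings_response: Dict[str, Any]) -> List[str]:
    """Given the body of GET /<pattern>/_settings, return the indices that
    still have one primary shard and so still carry the write bottleneck."""
    hits = []
    for name, body in settings_response.items():
        shards = int(body["settings"]["index"]["number_of_shards"])
        if shards == 1:
            hits.append(name)
    return sorted(hits)


# Constructed sample _settings response: one index created before the
# template (single primary) and one created after it (three primaries).
SAMPLE_SETTINGS = {
    "security-auditlog-2021.03.01": {
        "settings": {"index": {"number_of_shards": "1", "number_of_replicas": "2"}}},
    "security-auditlog-2021.03.02": {
        "settings": {"index": {"number_of_shards": "3", "number_of_replicas": "1"}}},
}

if __name__ == "__main__":
    print(json.dumps(audit_index_template(3, 1), indent=2))
    print("still single-primary:", single_shard_indices(SAMPLE_SETTINGS))
```

Older daily indices keep their original shard count, so the check is worth running for a few days after the template goes in.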