You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There have been reports from users who index audit logs to a remote cluster, that the index settings config option should be clarified that it only applies when used locally.
Users have been modifying this setting, expecting it to reflect to the remote cluster's index layout - which isn't the case. The remote index gets created with whatever is dictated by the templates or settings of the remote cluster.
xpack.security.audit.index.settings
Specifies settings for the indices that the events are stored in. For example, the following configuration sets the number of shards and replicas to 1 for the audit indices:
xpack.security.audit.index.settings:
index:
number_of_shards: 1
number_of_replicas: 1
@kostasb I have raised #30923 .
However, the settings don't only apply locally. They apply when indexing to remote too, but only if X-Pack security is not installed there.
kostasb
changed the title
[DOCS] Clarify local scope of xpack.security.audit.index.settings
[DOCS] Clarify scope of xpack.security.audit.index.settings
May 29, 2018
Elasticsearch version v6.2
There have been reports from users who index audit logs to a remote cluster, that the index settings config option should be clarified that it only applies when used locally.
Users have been modifying this setting, expecting it to reflect to the remote cluster's index layout - which isn't the case. The remote index gets created with whatever is dictated by the templates or settings of the remote cluster.
https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html#index-audit-settings
Should a note be added that this setting applies locally only?
The text was updated successfully, but these errors were encountered: