from the official Elastic Search Documentation I see that:
When audit logging is enabled, security events are persisted to a dedicated _audit.json file on the host’s file system, on every cluster node.
I'm trying to find a way, if possible, to configure Elastic Search in a way to store Elastic Search audit logs on a different kind of storage. Can you help me, please ?
P.S. Are Audit logs customizable ? I mean, are the events customizable in a way that custom information are included in the logs ?
Thanks
if possible, to configure Elastic Search in a way to store audit logs on a different kind of storage
If you are looking for temper evidence or temper resistance the elasticsearch team's recommendation is to use log shippers to send the events to another system with desired characteristics.
are the events customizable in a way that custom information are included in the logs ?
They are only customizable in terms of which events you want to exclude and if you want to include the event bodies. This is done through settings You can also control the logging format in log4j2.properties files.
Not really sure which custom information you are trying to log, but one way to associate custom data with your queries is by stashing it in X-Opaque-Id HTTP header of your query. It is logged in the audit logs by default.