diff --git a/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc b/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc index 01ed0f72e746d..0b79af593b6ea 100644 --- a/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc +++ b/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc 
@@ -1,24 +1,99 @@ [role="xpack"] -[float] [[forwarding-audit-logfiles]] -==== Forwarding audit logs to a remote cluster +=== Forwarding audit logs to a remote cluster -To index audit events to a remote Elasticsearch cluster, you configure -the following `xpack.security.audit.index.client` settings: +When you are auditing security events, you can optionally store the logs in an +{es} index on a remote cluster. The logs are sent to the remote cluster by +using the {javaclient}/transport-client.html[transport client]. -* `xpack.security.audit.index.client.hosts` -* `xpack.security.audit.index.client.cluster.name` -* `xpack.security.audit.index.client.xpack.security.user` +. Configure auditing such that the logs are stored in {es} rolling indices. +See <>. + +. Establish a connection to the remote cluster by configuring the following +`xpack.security.audit.index.client` settings: ++ +-- +[source, yaml] +-------------------------------------------------- +xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 <1> +xpack.security.audit.index.client.cluster.name: logging-prod <2> +xpack.security.audit.index.client.xpack.security.user: myuser:mypassword <3> +-------------------------------------------------- +<1> A list of hosts in the remote cluster. If you are not using the default +value for the `transport.tcp.port` setting on the remote cluster, you must +specify the appropriate port number (prefixed by a colon) after each host. +<2> The remote cluster name. +<3> A valid user and password, which must have authority to create the +`.security-audit` index on the remote cluster. For more information about these settings, see -{ref}/auditing-settings.html#remote-audit-settings[Remote Audit Log Indexing Configuration Settings]. +{ref}/auditing-settings.html#remote-audit-settings[Remote audit log indexing configuration settings]. + +-- + +. 
If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you +must specify extra security settings: -You can pass additional settings to the remote client by specifying them in the -`xpack.security.audit.index.client` namespace. For example, to allow the remote -client to discover all of the nodes in the remote cluster you can specify the -`client.transport.sniff` setting: +.. {ref}/configuring-tls.html#node-certificates[Generate a node certificate on +the remote cluster], then copy that certificate to the client. +.. Enable TLS and specify the information required to access the node certificate. + +*** If the signed certificate is in PKCS#12 format, add the following information +to the `elasticsearch.yml` file: ++ +-- [source,yaml] ----------------------------- -xpack.security.audit.index.client.transport.sniff: true ----------------------------- +----------------------------------------------------------- +xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true +xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12 +xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12 +----------------------------------------------------------- + +For more information about these settings, see +{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings]. 
+-- + +*** If the certificate is in PEM format, add the following information to the +`elasticsearch.yml` file: ++ +-- +[source, yaml] +-------------------------------------------------- +xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true +xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key +xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt +xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ] +-------------------------------------------------- + +For more information about these settings, see +{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings]. +-- + +.. If you secured the certificate with a password, add the password to +your {es} keystore: + +*** If the signed certificate is in PKCS#12 format, use the following commands: ++ +-- +[source,shell] +----------------------------------------------------------- +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password + +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password +----------------------------------------------------------- +-- + +*** If the certificate is in PEM format, use the following commands: ++ +-- +[source,shell] +----------------------------------------------------------- +bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase +----------------------------------------------------------- +-- + +. Restart {es}. + +When these steps are complete, your audit logs are stored in {es} rolling +indices on the remote cluster. \ No newline at end of file diff --git a/x-pack/docs/en/settings/audit-settings.asciidoc b/x-pack/docs/en/settings/audit-settings.asciidoc index 6274fae790b8c..1e477083c903b 100644 --- a/x-pack/docs/en/settings/audit-settings.asciidoc +++ b/x-pack/docs/en/settings/audit-settings.asciidoc 
@@ -130,10 +130,23 @@ Specifies the name of the remote cluster. `xpack.security.audit.index.client.xpack.security.user`:: Specifies the `username:password` pair that is used to authenticate with the -remote cluster. +remote cluster. This user must have authority to create the `.security-audit` +index on the remote cluster. + +If the remote {es} cluster has Transport Layer Security (TLS/SSL) enabled, you +must set the following setting to `true`: + +`xpack.security.audit.index.client.xpack.security.transport.ssl.enabled`:: +Used to enable or disable TLS/SSL for the transport client that forwards audit +logs to the remote cluster. The default is `false`. + +You must also specify the information necessary to access certificates. See +<>. You can pass additional settings to the remote client by specifying them in the -`xpack.security.audit.index.client` namespace. For example, to allow the remote +`xpack.security.audit.index.client` namespace. For example, you can add +<> and +<> in that namespace. To allow the remote client to discover all of the nodes in the remote cluster you can specify the `client.transport.sniff` setting: diff --git a/x-pack/docs/en/settings/security-settings.asciidoc b/x-pack/docs/en/settings/security-settings.asciidoc index 4e9d85f1900ae..587cbb7941755 100644 --- a/x-pack/docs/en/settings/security-settings.asciidoc +++ b/x-pack/docs/en/settings/security-settings.asciidoc @@ -1257,6 +1257,16 @@ transport profile, use the prefix `transport.profiles.$PROFILE.xpack.security.` append the portion of the setting after `xpack.security.transport.`. For the key setting, this would be `transport.profiles.$PROFILE.xpack.security.ssl.key`. +[[auditing-tls-ssl-settings]] +:ssl-prefix: xpack.security.audit.index.client.xpack +:component: Auditing +:client-auth-default!: +:server!: + +include::ssl-settings.asciidoc[] + +See also <>. + [float] [[ip-filtering-settings]] ==== IP filtering settings 
diff --git a/x-pack/docs/en/settings/ssl-settings.asciidoc b/x-pack/docs/en/settings/ssl-settings.asciidoc index 655dfb74a6498..12729abf4abdc 100644 --- a/x-pack/docs/en/settings/ssl-settings.asciidoc +++ b/x-pack/docs/en/settings/ssl-settings.asciidoc @@ -46,7 +46,6 @@ Java Cryptography Architecture documentation]. Defaults to the value of The following settings are used to specify a private key, certificate, and the trusted certificates that should be used when communicating over an SSL/TLS connection. -If none of the settings below are specified, the {ref}/security-settings.html#ssl-tls-settings[Default TLS/SSL Settings] are used. ifdef::server[] A private key and certificate must be configured. endif::server[]
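Review bot: In the forwarding-logs.asciidoc hunk, the PKCS#12 example under "If the signed certificate is in PKCS#12 format" points both `xpack.security.audit.index.client.xpack.ssl.keystore.path` and `...truststore.path` at `certs/remote-elastic-certificates.p12`, and step (a) tells the reader to "Generate a node certificate on the remote cluster, then copy that certificate to the client". Read together, that copies a remote node's keystore, private key included, onto the forwarding cluster, so the audit client presents itself to the remote transport layer as that node. The PEM example in the same hunk already does this correctly (a dedicated `audit-client.key` and `audit-client.crt`, with `remote-ca.crt` as the trust anchor); make the PKCS#12 example match it, with a client certificate issued by the remote cluster's CA in the keystore and only the CA in the truststore, and reword step (a) to ask for a client certificate signed by the remote CA rather than a node certificate. Second, callout <3> says the user "must have authority to create the `.security-audit` index", while the surrounding text says events are stored in "rolling indices"; state the index name pattern the index audit trail actually writes to and the privileges required to both create and write to it, since create alone does not let the client index events and a privilege granted on the wrong name leaves the forwarder unable to write. Minor: the hunk mixes `[source, yaml]` and `[source,yaml]`.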
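Review bot: In the audit-settings.asciidoc hunk, the paragraph "If the remote {es} cluster has Transport Layer Security (TLS/SSL) enabled, you must set the following setting to `true`:" is used to introduce a definition-list entry, which reads awkwardly and duplicates the entry's own description; fold it into the description of `xpack.security.audit.index.client.xpack.security.transport.ssl.enabled` (for example "Set to `true` when the remote cluster has TLS enabled on its transport layer. Defaults to `false`."). The added sentence for `xpack.security.audit.index.client.xpack.security.user` repeats the `.security-audit` index-name and "authority to create" wording from the forwarding page, so whatever name and privilege set that page settles on needs to be mirrored here. Since this is where the setting is defined, it is also the place to say that the `username:password` pair sits in clear text in `elasticsearch.yml`, so the file's permissions matter and the account should be a dedicated one with no privileges beyond the audit indices.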
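Review bot: In the security-settings.asciidoc hunk, the new `[[auditing-tls-ssl-settings]]` block sets `:ssl-prefix:` and `:component:` and unsets `:server!:` and `:client-auth-default!:` before the `include::ssl-settings.asciidoc[]`, but nothing after the include restores or clears them; because this file includes the same snippet for each component, any later include inherits whatever is set at that point unless it overrides every attribute itself, so confirm the next include does. The block also carries no `[float]` heading of its own, unlike the `[[ip-filtering-settings]]` section right after it; if the heading is generated inside the include from `{component}` that is fine, otherwise the `auditing-tls-ssl-settings` anchor will resolve to a heading-less run of settings and the "See also" cross-reference will land in the middle of the transport-profile text.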
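Review bot: In the ssl-settings.asciidoc hunk, removing "If none of the settings below are specified, the Default TLS/SSL Settings are used." edits the shared include, so every component that pulls this file in loses the statement, not just the new auditing block. If the fallback to the default TLS/SSL settings still holds for the other components, keep the sentence and guard it with an attribute the auditing block can unset (the file already uses `ifdef::server[]` for the private-key requirement, so the same mechanism fits); if the fallback genuinely no longer applies anywhere, say so in the PR description, because readers of the other sections will otherwise not know whether leaving these settings blank is safe.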