user accounts manipulation audit example (opensearch-project#8158)

* user accounts manipulation audit example Signed-off-by: jazzl0ver <jazzl0ver@users.noreply.github.com> * user accounts manipulation audit example Signed-off-by: jazzl0ver <jazzl0ver@users.noreply.github.com> * user accounts manipulation audit example Signed-off-by: jazzl0ver <jazzl0ver@users.noreply.github.com> * Update _security/audit-logs/index.md Co-authored-by: Craig Perkins <craig5008@gmail.com> Signed-off-by: jazzl0ver <jazzl0ver@users.noreply.github.com> * Update _security/audit-logs/index.md Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> --------- Signed-off-by: jazzl0ver <jazzl0ver@users.noreply.github.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com> Co-authored-by: Craig Perkins <craig5008@gmail.com> Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
ashking94 · Sep 6, 2024 · 62a4c18 · 62a4c18
1 parent ad0d76e
commit 62a4c18
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/_security/audit-logs/index.md b/_security/audit-logs/index.md
@@ -224,3 +224,36 @@ plugins.security.audit.config.threadpool.max_queue_len: 100000
 
 To disable audit logs after they've been enabled, remove the `plugins.security.audit.type: internal_opensearch` setting from `opensearch.yml`, or switch off the **Enable audit logging** check box in OpenSearch Dashboards.
 
+## Audit user account manipulation
+
+To enable audit logging on changes to a security index, such as changes to roles mappings and role creation or deletion, use the following settings in the `compliance:` portion of the audit log configuration, as shown in the following example:
+
+```
+_meta:
+  type: "audit"
+  config_version: 2
+
+config:
+  # enable/disable audit logging
+  enabled: true
+
+  ...
+
+
+  compliance:
+    # enable/disable compliance
+    enabled: true
+
+    # Log updates to internal security changes
+    internal_config: true
+
+    # Log only metadata of the document for write events
+    write_metadata_only: false
+
+    # Log only diffs for document updates
+    write_log_diffs: true
+
+    # List of indices to watch for write events. Wildcard patterns are supported
+    # write_watched_indices: ["twitter", "logs-*"]
+    write_watched_indices: [".opendistro_security"]
+```