Currently I’m using the audit log in x-pack but I have to suppress all of the access_granted/authentication_success events because they are way too noisy. Is there a way or a future plan for giving some flexibility around this? For instance, can I just log authentication_success for the ldap realm and not the native? I’m trying to get a dataset here that lets me know what users have logged in and don’t need the millions of events for Filebeat, Kibana, ES and every other service that create over 4k of events per second.
security:
  enabled: true
  audit:
    enabled: true
    outputs: [ index ]
    index:
      events:
        exclude: [ access_granted, connection_granted, realm_authentication_failed ]