Data Stream support for Audit- Log (opensearch-project#8356)

tmanninger · Naarcha-AWS · natebower · web-flow · commit 31d62d58b01d · 2024-10-29T14:32:59.000-05:00
* Opensearch Data Stream auditlog

Signed-off-by: tmanninger &lt;t.manninger@ixolit.com&gt;

* Opensearch Data Stream auditlog

Signed-off-by: tmanninger &lt;t.manninger@ixolit.com&gt;

* Opensearch Data Stream auditlog

Signed-off-by: tmanninger &lt;t.manninger@ixolit.com&gt;

* Change shards default value

Signed-off-by: tmanninger &lt;t.manninger@ixolit.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

* Apply suggestions from code review

Signed-off-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;

* Update _security/audit-logs/storage-types.md

Co-authored-by: Nathan Bower &lt;nbower@amazon.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;

---------

Signed-off-by: tmanninger &lt;t.manninger@ixolit.com&gt;
Signed-off-by: tmanninger &lt;47749648+tmanninger@users.noreply.github.com&gt;
Signed-off-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Co-authored-by: Naarcha-AWS &lt;97990722+Naarcha-AWS@users.noreply.github.com&gt;
Co-authored-by: Nathan Bower &lt;nbower@amazon.com&gt;
diff --git a/_security/audit-logs/storage-types.md b/_security/audit-logs/storage-types.md
@@ -16,17 +16,37 @@ Setting | Description
 :--- | :---
 debug | Outputs to stdout. Useful for testing and debugging.
 internal_opensearch | Writes to an audit index on the current OpenSearch cluster.
+internal_opensearch_data_stream | Writes to an audit log data stream on the current OpenSearch cluster.
 external_opensearch | Writes to an audit index on a remote OpenSearch cluster.
 webhook | Sends events to an arbitrary HTTP endpoint.
 log4j | Writes the events to a Log4j logger. You can use any Log4j [appender](https://logging.apache.org/log4j/2.x/manual/appenders.html), such as SNMP, JDBC, Cassandra, and Kafka.
 
 You configure the output location in `opensearch.yml`:
 
 ```
-plugins.security.audit.type: <debug|internal_opensearch|external_opensearch|webhook|log4j>
+plugins.security.audit.type: <debug|internal_opensearch|internal_opensearch_data_stream|external_opensearch|webhook|log4j>
 ```
 
-`external_opensearch`, `webhook`, and `log4j` all have additional configuration options. Details follow.
+`internal_opensearch_data_stream`, `external_opensearch`, `webhook`, and `log4j` can be customized with additional configuration options. For more information, see [Internal OpenSearch data streams](#internal-opensearch-data-streams).
+
+
+## Internal OpenSearch data streams
+
+You can configure the `internal_opensearch_data_stream` type with the following parameters.
+
+
+Name | Data type | Description
+:--- | :--- | :---
+`plugins.security.audit.config.data_stream.name` | String | The name of the audit log data stream. Default is `opensearch-security-auditlog`.
+
+### Template settings
+
+Name | Data type | Description
+:--- | :--- | :---
+`plugins.security.audit.config.data_stream.template.manage` | Boolean | When `true`, the template for the data stream is managed by OpenSearch. Default is `true`.
+`plugins.security.audit.config.data_stream.template.name` | String | The name of the data stream template. Default is `opensearch-security-auditlog`.
+`plugins.security.audit.config.data_stream.template.number_of_replicas` | Integer | The number of replicas for the data stream. Default is `0`.
+`plugins.security.audit.config.data_stream.template.number_of_shards` | Integer | The number of shards for the data stream. Default is `1`.
 
 
 ## External OpenSearch
