[DOCS] Expanded instructions for forwarding audit logs

elastic · May 28, 2018 · 1f13328 · 1f13328
1 parent c6e5b8d
commit 1f13328
Show file tree

Hide file tree

Showing 2 changed files with 93 additions and 12 deletions.
diff --git a/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc b/x-pack/docs/en/security/auditing/forwarding-logs.asciidoc
@@ -2,19 +2,98 @@
 [[forwarding-audit-logfiles]]
 === Forwarding audit logs to a remote cluster
 
-When you are <<auditing,auditing security events>>, you can optionally forward 
-the audit logs to a remote cluster. 
+When you are auditing security events, you can optionally store the logs in an 
+{es} index on a remote cluster.  The logs are sent to the remote cluster by 
+using the {javaclient}/transport-client.html[transport client]. 
 
-The logs are sent to the remote cluster by using the 
-{javaclient}/transport-client.html[transport client]. To establish the 
-connection from the transport client to the remote cluster, configure the following `xpack.security.audit.index.client` settings:
+. Configure auditing such that the logs are stored in {es} rolling indices. 
+See <<audit-index>>. 
 
-* `xpack.security.audit.index.client.hosts`
-* `xpack.security.audit.index.client.cluster.name`
-* `xpack.security.audit.index.client.xpack.security.user`
-
-NOTE: If the remote {es} cluster has Transport Layer Security (TLS/SSL) enabled, you 
-must specify extra settings. 
+. Establish a connection to the remote cluster by configuring the following 
+`xpack.security.audit.index.client` settings: 
++
+--
+[source, yaml]
+--------------------------------------------------
+xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 <1> 
+xpack.security.audit.index.client.cluster.name: logging-prod <2>
+xpack.security.audit.index.client.xpack.security.user: myuser:mypassword <3>
+--------------------------------------------------
+<1> A list of hosts in the remote cluster. If you are not using the default 
+value for the `transport.tcp.port` setting on the remote cluster, you must 
+specify the appropriate port number (prefixed by a colon) after each host. 
+<2> The remote cluster name.
+<3> A valid user and password, which must have authority to create the 
+`.security-audit` index on the remote cluster. 
+//TBD: Is there a secure version of this setting, so that password is hidden in the keystore?
 
 For more information about these settings, see
 {ref}/auditing-settings.html#remote-audit-settings[Remote audit log indexing configuration settings].
+
+--
+
+. If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you 
+must specify extra security settings. 
+
+.. {ref}/configuring-tls.html#node-certificates[Generate a node certificate].
+
+.. Enable TLS and specify the information required to access the node certificate.
+
+*** If the signed certificate is in PKCS#12 format, add the following information 
+to the `elasticsearch.yml` file:
++
+--
+[source,yaml]
+-----------------------------------------------------------
+xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
+xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/elastic-certificates.p12 
+xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/elastic-certificates.p12
+-----------------------------------------------------------
+
+For more information about these settings, see 
+{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].
+--
+
+*** If the certificate is in PEM format, add the following information to the
+`elasticsearch.yml` file:
++
+--
+[source, yaml]
+--------------------------------------------------
+xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true
+xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/node01.key 
+xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/node01.crt 
+xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] 
+--------------------------------------------------
+
+For more information about these settings, see 
+{ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings].    
+--
+
+.. If you secured the certificate with a password, add the password to
+your {es} keystore:
+
+*** If the signed certificate is in PKCS#12 format, use the following commands:
++
+--
+[source,shell]
+-----------------------------------------------------------
+bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password
+
+bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password
+-----------------------------------------------------------
+--
+
+*** If the certificate is in PEM format, use the following commands:
++
+--
+[source,shell]
+-----------------------------------------------------------
+bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase
+-----------------------------------------------------------
+--
+
+//TBD: Is this required?: . Restart {es}.
+
+When these steps are complete, your audit logs are stored in {es} rolling 
+indices on the remote cluster. 
diff --git a/x-pack/docs/en/settings/audit-settings.asciidoc b/x-pack/docs/en/settings/audit-settings.asciidoc
@@ -144,7 +144,9 @@ You must also specify the information necessary to access certificates. See
 <<auditing-tls-ssl-settings>>. 
 
 You can pass additional settings to the remote client by specifying them in the
-`xpack.security.audit.index.client` namespace. For example, to allow the remote
+`xpack.security.audit.index.client` namespace. For example, you can add 
+<<modules-transport,transport settings>> and 
+<<tcp-settings,advanced TCP settings>> in that namespace. To allow the remote
 client to discover all of the nodes in the remote cluster you can specify the
 `client.transport.sniff` setting: