When enabling Search Guard audit logging using Elasticsearch as the data type, is there a way to change the name of the ‘audit_utc_timestamp’ field to ‘@timestamp’, or perhaps even copy the field so both are populated? The reason I ask is due to Kibana: we create index patterns in Kibana of aliases that then contain many other indexes. If the created Search Guard audit index is added to an alias with other security-audit-related logs, then in Kibana only a single field is supported as the time field.
On Thursday, 22 November 2018 00:17:29 UTC+1, Brian wrote:
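One way to end up with both fields populated, using only stock Elasticsearch features rather than a Search Guard setting (an added example, not from the thread or from Search Guard): an ingest pipeline whose `set` processor copies `audit_utc_timestamp` into `@timestamp`, attached to the audit indices through an index template's `index.default_pipeline`. It assumes Elasticsearch 6.5 or later (for `index.default_pipeline` and processor `if` conditions); the cluster URL, credentials and the audit index pattern are placeholders.

```shell
#!/bin/sh
# Assumed placeholders (not from the post): cluster URL, admin credentials and the
# index pattern Search Guard writes its audit log to.
ES_URL="${ES_URL:-https://localhost:9200}"
ES_USER="${ES_USER:-admin}"
ES_PASS="${ES_PASS:-admin}"
ES_AUDIT_INDEX_PATTERN="${ES_AUDIT_INDEX_PATTERN:-auditlog-*}"
PIPELINE_NAME="sg-audit-timestamp"

# Ingest pipeline: copy audit_utc_timestamp into @timestamp. The original field is
# left untouched, so both are populated. The painless "if" guard skips documents
# that lack the source field; without it an empty @timestamp would fail date parsing.
audit_pipeline_json() {
  cat <<'EOF'
{
  "description": "copy Search Guard audit_utc_timestamp into @timestamp",
  "processors": [
    {
      "set": {
        "if": "ctx.audit_utc_timestamp != null",
        "field": "@timestamp",
        "value": "{{audit_utc_timestamp}}"
      }
    }
  ]
}
EOF
}

# Index template: every new audit index runs the pipeline by default. No explicit
# mapping is declared, so @timestamp relies on dynamic date detection of the ISO
# string copied from audit_utc_timestamp.
audit_template_json() {
  cat <<EOF
{
  "index_patterns": ["${ES_AUDIT_INDEX_PATTERN}"],
  "settings": { "index.default_pipeline": "${PIPELINE_NAME}" }
}
EOF
}

# Push both objects to the cluster (only when actually run against Elasticsearch).
apply_audit_timestamp_copy() {
  audit_pipeline_json | curl -sS -u "${ES_USER}:${ES_PASS}" -H 'Content-Type: application/json' \
    -XPUT "${ES_URL}/_ingest/pipeline/${PIPELINE_NAME}" -d @-
  audit_template_json | curl -sS -u "${ES_USER}:${ES_PASS}" -H 'Content-Type: application/json' \
    -XPUT "${ES_URL}/_template/${PIPELINE_NAME}" -d @-
}
```

Indices created before the template existed keep their old settings, so the pipeline only applies to audit indices rolled over after it is installed.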