Audit log storage types

    You configure the output location in :

    external_opensearch, webhook, and log4j all have additional configuration options. Details follow.

    The security plugin uses the OpenSearch REST API to send events, just like any other indexing request. For plugins.security.audit.config.http_endpoints, use a comma-separated list of hosts or IP addresses with the REST port (default 9200).

    If you use external_opensearch and the remote cluster also uses the security plugin, you must supply some additional parameters for authentication. These parameters depend on which authentication type you configured for the remote cluster.
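
    The following fragment is an added example, not taken from the original page or the OpenSearch project. It sketches an opensearch.yml configuration for the external_opensearch type, assuming the remote cluster uses the security plugin with HTTP basic authentication over TLS. Host names, the account, the password placeholder and the CA file name are constructed; the enable_ssl, verify_hostnames, pemtrustedcas_filepath, username and password keys do not appear on this page and are given from the security plugin's audit settings.

```yaml
# opensearch.yml on the cluster that generates the audit events (added example).
# All host names, account names and file names below are constructed placeholders.

# Send audit events to a separate cluster rather than storing them locally,
# so that compromising the audited cluster does not also expose its audit trail.
plugins.security.audit.type: external_opensearch

# Comma-separated hosts or IP addresses with the REST port (default 9200).
plugins.security.audit.config.http_endpoints: ['audit-1.example.internal:9200', 'audit-2.example.internal:9200']

# TLS to the remote cluster: encrypt the connection and verify the peer.
# Leaving verify_hostnames false would accept any certificate the CA signed,
# whatever host it was issued for.
plugins.security.audit.config.enable_ssl: true
plugins.security.audit.config.verify_hostnames: true
# Root CA of the remote cluster, relative to the config directory.
plugins.security.audit.config.pemtrustedcas_filepath: audit-root-ca.pem

# Assumption: the remote cluster is configured for HTTP basic authentication.
# Use a dedicated account that can only write to the audit indices.
plugins.security.audit.config.username: audit_writer
# The password is stored in plain text here, so restrict read access to this file.
plugins.security.audit.config.password: REPLACE_WITH_AUDIT_WRITER_PASSWORD
```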

    Use the following keys to configure the webhook storage type.

    The log4j storage type lets you specify the name of the logger and log level.