opensearch-project · Naarcha-AWS · Sep 6, 2024 · Sep 3, 2024 · Sep 5, 2024 · Sep 5, 2024
@@ -224,3 +224,35 @@ plugins.security.audit.config.threadpool.max_queue_len: 100000
 
 To disable audit logs after they've been enabled, remove the `plugins.security.audit.type: internal_opensearch` setting from `opensearch.yml`, or switch off the **Enable audit logging** check box in OpenSearch Dashboards.
 
+## Audit user account manipulation
+
+To enable user account creation/removal audit use similar `audit.yml`:
+```
+_meta:
+  type: "audit"
+  config_version: 2
+
+config:
+  # enable/disable audit logging
+  enabled: true
+
+  ...
+
+
+  compliance:
+    # enable/disable compliance
+    enabled: true
+
+    # Log updates to internal security changes
+    internal_config: true
+
+    # Log only metadata of the document for write events
+    write_metadata_only: false
+
+    # Log only diffs for document updates
+    write_log_diffs: true
+
+    # List of indices to watch for write events. Wildcard patterns are supported
+    # write_watched_indices: ["twitter", "logs-*"]
+    write_watched_indices: [".opendistro_security"]
+```