Description
Original comment by @ppf2:
https://www.elastic.co/guide/en/x-pack/current/auditing.html is a multi-page document. If the user reads carefully, they will notice that emit_request_body really only works on 4 different event types:
- rest/anonymous_access_denied
- rest/authentication_success
- rest/authentication_failed
- rest/realm_authentication_failed
It's a fairly common use case for folks using emit_request_body to look at the request body for requests that are actually successful (e.g. a customer wanting to see what specific change a user made in their settings, or what specific queries they ran even though it is a request that has authenticated successfully).
By default, auditing does not include authentication_success as a default event type, so this is something the end user will have to explicitly add to the events.include setting in order to see the request body for these requests.
To clarify this, I will suggest changing the current description of the emit_request_body setting from:
Include or exclude the request body from REST requests on certain event types such as authentication_failed.
To:
Include or exclude the request body from REST requests on certain event types. By default, only anonymous_access_denied and authentication_failed event types will emit request bodies. To audit request bodies for successfully authenticated requests, add authentication_success to xpack.security.audit.<audit_log_type>.events.include
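A configuration check for the gap described in the comment above, as an added example that is not part of the original comment or Elastic's code. It assumes flat dotted keys in elasticsearch.yml and explicit event names; the `logfile` and `index` output names and the `events.exclude` key come from X-Pack's audit settings rather than from this issue, and the function names are hypothetical.

```python
# Added example (not Elastic's code): find outputs that enable emit_request_body without success bodies.
BODY_CAPABLE = {"anonymous_access_denied", "authentication_success",
                "authentication_failed", "realm_authentication_failed"}
# Per the issue: with no events.include override, only these two emit bodies.
DEFAULT_BODY_EVENTS = {"anonymous_access_denied", "authentication_failed"}

def parse_flat_settings(text):
    """Parse 'dotted.key: value' lines (assumes flat, non-nested YAML)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def as_set(value):
    """Turn '[a, b]' or 'a, b' into a set of event names."""
    return {v.strip().strip("'\"") for v in value.strip("[]").split(",") if v.strip()}

def body_events(settings, output):
    """Event types that carry a request body for one audit output."""
    prefix = f"xpack.security.audit.{output}.events."
    if settings.get(prefix + "emit_request_body", "false").lower() != "true":
        return set()
    include = settings.get(prefix + "include")
    events = as_set(include) & BODY_CAPABLE if include else set(DEFAULT_BODY_EVENTS)
    return events - as_set(settings.get(prefix + "exclude", ""))

def missing_success_bodies(text, outputs=("logfile", "index")):
    """Outputs with emit_request_body on but no body for authenticated requests."""
    settings = parse_flat_settings(text)
    gaps = []
    for output in outputs:
        key = f"xpack.security.audit.{output}.events.emit_request_body"
        enabled = settings.get(key, "false").lower() == "true"
        if enabled and "authentication_success" not in body_events(settings, output):
            gaps.append(output)
    return gaps

# Constructed sample configuration, not taken from a real cluster.
SAMPLE = """\
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true
xpack.security.audit.index.events.emit_request_body: true
xpack.security.audit.index.events.include: [access_denied, authentication_failed, authentication_success]
"""
if __name__ == "__main__":
    print(missing_success_bodies(SAMPLE))
```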