Which fields are necessary for the internal audit-lookup policy to work?

Question asked by henriquejc on Mar 15, 2018
The documentation for developing the internal audit-lookup policy states that:


Must we fill in all these variables for the audit to appear in the "Policy Manager - Gateway Audit Events" window?




There are 40 fields to be filled.

Which ones are really necessary for the audit entry to appear?


The default audit-lookup policy from the gateway comes empty. Is there any sample policy for populating these context variables?


We are not using the audit-sink policy; it's empty.

We are storing the audit logs in a syslog server, then another process uploads them to an Elasticsearch server.

The problem is that we disabled storing audit logs in the internal database, so the "Gateway Audit Events" window shows nothing. We are implementing the audit-lookup policy to fetch the audit data from Elasticsearch, but I'm having the aforementioned problem of nothing showing with the "via audit lookup policy" option in the "Gateway Audit Events" window.


Any help will be appreciated.


Best regards,

Henrique Jotha