Auditing security events

edit

You can enable auditing to keep track of security-related events such as authentication failures and refused connections. Logging these events enables you to monitor your cluster for suspicious activity and provides evidence in the event of an attack.

Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in elasticsearch.yml.

The Elasticsearch security features provide two ways to persist audit logs, but only the first one is recommended and the other is deprecated:

  • The logfile output, which persists events to a dedicated <clustername>_audit.log file on the host’s file system. For backwards compatibility reasons, a file named <clustername>_access.log is also generated.
  • The index output, which persists events to an Elasticsearch index. The audit index can reside on the same cluster, or a separate cluster. deprecated::[6.7.0]

By default, only the logfile output is used when enabling auditing, implicitly outputting to both <clustername>_audit.log and <clustername>_access.log. To facilitate browsing and analyzing the events, you can also enable indexing by setting xpack.security.audit.outputs in elasticsearch.yml: [6.7.0] Deprecated in 6.7.0.

xpack.security.audit.outputs: [ index, logfile ]

If you choose to enable the index output type, we strongly recommend that you still use the logfile output as the official record of events. If the target index is unavailable (for example, during a rolling upgrade), the index output can lose messages. This is one reason why this output type has been deprecated.