Auditing security events
editAuditing security events
editYou can enable auditing to keep track of security-related events such as authentication failures and refused connections. Logging these events enables you to monitor your cluster for suspicious activity and provides evidence in the event of an attack.
Audit logs are disabled by default. To enable this functionality, you
must set xpack.security.audit.enabled
to true
in elasticsearch.yml
.
X-Pack security provides two ways to persist audit logs:
By default, only the logfile
output is used when enabling auditing.
To facilitate browsing and analyzing the events, you can also enable
indexing by setting xpack.security.audit.outputs
in elasticsearch.yml
:
xpack.security.audit.outputs: [ index, logfile ]
If you choose to enable the index
output type, we strongly recommend that
you still use the logfile
output as the official record of events. If the
target index is unavailable (for example, during a rolling upgrade), the index
output can lose messages.