IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Auditing security events
You can enable auditing to keep track of security-related events such as authentication failures and refused connections. Logging these events enables you to monitor your cluster for suspicious activity and provides evidence in the event of an attack.
Audit logs are disabled by default. To enable this functionality, you must set xpack.security.audit.enabled to true in elasticsearch.yml.
The audit log persists events to a dedicated <clustername>_audit.json file on the host’s file system (on each node).
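The page states that logging these events lets you monitor the cluster for suspicious activity, but stops at where the file lives. The script below is an added example, not part of this documentation or of Elasticsearch itself: it reads a `<clustername>_audit.json` file as one JSON object per line, counts authentication failures and refused connections per source address, and flags sources that exceed a threshold. The sample events are constructed (RFC 5737 test addresses), and the field names it relies on (`event.action`, `origin.address`, `user.name`) are assumptions about the JSON audit format that you should confirm against a real audit file from your own node.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample events in the one-JSON-object-per-line shape of
# <clustername>_audit.json. Field names are an assumption about the audit
# format, not copied from the documentation page; check them against your
# own file. Addresses are RFC 5737 test ranges, timestamps are invented.
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","timestamp":"2024-01-01T10:00:00,000+0000","node.name":"node-1",'
    '"event.type":"rest","event.action":"authentication_failed","user.name":"admin",'
    '"origin.type":"rest","origin.address":"203.0.113.7:50211","url.path":"/_cluster/health"}',
    '{"type":"audit","timestamp":"2024-01-01T10:00:01,000+0000","node.name":"node-1",'
    '"event.type":"rest","event.action":"authentication_failed","user.name":"elastic",'
    '"origin.type":"rest","origin.address":"203.0.113.7:50212","url.path":"/_cluster/health"}',
    '{"type":"audit","timestamp":"2024-01-01T10:00:02,000+0000","node.name":"node-1",'
    '"event.type":"rest","event.action":"authentication_failed","user.name":"kibana",'
    '"origin.type":"rest","origin.address":"203.0.113.7:50213","url.path":"/_cluster/health"}',
    '{"type":"audit","timestamp":"2024-01-01T10:05:00,000+0000","node.name":"node-1",'
    '"event.type":"rest","event.action":"authentication_failed","user.name":"admin",'
    '"origin.type":"rest","origin.address":"198.51.100.4:41000","url.path":"/_search"}',
    '{"type":"audit","timestamp":"2024-01-01T10:06:00,000+0000","node.name":"node-1",'
    '"event.type":"ip_filter","event.action":"connection_denied","origin.type":"rest",'
    '"origin.address":"192.0.2.9:33000","transport.profile":".http","rule":"deny _all"}',
    '{"type":"audit","timestamp":"2024-01-01T10:07:00,000+0000","node.name":"node-1",'
    '"event.type":"rest","event.action":"access_granted","user.name":"elastic",'
    '"origin.type":"rest","origin.address":"10.0.0.5:52000","url.path":"/_cat/indices"}',
    'this line is deliberately not JSON and must be skipped',
]


def parse_audit_lines(lines):
    """Parse JSON-lines audit events, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A truncated or partially written line should not abort the run.
            continue
    return events


def source_host(event):
    """Return the host part of origin.address ("ip:port" or "[v6]:port")."""
    return event.get("origin.address", "unknown").rsplit(":", 1)[0]


def summarize_security_events(events, failure_threshold=3):
    """Aggregate authentication failures and refused connections per source.

    Returns a dict with per-source counters, the set of user names tried
    from each source, and the sources at or above failure_threshold.
    """
    auth_failures = Counter()
    connection_denied = Counter()
    failed_users = defaultdict(set)
    for event in events:
        action = event.get("event.action")
        host = source_host(event)
        if action == "authentication_failed":
            auth_failures[host] += 1
            failed_users[host].add(event.get("user.name", "<none>"))
        elif action == "connection_denied":
            connection_denied[host] += 1
    suspicious = sorted(h for h, n in auth_failures.items() if n >= failure_threshold)
    return {
        "auth_failures": auth_failures,
        "connection_denied": connection_denied,
        "failed_users": {h: sorted(users) for h, users in failed_users.items()},
        "suspicious_sources": suspicious,
    }


if __name__ == "__main__":
    # Usage: python audit_summary.py /path/to/<clustername>_audit.json
    # Without a path, the constructed sample events are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            parsed = parse_audit_lines(fh)
    else:
        parsed = parse_audit_lines(SAMPLE_AUDIT_LINES)
    report = summarize_security_events(parsed)
    for host, count in report["auth_failures"].most_common():
        print(f"{host}: {count} authentication failure(s), users tried: {report['failed_users'][host]}")
    for host, count in report["connection_denied"].most_common():
        print(f"{host}: {count} refused connection(s)")
    print("sources at or above threshold:", report["suspicious_sources"])
```

Because the audit file is written per node, run the script against each node's file (or ship the files to a central store first); a brute-force attempt spread across nodes only becomes visible once the per-node counts are combined.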