IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Enabling audit logging
editEnabling audit logging
editYou can log security-related events such as authentication failures and refused connections to monitor your cluster for suspicious activity. Audit logging also provides forensic evidence in the event of an attack.
Audit logs are disabled by default. You must explicitly enable audit logging.
To enable enable audit logging:
-
Set
xpack.security.audit.enabled
totrue
inelasticsearch.yml
. - Restart Elasticsearch.
When audit logging is enabled, security events are persisted to
a dedicated <clustername>_audit.json
file on the host’s file system (on each node).
You can configure additional options to control what events are logged and what information is included in the audit log. For more information, see Auditing settings.