OpenSearch/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc

25 lines
1001 B
Plaintext
Raw Normal View History

[role="xpack"]
[[enable-audit-logging]]
== Enabling audit logging
You can log security-related events such as authentication failures and refused connections
to monitor your cluster for suspicious activity.
Audit logging also provides forensic evidence in the event of an attack.
[IMPORTANT]
============================================================================
Audit logs are **disabled** by default. You must explicitly enable audit logging.
============================================================================
To enable enable audit logging:
. Set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`.
. Restart {es}.
When audit logging is enabled, <<audit-event-types, security events>> are persisted to
a dedicated `<clustername>_audit.json` file on the host's file system (on each node).
You can configure additional options to control what events are logged and
what information is included in the audit log.
For more information, see <<auditing-settings>>.