25 lines
1001 B
Plaintext
25 lines
1001 B
Plaintext
|
[role="xpack"]
|
||
|
[[enable-audit-logging]]
|
||
|
== Enabling audit logging
|
||
|
|
||
|
You can log security-related events such as authentication failures and refused connections
|
||
|
to monitor your cluster for suspicious activity.
|
||
|
Audit logging also provides forensic evidence in the event of an attack.
|
||
|
|
||
|
[IMPORTANT]
|
||
|
============================================================================
|
||
|
Audit logs are **disabled** by default. You must explicitly enable audit logging.
|
||
|
============================================================================
|
||
|
|
||
|
To enable enable audit logging:
|
||
|
|
||
|
. Set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`.
|
||
|
. Restart {es}.
|
||
|
|
||
|
When audit logging is enabled, <<audit-event-types, security events>> are persisted to
|
||
|
a dedicated `<clustername>_audit.json` file on the host's file system (on each node).
|
||
|
|
||
|
You can configure additional options to control what events are logged and
|
||
|
what information is included in the audit log.
|
||
|
For more information, see <<auditing-settings>>.
|