2018-05-23 18:42:51 -04:00
[role="xpack"]
[[auditing]]
== Auditing security events

You can enable auditing to keep track of security-related events such as
authentication failures and refused connections. Logging these events enables you
to monitor your cluster for suspicious activity and provides evidence in the
event of an attack.

[IMPORTANT]
============================================================================
Audit logs are **disabled** by default. To enable this functionality, you
must set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`.
============================================================================

The {es} {security-features} provide two ways to persist audit logs:

* The <<audit-log-output, `logfile`>> output, which persists events to
a dedicated `<clustername>_audit.log` file on the host's file system.
For backwards compatibility reasons, a file named `<clustername>_access.log`
is also generated.
* The <<audit-index, `index`>> output, which persists events to an Elasticsearch
index. The audit index can reside on the same cluster, or a separate cluster.

By default, only the `logfile` output is used when enabling auditing,
implicitly outputting to both `<clustername>_audit.log` and `<clustername>_access.log`.
To facilitate browsing and analyzing the events, you can also enable
indexing by setting `xpack.security.audit.outputs` in `elasticsearch.yml`:

[source,yaml]
----------------------------
xpack.security.audit.outputs: [ index, logfile ]
----------------------------

TIP: If you choose to enable the `index` output type, we strongly recommend that
you still use the `logfile` output as the official record of events. If the
target index is unavailable (for example, during a rolling upgrade), the `index`
output can lose messages.
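Since the `logfile` output is the official record, the events it holds are what a defender reviews for the suspicious activity the section mentions (authentication failures, refused connections). The script below is an added example, not part of the Elasticsearch documentation or code base: it parses a `<clustername>_audit.log` into events, tallies them by type, and flags any origin address whose authentication failures cluster within a short time window. The line layout it parses (`[timestamp] [node] [layer] [event_type] key=[value], ...`), the event names and the sample lines are assumptions constructed for the example; verify the layout of your own installation's audit log before pointing the script at it.

```python
"""Summarise an Elasticsearch ``<clustername>_audit.log`` (logfile output).

Added example, not from the Elasticsearch project. The bracketed
``[timestamp] [node] [layer] [event_type] key=[value], ...`` layout and the
event names below are assumptions; the sample lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log (not captured from a real cluster).
SAMPLE_AUDIT_LOG = """\
[2018-12-19T17:53:37,001] [node-1] [rest] [authentication_failed] origin_address=[203.0.113.10], principal=[elastic], uri=[/_search]
[2018-12-19T17:53:37,250] [node-1] [rest] [authentication_failed] origin_address=[203.0.113.10], principal=[elastic], uri=[/_search]
[2018-12-19T17:53:38,004] [node-1] [rest] [authentication_failed] origin_address=[203.0.113.10], principal=[admin], uri=[/_cluster/health]
[2018-12-19T17:53:39,120] [node-1] [transport] [connection_denied] origin_address=[198.51.100.7], transport_profile=[default], rule=[deny _all]
[2018-12-19T17:53:40,530] [node-1] [rest] [authentication_success] origin_address=[192.0.2.5], principal=[kibana], uri=[/_xpack]
[2018-12-19T17:53:41,000] [node-1] [rest] [authentication_failed] origin_address=[203.0.113.10], principal=[elastic], uri=[/_search]
[2018-12-19T17:53:41,100] [node-1] [rest] [authentication_failed] origin_address=[203.0.113.10], principal=[elastic], uri=[/_search]
this line is not an audit event and must be skipped
"""

# Assumed line layout: four bracketed fields followed by key=[value] attributes.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<node>[^\]]+)\]\s+\[(?P<layer>[^\]]+)\]\s+"
    r"\[(?P<event>[^\]]+)\]\s*(?P<attrs>.*)$"
)
ATTR_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_line(line):
    """Return a dict for one audit event, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"timestamp": m.group("ts"), "node": m.group("node"),
             "layer": m.group("layer"), "event": m.group("event")}
    event.update(dict(ATTR_RE.findall(m.group("attrs"))))
    return event


def parse_audit_log(text):
    """Parse every matching line; unparseable lines are dropped, not fatal."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by_event(events):
    """Counter of event types, e.g. how many authentication_failed events."""
    return Counter(e["event"] for e in events)


def _to_dt(ts):
    # Timestamp format assumed from the sample: ISO date, comma before millis.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S,%f")


def burst_origins(events, threshold=3, window_seconds=5):
    """Return {origin_address: peak_count} for origins whose authentication_failed
    events reach `threshold` inside any sliding window of `window_seconds`."""
    per_origin = defaultdict(list)
    for e in events:
        if e["event"] == "authentication_failed" and "origin_address" in e:
            per_origin[e["origin_address"]].append(_to_dt(e["timestamp"]))
    flagged = {}
    for origin, times in per_origin.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it fits within window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[origin] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("events by type:", dict(count_by_event(evs)))
    print("origins with bursts of failed logins:", burst_origins(evs))
```

Tune `threshold` and `window_seconds` to the cluster's normal login rate, and run the script against the `logfile` output rather than the `index` output, because the index output may have dropped events while the target index was unavailable.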