From 2ec047db04b092b4e988e8a34aa9740c80c2399a Mon Sep 17 00:00:00 2001 From: debadair Date: Wed, 13 Nov 2019 18:30:11 -0800 Subject: [PATCH] [DOCS] Rename auditing topic. Closes #49012 (#49013) * [DOCS] Rename auditing topic. Closes #49012 * Fixed file name, fixed settings link. * Add link to settings --- docs/reference/redirects.asciidoc | 6 +++++ .../settings/audit-settings.asciidoc | 6 ++--- .../auditing/enable-audit-logging.asciidoc | 24 +++++++++++++++++++ .../en/security/auditing/event-types.asciidoc | 2 +- .../docs/en/security/auditing/index.asciidoc | 2 +- .../en/security/auditing/overview.asciidoc | 17 ------------- 6 files changed, 35 insertions(+), 22 deletions(-) create mode 100644 x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc delete mode 100644 x-pack/docs/en/security/auditing/overview.asciidoc diff --git a/docs/reference/redirects.asciidoc b/docs/reference/redirects.asciidoc index 41de4915f7f..85bd09ccd32 100644 --- a/docs/reference/redirects.asciidoc +++ b/docs/reference/redirects.asciidoc @@ -901,9 +901,15 @@ See <>. See <>. [role="exclude",id="docker-cli-run"] +=== Docker Run See <>. +[role="exclude",id="auditing"] +=== Audit logging + +See <>. + [role="exclude",id="analysis-compound-word-tokenfilter"] === Compound word token filters diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc index 463d6ac5927..b9da9786598 100644 --- a/docs/reference/settings/audit-settings.asciidoc +++ b/docs/reference/settings/audit-settings.asciidoc @@ -5,8 +5,8 @@ Auditing settings ++++ -All of these settings can be added to the `elasticsearch.yml` configuration -file. For more information, see <>. +You configure security auditing settings in the `elasticsearch.yml` configuration file +on each node in the cluster. For more information, see <>. [[general-audit-settings]] ==== General Auditing Settings 
@@ -14,7 +14,7 @@ file. For more information, see <>. `xpack.security.audit.enabled`:: Set to `true` to enable auditing on the node. The default value is `false`. This puts the auditing events in a dedicated file named `_audit.json` -on each node. For more information, see <>. +on each node. [[event-audit-settings]] ==== Audited Event Settings diff --git a/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc new file mode 100644 index 00000000000..4764612d65f --- /dev/null +++ b/x-pack/docs/en/security/auditing/enable-audit-logging.asciidoc @@ -0,0 +1,24 @@ +[role="xpack"] +[[enable-audit-logging]] +== Enabling audit logging + +You can log security-related events such as authentication failures and refused connections +to monitor your cluster for suspicious activity. +Audit logging also provides forensic evidence in the event of an attack. + +[IMPORTANT] +============================================================================ +Audit logs are **disabled** by default. You must explicitly enable audit logging. +============================================================================ + +To enable enable audit logging: + +. Set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`. +. Restart {es}. + +When audit logging is enabled, <> are persisted to +a dedicated `_audit.json` file on the host's file system (on each node). + +You can configure additional options to control what events are logged and +what information is included in the audit log. +For more information, see <>. diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index dfa0c72b5e2..c63f2908c76 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc 
@@ -2,7 +2,7 @@ [[audit-event-types]] === Audit event types -When you are <>, each request can generate +When you are <>, each request can generate multiple audit events. The following is a list of the events that can be generated: diff --git a/x-pack/docs/en/security/auditing/index.asciidoc b/x-pack/docs/en/security/auditing/index.asciidoc index 8e708efaffc..55886c548b5 100644 --- a/x-pack/docs/en/security/auditing/index.asciidoc +++ b/x-pack/docs/en/security/auditing/index.asciidoc @@ -1,4 +1,4 @@ -include::overview.asciidoc[] +include::enable-audit-logging.asciidoc[] include::event-types.asciidoc[] diff --git a/x-pack/docs/en/security/auditing/overview.asciidoc b/x-pack/docs/en/security/auditing/overview.asciidoc deleted file mode 100644 index 51f24c9bcce..00000000000 --- a/x-pack/docs/en/security/auditing/overview.asciidoc +++ /dev/null @@ -1,17 +0,0 @@ -[role="xpack"] -[[auditing]] -== Auditing security events - -You can enable auditing to keep track of security-related events such as -authentication failures and refused connections. Logging these events enables you -to monitor your cluster for suspicious activity and provides evidence in the -event of an attack. - -[IMPORTANT] -============================================================================ -Audit logs are **disabled** by default. To enable this functionality, you -must set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`. -============================================================================ - -The audit log persists events to a dedicated `_audit.json` file on -the host's file system (on each node).
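Review bot: duplicated word in the new enable-audit-logging.asciidoc file, in the line that introduces the numbered steps: `+To enable enable audit logging:` should read `To enable audit logging:`. While there, the two steps (set `xpack.security.audit.enabled` to `true`, then `Restart {es}`) are the only place in this patch that says a restart is required; consider stating explicitly that the setting is not applied dynamically, since that is the detail an operator enabling auditing on a running cluster needs most.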
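Review bot: in the audit-settings.asciidoc hunk at `@@ -14,7 +14,7 @@`, the `xpack.security.audit.enabled` description loses its cross-reference (`-on each node. For more information, see <>.`) but still does not say that the node must be restarted for the change to take effect, which the new how-to topic in this same patch does say (`. Restart {es}.`). Readers of the settings reference often never open the how-to, so suggest adding a sentence such as "This setting is not dynamic; restart the node after changing it" here as well, so the two pages agree.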
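Review bot: the redirects.asciidoc hunk bundles an unrelated fix, the `+=== Docker Run` heading added under the pre-existing `[role="exclude",id="docker-cli-run"]` entry, that the commit message does not mention; either call it out in the message or split it into its own commit so the rename stays easy to bisect. Separately, since the deleted overview.asciidoc owned the `[[auditing]]` anchor and the new file uses `[[enable-audit-logging]]`, any `<<auditing>>` cross-reference not updated by this patch (only event-types.asciidoc and audit-settings.asciidoc are touched) would now resolve to the redirect stub rather than the new topic; worth a grep for the old id across the docs tree before merging.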