diff --git a/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
index f300652418e..f21f9ec370c 100644
--- a/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
+++ b/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
@@ -287,8 +287,8 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
 
 @Override
 public void authenticationFailed(String realm, AuthenticationToken token, RestRequest request) {
- if (events.contains(REALM_AUTHENTICATION_FAILED)
- && filterPolicyPredicate.test(new AuditEventMetaInfo(Optional.of(token), Optional.of(realm), Optional.empty())) == false) {
+ if (events.contains(REALM_AUTHENTICATION_FAILED) && filterPolicyPredicate
+ .test(new AuditEventMetaInfo(Optional.of(token), Optional.of(realm), Optional.empty())) == false) {
 if (includeRequestBody) {
 logger.info("{}[rest] [realm_authentication_failed]\trealm=[{}], {}, principal=[{}], uri=[{}], request_body=[{}]",
 localNodeInfo.prefix, realm, hostAttributes(request), token.principal(), request.uri(),
@@ -514,7 +514,10 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
 
 static Optional indices(TransportMessage message) {
 if (message instanceof IndicesRequest) {
- return Optional.ofNullable(((IndicesRequest) message).indices());
+ final String[] indices = ((IndicesRequest) message).indices();
+ if ((indices != null) && (indices.length != 0)) {
+ return Optional.of(((IndicesRequest) message).indices());
+ }
 }
 return Optional.empty();
 }
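Review bot: In `indices(TransportMessage)` the new branch null-checks the local `indices` but then calls `((IndicesRequest) message).indices()` a second time inside `Optional.of(...)`, so the array that gets wrapped is not the one that was checked. If an implementation ever returns null or a different array on the second call, `Optional.of` throws from inside the audit path; `return Optional.of(indices);` removes that possibility and the redundant cast. Because an empty array now maps to `Optional.empty()` as well, it is worth confirming in the filter-policy code, which is outside this hunk, that an index-based ignore policy does not treat "no indices" as a match and silently drop the event from the audit log.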
@@ -546,7 +549,7 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
 * that will be ignored, aka filtered out, aka not logged. The event can be
 * filtered by the following fields : `user`, `realm`, `role` and `index`.
 * Predicates on each field are ANDed together to form the filter predicate of
- * the policy.
+ * the policy.
 */
 private static final class EventFilterPolicy {
 final String name;
diff --git a/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
index adff3943bd8..56efd820357 100644
--- a/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
+++ b/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@@ -48,6 +48,8 @@ import java.util.Map;
 
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.containsString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -703,6 +705,59 @@ public class LoggingAuditTrailTests extends ESTestCase {
 assertEmptyLog(logger);
 }
 
+ public void testRequestsWithoutIndices() throws Exception {
+ final Logger logger = CapturingLogger.newCapturingLogger(Level.INFO);
+ final Settings allEventsSettings = Settings.builder()
+ .put(settings)
+ .put("xpack.security.audit.logfile.events.include", "_all")
+ .build();
+ final LoggingAuditTrail auditTrail = new LoggingAuditTrail(allEventsSettings, clusterService, logger, threadContext);
+ final User user = new User("_username", new String[] { "r1" });
+ final String role = randomAlphaOfLengthBetween(1, 6);
+ final String realm = randomAlphaOfLengthBetween(1, 6);
+ // transport messages without indices
+ final TransportMessage[] messages = new TransportMessage[] { new MockMessage(threadContext),
+ new org.elasticsearch.action.MockIndicesRequest(IndicesOptions.strictExpandOpenAndForbidClosed(), new String[0]),
+ new org.elasticsearch.action.MockIndicesRequest(IndicesOptions.strictExpandOpenAndForbidClosed(), (String[]) null) };
+ final List output = CapturingLogger.output(logger.getName(), Level.INFO);
+ int logEntriesCount = 1;
+ for (final TransportMessage message : messages) {
+ auditTrail.anonymousAccessDenied("_action", message);
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.authenticationFailed(new MockToken(), "_action", message);
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.authenticationFailed("_action", message);
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.authenticationFailed(realm, new MockToken(), "_action", message);
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.accessGranted(user, "_action", message, new String[] { role });
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.accessDenied(user, "_action", message, new String[] { role });
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.tamperedRequest("_action", message);
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.tamperedRequest(user, "_action", message);
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.runAsGranted(user, "_action", message, new String[] { role });
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.runAsDenied(user, "_action", message, new String[] { role });
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ auditTrail.authenticationSuccess(realm, user, "_action", message);
+ assertThat(output.size(), is(logEntriesCount++));
+ assertThat(output.get(logEntriesCount - 2), not(containsString("indices=[")));
+ }
+ }
+
 private void assertMsg(Logger logger, Level level, String message) {
 final List output = CapturingLogger.output(logger.getName(), level);
 assertThat(output.size(), is(1));
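Review bot: The bookkeeping in `testRequestsWithoutIndices` is hard to follow: each step post-increments `logEntriesCount` inside `is(...)` and then reads the entry back with `logEntriesCount - 2`, and that pair is repeated for all eleven audit calls. Reading the newest entry directly, `assertThat(output.get(output.size() - 1), not(containsString("indices=[")));`, states the same check without the offset. As far as the hunk shows, the test only adds `events.include = _all` on top of the shared `settings`, so it proves index-less messages are still logged when no ignore policy is set. A companion case that configures an index-based ignore policy and sends the same three messages would cover the path where such an event could be filtered out of the audit log, unless that is already tested elsewhere in this file.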