[role="xpack"] [[forwarding-audit-logfiles]] === Forwarding audit logs to a remote cluster When you are auditing security events, you can optionally store the logs in an {es} index on a remote cluster. The logs are sent to the remote cluster by using the {javaclient}/transport-client.html[transport client]. . Configure auditing such that the logs are stored in {es} rolling indices. See <>. . Establish a connection to the remote cluster by configuring the following `xpack.security.audit.index.client` settings: + -- [source, yaml] -------------------------------------------------- xpack.security.audit.index.client.hosts: 192.168.0.1, 192.168.0.2 <1> xpack.security.audit.index.client.cluster.name: logging-prod <2> xpack.security.audit.index.client.xpack.security.user: myuser:mypassword <3> -------------------------------------------------- <1> A list of hosts in the remote cluster. If you are not using the default value for the `transport.port` setting on the remote cluster, you must specify the appropriate port number (prefixed by a colon) after each host. <2> The remote cluster name. <3> A valid user and password, which must have authority to create the `.security-audit` index on the remote cluster. For more information about these settings, see {ref}/auditing-settings.html#remote-audit-settings[Remote audit log indexing configuration settings]. -- . If the remote cluster has Transport Layer Security (TLS/SSL) enabled, you must specify extra security settings: .. {ref}/configuring-tls.html#node-certificates[Generate a node certificate on the remote cluster], then copy that certificate to the client. .. Enable TLS and specify the information required to access the node certificate. *** If the signed certificate is in PKCS#12 format, add the following information to the `elasticsearch.yml` file: + -- [source,yaml] ----------------------------------------------------------- xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true xpack.security.audit.index.client.xpack.ssl.keystore.path: certs/remote-elastic-certificates.p12 xpack.security.audit.index.client.xpack.ssl.truststore.path: certs/remote-elastic-certificates.p12 ----------------------------------------------------------- For more information about these settings, see {ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings]. -- *** If the certificate is in PEM format, add the following information to the `elasticsearch.yml` file: + -- [source, yaml] -------------------------------------------------- xpack.security.audit.index.client.xpack.security.transport.ssl.enabled: true xpack.security.audit.index.client.xpack.ssl.key: /home/es/config/audit-client.key xpack.security.audit.index.client.xpack.ssl.certificate: /home/es/config/audit-client.crt xpack.security.audit.index.client.xpack.ssl.certificate_authorities: [ "/home/es/config/remote-ca.crt" ] -------------------------------------------------- For more information about these settings, see {ref}/security-settings.html#auditing-tls-ssl-settings[Auditing TLS settings]. -- .. If you secured the certificate with a password, add the password to your {es} keystore: *** If the signed certificate is in PKCS#12 format, use the following commands: + -- [source,shell] ----------------------------------------------------------- bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.keystore.secure_password bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.truststore.secure_password ----------------------------------------------------------- -- *** If the certificate is in PEM format, use the following commands: + -- [source,shell] ----------------------------------------------------------- bin/elasticsearch-keystore add xpack.security.audit.index.client.xpack.ssl.secure_key_passphrase ----------------------------------------------------------- -- . Restart {es}. When these steps are complete, your audit logs are stored in {es} rolling indices on the remote cluster.