18 lines
744 B
Plaintext
18 lines
744 B
Plaintext
[role="xpack"]
|
|
[[auditing]]
|
|
== Auditing security events
|
|
|
|
You can enable auditing to keep track of security-related events such as
|
|
authentication failures and refused connections. Logging these events enables you
|
|
to monitor your cluster for suspicious activity and provides evidence in the
|
|
event of an attack.
|
|
|
|
[IMPORTANT]
|
|
============================================================================
|
|
Audit logs are **disabled** by default. To enable this functionality, you
|
|
must set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`.
|
|
============================================================================
|
|
|
|
The audit log persists events to a dedicated `<clustername>_audit.json` file on
|
|
the host's file system (on each node).
|