honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-07 13:38:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/x-pack/docs/en/security/auditing/overview.asciidoc
Albert Zaharovits 3f1fec1813
[Docs] audit logfile structured format (#34584) 
Documents the new structured logfile format for auditing
that was introduced by #31931. Most changes herein
are for 6.x . In 7.0 the deprecated format is gone and a
follow-up PR is in order.
2018-10-26 15:19:35 +03:00

39 lines
1.7 KiB
Plaintext
Raw Blame History

[role="xpack"]
[[auditing]]
== Auditing security events
You can enable auditing to keep track of security-related events such as
authentication failures and refused connections. Logging these events enables you
to monitor your cluster for suspicious activity and provides evidence in the
event of an attack.
[IMPORTANT]
============================================================================
Audit logs are **disabled** by default. To enable this functionality, you
must set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`.
============================================================================
{Security} provides two ways to persist audit logs:
* The <<audit-log-output, `logfile`>> output, which persists events to
a dedicated `<clustername>_audit.log` file on the host's file system.
For backwards compatibility reasons, a file named `<clustername>_access.log`
is also generated.
* The <<audit-index, `index`>> output, which persists events to an Elasticsearch
index. The audit index can reside on the same cluster, or a separate cluster.
By default, only the `logfile` output is used when enabling auditing,
implicitly outputing to both `<clustername>_audit.log` and `<clustername>_access.log`.
To facilitate browsing and analyzing the events, you can also enable
indexing by setting `xpack.security.audit.outputs` in `elasticsearch.yml`:
[source,yaml]
----------------------------
xpack.security.audit.outputs: [ index, logfile ]
----------------------------
TIP: If you choose to enable the `index` output type, we strongly recommend that
you still use the `logfile` output as the official record of events. If the
target index is unavailable (for example, during a rolling upgrade), the `index`
output can lose messages.
Reference in New Issue View Git Blame Copy Permalink