Enable auditingedit

With auditing enabled you can keep track of security-related events, such as successful and unsuccessful authorization attempts on the cluster. In Elastic Cloud Enterprise, in order to see audit events for both Elasticsearch and Kibana, you need to enable auditing for each component separately.

To enable auditing for Elasticsearch:

  1. Log into the Cloud UI.
  2. On the Deployments page, select your deployment.

    Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.

  3. From your deployment menu, go to the Edit page.
  4. At the bottom of the first Elasticsearch node, expand the User settings overrides caret.
  5. Add the setting xpack.security.audit.enabled: true.
  6. Click Save.

For more information and other available auditing settings in Elasticsearch, see Auditing security settings.

To enable auditing for Kibana:

  1. Log into the Cloud UI.
  2. On the Deployments page, select your deployment.

    Narrow the list by name, ID, or choose from several other filters. To further define the list, use a combination of filters.

  3. From your deployment menu, go to the Edit page.
  4. At the bottom of the Kibana instance, expand the User settings overrides caret.
  5. Add the setting xpack.security.audit.enabled: true.
  6. If your Elastic Stack version is below 7.6.0, add the setting logging.quiet: false.
  7. Click Save.

For more information about audit logging in Kibana, see Audit Logging.