You can enable auditing to keep track of security-related events such as authentication failures and refused connections. Logging these events enables you to monitor your cluster for suspicious activity and provides evidence in the event of an attack.
Audit logs are disabled by default. To enable this functionality, you
X-Pack security provides two ways to persist audit logs:
logfileoutput, which persists events to a dedicated
<clustername>_audit.logfile on the host’s file system. For backwards compatibility reasons, a file named
<clustername>_access.logis also generated.
indexoutput, which persists events to an Elasticsearch index. The audit index can reside on the same cluster, or a separate cluster.
By default, only the
logfile output is used when enabling auditing,
implicitly outputing to both
To facilitate browsing and analyzing the events, you can also enable
indexing by setting
xpack.security.audit.outputs: [ index, logfile ]
If you choose to enable the
index output type, we strongly recommend that
you still use the
logfile output as the official record of events. If the
target index is unavailable (for example, during a rolling upgrade), the
output can lose messages.