Enable Auditing

When you enable auditing, Shield stores a record of attempted and successful interactions with your Elasticsearch cluster. You can use this information to keep track of who is doing what to your cluster and identify potential security issues.

To enable auditing, add the following setting to elasticsearch.yml:

shield.audit.enabled: true

By default, events are logged to a dedicated elasticsearch-access.log file in ES_HOME/logs. You can also store the events in an Elasticsearch index for easier analysis and control what events are logged. For more information, see Configuring Auditing.