What is Audit logging in Elasticsearch?

Audit logging helps you keep track of who did what and when in your Elasticsearch system. It is like a security camera that records important actions for safety and review.

Audit logging in Elasticsearch - Syntax, Examples & Explanation

Practice

(1/5)

1. What is the main purpose of audit logging in Elasticsearch?

easy

A. To record user actions and security events

B. To improve search speed

C. To backup data automatically

D. To monitor cluster health

Solution

Step 1: Understand audit logging function
Audit logging tracks what users do and records security-related events.
Step 2: Compare with other options
Improving search speed, backing up data, or monitoring cluster health are different Elasticsearch features.
Final Answer:
To record user actions and security events -> Option A
Quick Check:
Audit logging = record user actions [OK]

Hint: Audit logging tracks user and security events only [OK]

Common Mistakes:

Confusing audit logging with backup or monitoring
Thinking it speeds up search queries
Assuming it manages cluster health

2. Which setting enables audit logging in Elasticsearch's configuration file?

easy

A. security.audit.log: on

B. xpack.security.audit.enabled: true

C. audit.logging.enabled: yes

D. xpack.audit.security: enabled

Solution

Step 1: Identify correct setting syntax
The official setting to enable audit logging is xpack.security.audit.enabled set to true.
Step 2: Check other options for correctness
Other options use incorrect keys or values not recognized by Elasticsearch.
Final Answer:
xpack.security.audit.enabled: true -> Option B
Quick Check:
Enable audit logging = xpack.security.audit.enabled true [OK]

Hint: Look for 'xpack.security.audit.enabled' set to true [OK]

Common Mistakes:

Using incorrect key names
Using 'yes' or 'on' instead of true
Mixing audit and security keys

3. Given this audit logging config snippet:

 xpack.security.audit.enabled: true
 xpack.security.audit.outputs: ["logfile", "index"]

What does this configuration do?

medium

A. Enables audit logging and sends data to log files and Elasticsearch index

B. Disables audit logging but logs to file

C. Enables audit logging but only logs to console

D. Enables audit logging but stores data only in memory

Solution

Step 1: Analyze 'enabled' setting
Setting xpack.security.audit.enabled: true turns audit logging on.
Step 2: Analyze 'outputs' setting
Outputs set to ["logfile", "index"] means audit data is saved to log files and Elasticsearch indexes.
Final Answer:
Enables audit logging and sends data to log files and Elasticsearch index -> Option A
Quick Check:
Enabled + logfile and index outputs = Enables audit logging and sends data to log files and Elasticsearch index [OK]

Hint: Enabled true + outputs list means multiple destinations [OK]

Common Mistakes:

Assuming logging is disabled
Thinking output is only console
Ignoring multiple output destinations

4. You enabled audit logging with xpack.security.audit.enabled: true but see no audit logs. What is a likely cause?

medium

A. User permissions prevent audit logging

B. Elasticsearch cluster is offline

C. Audit logging requires a restart of Kibana

D. Audit outputs are not configured, so logs have no destination

Solution

Step 1: Check audit logging enablement
Audit logging is enabled, so it should produce logs if outputs are set.
Step 2: Verify output configuration
If xpack.security.audit.outputs is missing or empty, logs have nowhere to go, so no logs appear.
Final Answer:
Audit outputs are not configured, so logs have no destination -> Option D
Quick Check:
Enabled but no outputs = no logs [OK]

Hint: Check audit outputs setting if no logs appear [OK]

Common Mistakes:

Assuming cluster offline without checking
Restarting Kibana instead of Elasticsearch
Blaming user permissions without audit config check

5. You want to audit only authentication events and store them in a dedicated Elasticsearch index. Which configuration snippet achieves this?

hard

A. xpack.security.audit.enabled: true xpack.security.audit.outputs: ["index", "logfile"] xpack.security.audit.categories: ["access_denied"]

B. xpack.security.audit.enabled: true xpack.security.audit.outputs: ["logfile"] xpack.security.audit.categories: ["access_granted"]

C. xpack.security.audit.enabled: true xpack.security.audit.outputs: ["index"] xpack.security.audit.categories: ["authentication"]

D. xpack.security.audit.enabled: false xpack.security.audit.outputs: ["index"] xpack.security.audit.categories: ["authentication"]

Solution

Step 1: Enable audit logging
Set xpack.security.audit.enabled: true to turn on audit logging.
Step 2: Set output to Elasticsearch index only
Use xpack.security.audit.outputs: ["index"] to store logs in an index.
Step 3: Filter to authentication events
Set xpack.security.audit.categories: ["authentication"] to audit only authentication events.
Final Answer:
Enable audit, output to index, filter authentication events -> Option C
Quick Check:
Enable + index output + authentication category = xpack.security.audit.enabled: true xpack.security.audit.outputs: ["index"] xpack.security.audit.categories: ["authentication"] [OK]

Hint: Enable true + output index + category authentication [OK]

Common Mistakes:

Disabling audit logging by mistake
Choosing wrong categories like access_granted
Using logfile output instead of index only

Start learning this pattern below

Practice

Solution

Step 1: Understand audit logging function

Step 2: Compare with other options

Final Answer:

Quick Check:

Solution

Step 1: Identify correct setting syntax

Step 2: Check other options for correctness

Final Answer:

Quick Check:

Solution

Step 1: Analyze 'enabled' setting

Step 2: Analyze 'outputs' setting

Final Answer:

Quick Check:

Solution

Step 1: Check audit logging enablement

Step 2: Verify output configuration

Final Answer:

Quick Check:

Solution

Step 1: Enable audit logging

Step 2: Set output to Elasticsearch index only

Step 3: Filter to authentication events

Final Answer:

Quick Check: