Audit logging helps you keep track of who did what and when in your Elasticsearch system. It is like a security camera that records important actions for safety and review.
Audit logging in Elasticsearch
Introduction
You want to see who accessed sensitive data in Elasticsearch.
You need to check if someone changed settings or deleted data.
You want to meet security rules that require tracking user actions.
You want to investigate problems or suspicious activities.
You want to keep a record of system events for future reference.
Syntax
Elasticsearch
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.events.include: [ authentication_success, authentication_failed, access_granted, access_denied ]
Enable audit logging by setting xpack.security.audit.enabled to true.
Choose where to send audit logs using xpack.security.audit.outputs, such as an index or a log file.
Examples
This example enables audit logging and sends only failed login attempts to a log file.
Elasticsearch
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ logfile ]
xpack.security.audit.logfile.events.include: [ authentication_failed ]
This example sends access granted and denied events to a special Elasticsearch index for searching later.
Elasticsearch
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index ]
xpack.security.audit.index.events.include: [ access_granted, access_denied ]
Sample Program
This configuration turns on audit logging and sends important security events to both a log file and an Elasticsearch index. It tracks successful and failed logins, plus access-granted and access-denied events.
Elasticsearch
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.logfile.events.include: [ authentication_success, authentication_failed, access_granted, access_denied ]
xpack.security.audit.index.events.include: [ authentication_success, authentication_failed, access_granted, access_denied ]
Output
Success
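Added example, not part of the original page: a small Python analyser for the JSON audit file that the logfile output writes in Elasticsearch 7.x and later (the index output shown above was removed in 7.0, so the log file is the trail a defender actually reads). It flags source addresses with repeated authentication_failed events inside a sliding time window and lists access_denied actions per user. The log lines, users and addresses are constructed; the field names (timestamp, event.action, user.name, origin.address, action, indices) follow the 7.x JSON audit format.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample entries in the newline-delimited JSON audit format (one event per line).
SAMPLE_AUDIT_LOG = """\
{"type":"audit","timestamp":"2024-03-01T10:00:01,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.5:51504","url.path":"/_security/user","request.method":"GET"}
{"type":"audit","timestamp":"2024-03-01T10:00:02,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.5:51506","url.path":"/_security/user","request.method":"GET"}
{"type":"audit","timestamp":"2024-03-01T10:00:03,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"admin","origin.address":"203.0.113.5:51508","url.path":"/_security/user","request.method":"GET"}
{"type":"audit","timestamp":"2024-03-01T10:00:04,000+0000","event.type":"transport","event.action":"access_denied","user.name":"alice","origin.address":"198.51.100.7:44010","action":"indices:admin/delete","indices":["payroll"]}
"""

def parse_audit_log(text):
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line must not abort the analysis
    return events

def _timestamp(event):
    # Audit timestamps use a comma before the millisecond field.
    return datetime.strptime(event["timestamp"].replace(",", "."), "%Y-%m-%dT%H:%M:%S.%f%z")

def _source_ip(event):
    # origin.address is "host:port"; rsplit keeps a bracketed IPv6 host intact.
    return event.get("origin.address", "unknown").rsplit(":", 1)[0]

def failed_auth_sources(events, threshold=3, window_seconds=300):
    """{source_ip: total_failures} for sources with >= threshold failures inside any window."""
    by_source = defaultdict(list)
    for e in events:
        if e.get("event.action") == "authentication_failed":
            by_source[_source_ip(e)].append(_timestamp(e))
    flagged = {}
    for ip, times in by_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window past events that are too old
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def denied_actions(events):
    """{user: [(action, indices), ...]} for every access_denied event."""
    denied = defaultdict(list)
    for e in events:
        if e.get("event.action") == "access_denied":
            denied[e.get("user.name", "?")].append((e.get("action"), tuple(e.get("indices", []))))
    return dict(denied)
```

On the sample above, failed_auth_sources reports {"203.0.113.5": 3} and denied_actions reports alice's refused delete on the payroll index.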
Important Notes
Audit logging can generate many logs; monitor disk space to avoid full storage.
Use filters to include only important events and reduce noise.
Audit logs help with security compliance and troubleshooting.
Summary
Audit logging records user actions and security events in Elasticsearch.
Enable it by setting xpack.security.audit.enabled to true.
Choose outputs like log files or Elasticsearch indexes to store audit data.