What is the main purpose of enabling audit logging in Elasticsearch?
Think about what audit logs are generally used for in security contexts.
Audit logging records security events like user logins, access denials, and configuration changes to help track and investigate security issues.
Which configuration snippet correctly enables audit logging for all events in Elasticsearch?
Look for the setting that enables audit logging and includes all events.
Setting xpack.security.audit.enabled to true turns on audit logging. Including ["*"] means all events are logged.
Given that audit logging is enabled, what value is expected in the key field (the action) of the audit log entry when a user fails to log in?
Think about what action describes a failed login attempt.
The audit log records failed login attempts with the action labeled as authentication_failed.
You enabled audit logging in Elasticsearch but no audit logs appear in the log files. Which is the most likely cause?
Consider file permissions and where logs are written.
If Elasticsearch cannot write to the audit log file path because of file permissions, no audit logs will appear even though audit logging is enabled.
What is a recommended best practice to manage the size and retention of Elasticsearch audit logs in a production environment?
Think about automated ways to keep logs manageable over time.
Using rollover and ILM policies automates audit log management, ensuring logs do not grow indefinitely and comply with retention requirements.