Elasticsearch | query | ~30 mins

Audit logging in Elasticsearch - Mini Project: Build & Apply

Audit Logging Setup in Elasticsearch
📖 Scenario: You are a system administrator responsible for securing an Elasticsearch cluster. To track all user actions for security and compliance, you need to enable audit logging. Audit logs will record who accessed the system and what actions they performed.
🎯 Goal: Enable audit logging in Elasticsearch by creating the initial configuration, setting the audit log outputs, and verifying that audit logs are generated correctly.
📋 What You'll Learn
Create the initial audit logging configuration in elasticsearch.yml
Add a setting to specify the audit log output file path
Enable audit logging for authentication and access events
Verify audit logs are generated by checking the log output
💡 Why This Matters
🌍 Real World
Audit logging helps organizations track user actions and detect unauthorized access in Elasticsearch clusters.
💼 Career
Security engineers and DevOps professionals use audit logging to meet compliance requirements and improve system security.
Step 1: Create initial audit logging configuration
In the elasticsearch.yml file, add the setting xpack.security.audit.enabled: true to enable audit logging.
Hint: This setting turns on audit logging in Elasticsearch.

Step 2: Configure audit log output file
In the elasticsearch.yml file, add the setting xpack.security.audit.outputs: ["logfile"] to specify that audit logs should be written to a log file.
Hint: This setting tells Elasticsearch to write audit logs to the log file.

Step 3: Enable audit logging for authentication and access events
In the elasticsearch.yml file, add the setting xpack.security.audit.logfile.events.include: ["authentication_success", "access_granted"] to log successful authentication and access events.
Hint: This setting ensures audit logs capture important security events.

Step 4: Verify audit logs are generated
Run the command tail -n 5 /var/log/elasticsearch/elasticsearch_audit.log to display the last 5 lines of the audit log file and verify audit logs are being recorded.
Hint: This command shows recent audit log entries. You should see entries related to authentication and access.
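The tail command only shows that lines are arriving. As an added example (not part of the original exercise), the Python below parses the newline-delimited JSON entries the audit logfile output writes, counts events per user and action, and reports whether both event types configured in step 3 actually appear; the log lines are constructed samples, and the file path is read from the command line rather than assumed.

```python
import json
from collections import Counter

# Constructed sample entries in the newline-delimited JSON shape the Elasticsearch audit
# logfile writes (field names follow the ES audit docs; values are made up; line 4 is truncated).
SAMPLE_AUDIT_LOG = """\
{"type":"audit","timestamp":"2024-01-10T09:00:01,123+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_success","user.name":"alice","user.realm":"native","origin.type":"rest","origin.address":"10.0.0.5:51234","url.path":"/_cluster/health","request.method":"GET"}
{"type":"audit","timestamp":"2024-01-10T09:00:01,130+0000","node.name":"node-1","event.type":"transport","event.action":"access_granted","user.name":"alice","user.realm":"native","origin.type":"rest","origin.address":"10.0.0.5:51234","action":"cluster:monitor/health","indices":[]}
{"type":"audit","timestamp":"2024-01-10T09:02:44,007+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_success","user.name":"bob","user.realm":"native","origin.type":"rest","origin.address":"10.0.0.9:40110","url.path":"/logs-*/_search","request.method":"POST"}
{"type":"audit","timestamp":"2024-01-10T09:02:44,011+0000","node.name":"node-1","event.type":"transport","event.action":"access_gr
"""

# The event types the page's include list enables; each should appear in a healthy log.
EXPECTED_EVENTS = frozenset({"authentication_success", "access_granted"})

def parse_audit_lines(text):
    """Parse NDJSON audit entries -> (entries, malformed_count). A truncated line is counted, not fatal."""
    entries, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if record.get("type") == "audit":  # ignore non-audit lines mixed into the file
            entries.append(record)
    return entries, malformed

def summarize(entries):
    """Count events per (event.action, user.name) so a reviewer sees who did what."""
    return Counter((e.get("event.action"), e.get("user.name", "<anonymous>")) for e in entries)

def missing_event_types(entries, expected=EXPECTED_EVENTS):
    """Configured event types that never appear: a sign the include list did not take effect."""
    return sorted(expected - {e.get("event.action") for e in entries})

def verify_audit_log(text, expected=EXPECTED_EVENTS):
    """Run all checks over raw log text and return one report dict."""
    entries, malformed = parse_audit_lines(text)
    return {"entries": len(entries), "malformed": malformed,
            "by_action_user": summarize(entries), "missing": missing_event_types(entries, expected)}

if __name__ == "__main__":
    import sys  # pass the audit log path as argv[1]; defaults to the constructed sample
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for key, value in verify_audit_log(text).items():
        print(f"{key}: {value}")
```

A non-empty "missing" list after a few logins means the include list or the restart did not take effect, which the tail output alone will not tell you.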