mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-24 23:27:25 -04:00
**Problem:** For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`.

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
31 lines
1.2 KiB
Text
[role="xpack"]
[[enable-audit-logging]]
== Enable audit logging

You can log security-related events such as authentication failures, refused connections,
data access authorization decisions, and user security configuration changes to monitor
your cluster for suspicious activity.

Audit logging also provides forensic evidence in the event of an attack.

[IMPORTANT]
============================================================================
Audit logs are **disabled** by default. You must explicitly enable audit logging.
============================================================================
--
TIP: Audit logs are only available on certain subscription levels.
For more information, see {subscriptions}.
--

To enable audit logging:

. Set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`.
. Restart {es}.

When audit logging is enabled, <<audit-event-types, security events>> are written to
a dedicated `<clustername>_audit.json` file on the local file system of every cluster node;
there is no single cluster-wide audit file, so collect the log from each node.
For more information, see <<audit-log-output>>.

You can configure additional options to control which events are logged and
what information is included in the audit log.
For more information, see <<auditing-settings>>.
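The following Python script is an added example of the kind of triage the per-node `<clustername>_audit.json` file supports once auditing is enabled; it is not part of the {es} documentation or code base. It reads newline-delimited JSON audit records, groups `authentication_failed` events by source host, lists `connection_denied` events from IP filtering, and lists user and role changes. The field names (`type`, `event.type`, `event.action`, `user.name`, `origin.address`, `node.name`) follow the JSON audit event format; the sample log lines are constructed for the demo rather than captured from a real cluster, and the failure threshold and the `CONFIG_CHANGE_ACTIONS` set are assumptions to check against <<audit-event-types>>.

```python
"""Triage an Elasticsearch JSON audit log (the per-node <clustername>_audit.json).

Added example, not Elasticsearch code. Field names follow the JSON audit event
format; SAMPLE_AUDIT_LOG is constructed, and the threshold and action set are
assumptions that should be checked against the audit event type reference.
"""
import json
from collections import Counter

# Constructed sample: one JSON object per line, as the logfile output writes them.
# It contains a password-guessing pattern from one host, one refused connection,
# one user-management change, and a truncated final line (node stopped mid-write).
SAMPLE_AUDIT_LOG = "\n".join([
    '{"type":"audit","timestamp":"2024-05-01T10:00:01,120+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"203.0.113.7:51120","url.path":"/_cluster/health","request.id":"r1"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:02,310+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"203.0.113.7:51121","url.path":"/_cluster/health","request.id":"r2"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:03,005+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"kibana_system","origin.type":"rest","origin.address":"203.0.113.7:51122","url.path":"/_security/_authenticate","request.id":"r3"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:09,440+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_failed","user.name":"admin","origin.type":"rest","origin.address":"198.51.100.2:40010","url.path":"/_security/_authenticate","request.id":"r4"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:12,900+0000","node.name":"node-1","event.type":"rest","event.action":"authentication_success","user.name":"admin","user.realm":"native","origin.type":"rest","origin.address":"198.51.100.2:40011","url.path":"/_security/_authenticate","request.id":"r5"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:15,000+0000","node.name":"node-2","event.type":"ip_filter","event.action":"connection_denied","origin.type":"transport","origin.address":"192.0.2.9:4440","transport.profile":"default","rule":"deny 192.0.2.0/24"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:20,700+0000","node.name":"node-1","event.type":"security_config_change","event.action":"put_user","user.name":"admin","user.realm":"native","origin.type":"rest","origin.address":"198.51.100.2:40012","request.id":"r6"}',
    '{"type":"audit","timestamp":"2024-05-01T10:00:21,',
])

# event.action values that change users, roles or mappings (assumed set; the
# authoritative list is the security_config_change section of audit-event-types).
CONFIG_CHANGE_ACTIONS = {
    "put_user", "delete_user", "change_password", "change_enable_user",
    "change_disable_user", "put_role", "delete_role",
    "put_role_mapping", "delete_role_mapping",
}


def parse_audit_log(text):
    """Parse newline-delimited JSON audit records, skipping anything unparseable."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            # A truncated line must not abort the whole triage: report and continue.
            print(f"skipping unparseable line {lineno}")
            continue
        if record.get("type") == "audit":
            events.append(record)
    return events


def source_host(event):
    """Drop the ephemeral port from origin.address so retries group by host."""
    addr = event.get("origin.address", "")
    host, _sep, _port = addr.rpartition(":")
    return host or addr


def failed_logins_by_source(events, threshold=3):
    """Hosts with at least `threshold` authentication_failed events."""
    counts = Counter(source_host(e) for e in events
                     if e.get("event.action") == "authentication_failed")
    return {host: n for host, n in counts.items() if n >= threshold}


def refused_connections(events):
    """origin.address of every IP-filter connection_denied event."""
    return [e.get("origin.address") for e in events
            if e.get("event.type") == "ip_filter"
            and e.get("event.action") == "connection_denied"]


def security_config_changes(events):
    """(actor, action, node) for user/role changes worth reviewing after an incident."""
    return [(e.get("user.name"), e["event.action"], e.get("node.name")) for e in events
            if e.get("event.type") == "security_config_change"
            and e.get("event.action") in CONFIG_CHANGE_ACTIONS]


def triage(text, threshold=3):
    """Summarise one node's audit file; run it over every node's file, not just one."""
    events = parse_audit_log(text)
    return {
        "events": len(events),
        "brute_force_sources": failed_logins_by_source(events, threshold),
        "refused_connections": refused_connections(events),
        "config_changes": security_config_changes(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{key}: {value}")
```

Because each node writes only its own `<clustername>_audit.json`, a real investigation runs `triage` over the file collected from every node and merges the results; a brute-force attempt spread across nodes by a load balancer shows up only in the merged view.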