| mapped_pages | applies_to | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
::::{important} Audit logs are only available on certain subscription levels. ::::
You can log security-related events such as authentication failures and refused connections to monitor your cluster for suspicious activity (including data access authorization and user security configuration changes). Audit logging can be enabled independently for {{es}} and {{kib}}.
This section describes how to enable and configure audit logging in both {{es}} and {{kib}} for all supported deployment types, including self-managed clusters, {{ech}}, {{ece}} (ECE), and {{eck}} (ECK).
::::{important} In orchestrated deployments, audit logs must be shipped to a monitoring deployment; otherwise, they remain at container level and won't be accessible to users. For details on configuring log forwarding in orchestrated environments, refer to logging configuration. ::::
When audit logging is enabled, security events are persisted to a dedicated <clustername>_audit.json file on the host’s file system, on every cluster node. For more information, refer to {{es}} logfile audit output.
- If you're using ECE or ECH, then you need to enable monitoring and logging on your deployment. As part of enabling monitoring and logging, you choose a location where logs will be delivered.
- In production environments, consider creating a separate monitoring cluster that can consume the logs.
To enable {{es}} or {{kib}} audit logs, configure xpack.security.audit.enabled to true in all {{es}} or {{kib}} nodes, then restart the nodes to apply the changes. For detailed instructions, select your deployment type:
::::{note} Audit logs are disabled by default and must be explicitly enabled. ::::
::::::{tab-set}
:::::{tab-item} Self-managed
To enable audit logging in {{es}}:
- In all nodes, set
xpack.security.audit.enabledtotrueinelasticsearch.yml. - Restart the cluster by following the rolling restart procedure.
To enable audit logging in {{kib}}:
- Set
xpack.security.audit.enabledtotrueinkibana.yml. - Restart {{kib}}.
To learn how to consume these logs in an {{es}} cluster, refer to . :::::
:::::{tab-item} {{ech}}
To enable audit logging in an {{ech}} deployment:
-
Log in to the {{ecloud}} Console.
-
Find your deployment on the home page or on the Hosted deployments page, then select Manage to access its settings menus.
-
From your deployment menu, go to the Edit page.
-
To enable auditing for {{es}}:
- In the Elasticsearch section, select Manage user settings and extensions. For deployments with existing user settings, you may have to expand the Edit elasticsearch.yml caret for each node instead.
- Add the setting
xpack.security.audit.enabled: true.
-
To enable auditing for {{kib}}:
- In the Kibana section, select Edit user settings. For deployments with existing user settings, you may have to expand the Edit kibana.yml caret instead.
- Add the setting
xpack.security.audit.enabled: true.
-
Select Save changes.
A plan change will run on your deployment. When it finishes, audit logs will be delivered to your monitoring deployment. :::::
:::::{tab-item} ECE
To enable audit logging in an ECE deployment:
-
On the Deployments page, select your deployment.
-
From your deployment menu, go to the Edit page.
-
To enable auditing for {{es}}:
- In the Elasticsearch section, select Edit user settings and plugins. For deployments with existing user settings, you may have to expand the Edit elasticsearch.yml caret for the first node instead.
- Add the setting
xpack.security.audit.enabled: true.
-
To enable auditing for {{kib}}:
- In the Kibana section, select Edit user settings. For deployments with existing user settings, you may have to expand the Edit kibana.yml caret instead.
- Add the setting
xpack.security.audit.enabled: true. - If your {{stack}} version is below 7.6.0, add the setting
logging.quiet: false.
-
Select Save.
A plan change will run on your deployment. When it finishes, audit logs will be delivered to your monitoring deployment. :::::
:::::{tab-item} ECK
To enable audit logging in an ECK-managed cluster, add xpack.security.audit.enabled: true to the config section of each {{es}} nodeSet and to the config section of the {{kib}} object's specification.
The following example shows this configuration, along with logs and metrics delivery towards a remote cluster:
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
spec:
monitoring:
metrics:
elasticsearchRefs:
- name: monitoring
namespace: observability
logs:
elasticsearchRefs:
- name: monitoring
namespace: observability
nodeSets:
- name: default
config:
xpack.security.audit.enabled: true
---
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
spec:
monitoring:
metrics:
elasticsearchRefs:
- name: monitoring
namespace: observability
logs:
elasticsearchRefs:
- name: monitoring
namespace: observability
config:
xpack.security.audit.enabled: trueWhen enabled, audit logs are collected and shipped to the monitoring cluster referenced in the monitoring.logs section. If monitoring is not enabled, audit logs will only be visible at container level.
:::::
::::::
You can configure additional options to control what events are logged and what information is included in the audit log. For more information, refer to .