Elastic
Loading

Configure audit logging

ECE ECK Elastic Cloud Hosted Self Managed Serverless Unavailable

When auditing security events, a single client request might generate multiple audit events across multiple cluster nodes, potentially leading to a high volume of log data and I/O operations. To maintain clarity and ensure logs remain actionable, Elasticsearch and Kibana provide configuration mechanisms to control what events are logged and which can be ignored.

Elasticsearch configuration options include:

  • Elasticsearch audited events settings: Use include and exclude filters to control the types of events that get logged.

  • Elasticsearch node information settings: Control whether to add or hide node information such as hostname or IP address in the audited events.

  • Elasticsearch ignore policies settings: Use ignore policies for fine-grained control over which audit events are printed to the log file.

    Tip

    In Elasticsearch, all auditing settings except xpack.security.audit.enabled are dynamic. This means you can configure them using the cluster update settings API, allowing changes to take effect immediately without requiring a restart. This approach is faster and more convenient than modifying elasticsearch.yml.

For a complete description of event details and format, refer to the following resources:

To control the logs that are outputted by Kibana, you can use Kibana ignore filters. These are a list of filters that determine which events should be excluded from the audit log.

In self-managed systems, you can optionally configure audit logs location, and file/rolling file using Kibana audit logging settings.

Tip

To configure Kibana settings, follow the same procedure as when enabling Kibana audit logs, but apply the relevant settings instead.

For a complete description of auditing event details, such as category, type, or action, refer to Kibana audit events.

  • Consider starting with Elasticsearch xpack.security.audit.logfile.events.include and Kibana ignore filters settings to specify the type of events you want to include or exclude in the auditing output.

  • If you need a more granular control, refer to Elasticsearch audit events ignore policies for a better understanding how ignore policies work and when they are beneficial.

  • Refer to auditing search queries for details on logging request bodies in the Elasticsearch audit logs.

    Important

    Sensitive data may be audited in plain text when including the request body in audit events, even though all the security APIs, such as those that change the user’s password, have the credentials filtered out when audited.