Original English version: https://www.elastic.co/guide/en/elasticsearch/reference/7.7/enable-audit-logging.html. The original document is copyrighted by www.elastic.co.
Local English version: ../en/enable-audit-logging.html
Important: no further bug fixes or documentation updates will be released for this version. For the latest information, see the current version of the documentation.
Enabling audit logging
You can log security-related events such as authentication failures and refused connections to monitor your cluster for suspicious activity. Audit logging also provides forensic evidence in the event of an attack.
Audit logs are disabled by default. You must explicitly enable audit logging.
To enable audit logging:
- Set xpack.security.audit.enabled to true in elasticsearch.yml.
- Restart Elasticsearch.
When audit logging is enabled, security events are persisted to a dedicated <clustername>_audit.json file on the host's file system (on each node).
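As an added example (not part of the Elastic documentation), the following Python script scans the <clustername>_audit.json file described above for the two event kinds this page mentions, authentication failures and refused connections, and reports which source addresses are generating them. The sample lines are constructed, and the field names used (event.action, origin.address, and so on) are assumed to follow the 7.x newline-delimited JSON audit event format.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of Elasticsearch 7.x audit events.
# The field names are assumed from the 7.x audit format; the values are made up.
# The last line is deliberately malformed: a file read while a node is still
# writing to it can contain a torn line, and the scan must not abort on it.
SAMPLE_AUDIT_LINES = """\
{"type":"audit","timestamp":"2020-05-01T10:00:00,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"203.0.113.7:51234","url.path":"/_cluster/health","request.method":"GET"}
{"type":"audit","timestamp":"2020-05-01T10:00:01,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"203.0.113.7:51235","url.path":"/_cluster/health","request.method":"GET"}
{"type":"audit","timestamp":"2020-05-01T10:00:02,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"kibana","origin.type":"rest","origin.address":"10.0.0.4:40001","url.path":"/_security/_authenticate","request.method":"GET"}
{"type":"audit","timestamp":"2020-05-01T10:00:03,000+0000","event.type":"ip_filter","event.action":"connection_denied","origin.type":"rest","origin.address":"198.51.100.9:4444","transport.profile":"default","rule":"deny _all"}
{"type":"audit","timestamp":"2020-05-01T10:00:04,000+0000","event.type":"rest","event.act
"""

FAILURE_ACTIONS = {"authentication_failed", "realm_authentication_failed"}


def parse_audit_lines(text):
    """Parse newline-delimited JSON audit events, skipping lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn write or foreign line: skip it, keep scanning
        if event.get("type") == "audit":
            events.append(event)
    return events


def source_ip(event):
    """origin.address is 'ip:port' (or '[v6addr]:port'); return only the host part."""
    host, _, _ = event.get("origin.address", "").rpartition(":")
    return host.strip("[]")


def summarize(events, failure_threshold=2):
    """Count auth failures per source and refused connections; flag noisy sources."""
    failures = Counter(source_ip(e) for e in events if e.get("event.action") in FAILURE_ACTIONS)
    denied = sum(1 for e in events if e.get("event.action") == "connection_denied")
    return {
        "auth_failures_by_source": dict(failures),
        "connections_denied": denied,
        "sources_over_threshold": sorted(ip for ip, n in failures.items() if n >= failure_threshold),
    }


if __name__ == "__main__":
    print(summarize(parse_audit_lines(SAMPLE_AUDIT_LINES)))
```

On a real node, replace SAMPLE_AUDIT_LINES with the contents of the <clustername>_audit.json file from the node's log directory.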
You can configure additional options to control what events are logged and what information is included in the audit log. For more information, see Auditing settings.