
In Elasticsearch, up to version 6.2 the security audit log could be sent to an Elasticsearch index by setting this line in the elasticsearch.yml file:

xpack.security.audit.outputs: [ index, logfile ]

https://www.elastic.co/guide/en/x-pack/current/auditing.html#audit-log-settings

In version 7.x the audit logs can only be written to clustername_audit.json or the console.

My question is: how can the audit logs be sent to an ES index in version 7.x, just like in 6.2? Is there any such option anymore?

Thanks!

DeanM987

1 Answer


Yep, the option to send the audit logs directly to an index is gone. You should install Filebeat on each of the Elasticsearch machines and feed the audit log into the cluster, the same way you should do with the cluster log.

https://www.elastic.co/de/blog/indexing-elasticsearch-audit-logs-with-filebeat

ibexit
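A worked configuration for the Filebeat route the answer describes, added here as an example; it is not code from the question, the answer or the linked Elastic blog post. It covers the two pieces that have to line up: auditing must be switched on in elasticsearch.yml (it is off by default in 7.x, and nothing is written to clustername_audit.json until it is), and the Filebeat elasticsearch module's audit fileset must point at that file on every node. The hostname, the filebeat_writer user, the CA path and the event filter list are assumed values, and path.logs is assumed to be the package default /var/log/elasticsearch.

```yaml
# --- elasticsearch.yml (every node, Elasticsearch 7.x) ---
# Auditing is disabled by default; with it enabled each node writes
# $path.logs/<cluster_name>_audit.json. The include list below is an
# assumed, narrowed selection (the defaults also log granted events);
# keep the defaults if you want a full access trail.
xpack.security.enabled: true
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.include:
  - access_denied
  - authentication_failed
  - connection_denied
  - tampered_request
  - run_as_denied
# Request bodies can carry credentials or PII; leave them out of the audit log.
xpack.security.audit.logfile.events.emit_request_body: false

---
# --- /etc/filebeat/modules.d/elasticsearch.yml (every node) ---
# The audit fileset parses the JSON audit file; the server fileset ships the
# regular cluster log the answer mentions. Paths assume path.logs is the
# package default.
- module: elasticsearch
  audit:
    enabled: true
    var.paths:
      - /var/log/elasticsearch/*_audit.json
  server:
    enabled: true
    var.paths:
      - /var/log/elasticsearch/*_server.json

---
# --- /etc/filebeat/filebeat.yml (every node) ---
# Ship to a separate monitoring cluster (assumed hostname) rather than back
# into the audited cluster, so someone who gains write access to the audited
# cluster cannot delete their own trail. The password comes from the
# environment (Filebeat expands ${VAR}); the keystore works the same way.
output.elasticsearch:
  hosts: ["https://es-monitoring.example.internal:9200"]
  username: "filebeat_writer"          # assumed role-restricted user, not a superuser
  password: "${FILEBEAT_PASSWORD}"
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
  ssl.verification_mode: full          # reject a MITM presenting a mismatched cert

setup.ilm.enabled: true
```

Enable the module with `filebeat modules enable elasticsearch`, run `filebeat setup` once against the monitoring cluster to load the index template and ingest pipelines, then start the service. Two checks worth doing before trusting the pipeline: confirm the audit file actually appears after a failed login (if `path.logs` is not the package default, `var.paths` must be changed to match), and give `filebeat_writer` a role limited to writing the `filebeat-*` indices so that a leaked Filebeat credential cannot be used to read or alter the audit data it ships.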