Elasticsearch Mastering Elasticsearch Audit Logging for Enhanced Security and Compliance

By Opster Team

Updated: Oct 31, 2023

| 2 min read

Quick links


Elasticsearch Audit Logging is a critical component in maintaining the security and compliance of your Elasticsearch clusters. It provides a detailed record of all activities and changes that occur within the cluster, allowing administrators to monitor, troubleshoot, and audit operations effectively.

It is worth noting that the audit log feature requires at least a Platinum license. However, you can still try this feature by converting your basic license to a trial one, which gives you access to all features for 30 days.

Understanding the Importance of Audit Logging

Audit logging is essential for several reasons. It helps in identifying unauthorized access attempts, tracking changes made to the cluster, and ensuring compliance with various regulatory standards. By keeping a detailed record of all activities, administrators can quickly identify and respond to potential security threats, ensuring the integrity and security of the data stored within the Elasticsearch cluster.

Configuring Elasticsearch Audit Logging

To enable audit logging in Elasticsearch, you need to make changes to the `elasticsearch.yml` configuration file. Here are the steps to follow:

1. Open the `elasticsearch.yml` file in a text editor.
2. Add the following lines to the file:

xpack.security.audit.enabled: true

This line enables the audit logging feature.

3. Save and close the file.
4. Restart the Elasticsearch service for the changes to take effect.

By default, Elasticsearch logs most of the auditable events, such as access_denied, access_granted, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted, security_config_change.

However, you can customize the types of events that are logged by modifying the `xpack.security.audit.logfile.events.include` and `xpack.security.audit.logfile.events.exclude` settings in the `elasticsearch.yml` file.

Understanding Audit Log Events

Elasticsearch audit logs contain a wealth of information about each event, including the event type, the user who performed the action, the action’s timestamp, and more. Here are some of the key fields you’ll find in an audit log entry:

– `event.type`: This field indicates the origin of the event, such as rest, transport, ip_filter, security_config_change or local_node.
– `event.action`: This field describes the kind of action that was performed, such as authentication_success, authentication_failed, user_logged_in or access_denied.
– `user.name`: This field shows the name of the user who performed the action.
– `timestamp`: This field shows the date and time when the event occurred.

Analyzing Audit Logs

Analyzing audit logs can provide valuable insights into the operations and security of your Elasticsearch cluster. For instance, by monitoring authentication_failed events, you can identify potential brute force attacks. Similarly, by tracking access_granted events, you can ensure that users only have access to the data they are supposed to.

When enabled, audit logs are logged into a file called `{cluster.name}_audit.log`. So, to analyze audit logs, you must first ingest the audit logs file into an index, using Filebeat for instance. When done, you can use the Elasticsearch query DSL to search for specific events or patterns. For example, the following query returns all authentication_failed events:

GET /my_audit_log/_search
  "query": {
    "match": {
      "event.action": "authentication_failed"


In conclusion, Elasticsearch Audit Logging is a powerful tool for maintaining the security and compliance of your Elasticsearch clusters. By understanding how to enable, configure, and analyze audit logs, you can effectively monitor and control access to your data, ensuring the integrity and security of your Elasticsearch environment. 

How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?