Index audit output

I'm trying to start Elasticsearch with the index audit logging enabled, but the x-pack plugin is not able to write the events to the cluster. In the logs I only get a lot of these messages:

failed to index audit event: [access_granted]. internal queue is full, which may be caused by a high indexing rate or issue with the destination

Enabling debug logging, I found this:

security audit index template [security_audit_log] does not exist, so service cannot start

How do I install that template?

(elasticsearch 5.1.1)

The template is installed by the master node. Do you have the index output enabled on all nodes including the master?

Thanks, enabling index logging on all nodes worked.
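
The fix described in this thread, shown as an added configuration example that is not part of the original posts: the audit settings go in `elasticsearch.yml` on every node, master nodes included, because the master is the node that installs the `security_audit_log` template. Keeping `logfile` alongside `index` is an assumption made here so that events are still recorded locally if indexing stalls.

```yaml
# elasticsearch.yml (X-Pack 5.x) -- keep these lines identical on EVERY node,
# including dedicated master nodes. If the master lacks the "index" output,
# the security_audit_log template is never installed and the other nodes
# queue audit events until the internal queue fills up.
xpack.security.audit.enabled: true

# "index" writes audit events into the cluster.
# "logfile" is an assumption for this example: a local copy of the events
# that does not depend on the index output working.
xpack.security.audit.outputs: [ index, logfile ]
```

Each node needs a restart to pick up the change, since these are static node settings.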
