Ambiguous documentation for audit logs

Elasticsearch documentation is ambiguous in audit logs section. Literally says:

If configured, auditing settings must be set on every node in the cluster.

Is that correct? I think with only 1 node we can get all audit logs, the I have a few questions:

  1. Is any node with any role valid to extract the audit events?

  2. The management of the audit event logs that comes by default does not have any type of deletion or storage in Log4j. Is this normal? In principle, it must have a normal retention so that it does not cause any problem.

  3. Is it possible to update the documentation and change the default behavior of Elasticsearch regarding these logs? If it is possible, how can you make a request to update the elastic code?

Greetings and thank you very much in advance

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.