Elasticsearch documentation is ambiguous in audit logs section. Literally says:
If configured, auditing settings must be set on every node in the cluster.
Is that correct? I think with only 1 node we can get all audit logs, then I have a few questions:
- Is any node with any role valid to extract the audit events?
- The management of the audit event logs that comes by default does not have any type of deletion or storage in Log4j. Is this normal? In principle, it must have a normal retention so that it does not cause any problem.
- Is it possible to update the documentation and change the default behavior of elasticsearch regarding these logs? If it is possible, how can you make a request to update the elastic code?
Greetings and thank you very much in advance
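As an added example (not from the post above or from Elastic's shipped files): the audit setting that has to be present on every node, because each node only writes the audit events for requests it handles itself, and a log4j2.properties audit appender shown first with rollover but no deletion, then with a DefaultRolloverStrategy Delete action that prunes rolled audit files. The 30-day age, the file-name glob and the omission of the shipped layout lines are assumptions for this illustration.

```properties
# elasticsearch.yml -- must be set on EVERY node; a node with auditing
# disabled simply writes nothing for the requests it serves.
#   xpack.security.audit.enabled: true

# log4j2.properties -- audit appender with daily rollover only: rolled
# files accumulate on disk forever because no deletion action is defined.
# (The layout.* lines are unchanged from the shipped file and omitted here.)
appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.json
appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.json
appender.audit_rolling.policies.type = Policies
appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_rolling.policies.time.interval = 1
appender.audit_rolling.policies.time.modulate = true

# Added retention: at each rollover, delete rolled audit files in the log
# directory whose name matches the glob and that are older than 30 days.
# 30d is an assumed retention period; choose one that fits your policy.
appender.audit_rolling.strategy.type = DefaultRolloverStrategy
appender.audit_rolling.strategy.fileIndex = nomax
appender.audit_rolling.strategy.action.type = Delete
appender.audit_rolling.strategy.action.basepath = ${sys:es.logs.base_path}
appender.audit_rolling.strategy.action.condition.type = IfFileName
appender.audit_rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}_audit-*.json
appender.audit_rolling.strategy.action.condition.nested_condition.type = IfLastModified
appender.audit_rolling.strategy.action.condition.nested_condition.age = 30d

# Route the audit trail logger to this appender only (additivity off so
# audit events do not also land in the main server log).
logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
```

The Delete action runs only when a rollover occurs and removes files on that node's local disk, so ship the audit files off-host (for example with a log shipper) before they age out if they must be kept longer than the local retention window.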