Ambiguous documentation for audit logs

cmendez92 · May 11, 2022, 9:14pm

Elasticsearch documentation is ambiguous in audit logs section. Literally says:

If configured, auditing settings must be set on every node in the cluster.

Is that correct? I think with only 1 node we can get all audit logs, the I have a few questions:

Is any node with any role valid to extract the audit events?
The management of the audit event logs that comes by default does not have any type of deletion or storage in Log4j. Is this normal? In principle, it must have a normal retention so that it does not cause any problem.
Is it possible to update the documentation and change the default behavior of elasticsearch regarding these logs? If it is possible, how can you make a request to update the elastic code?

Greetings and thank you very much in advance

system · June 8, 2022, 9:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch Audit Logs are Incomplete and lacks important information Elasticsearch elastic-stack-monitoring , elastic-stack-security	1	12	December 20, 2024
Issues with Audit Log Elasticsearch	8	1236	January 4, 2018
Elasticsearch Audit not supported, but still got entries Elasticsearch	4	534	January 11, 2021
Audit logs stop on certain nodes in cluster Elasticsearch elastic-stack-security	8	378	March 6, 2023
Elasticsearch Auditing Files in docker container can not be found Elasticsearch docker	3	591	November 11, 2019