I'm using elk stack in version 6.8.3, I have enabled security function, it's OK. Each beats needs an account to send logs to elasticsearch.
But I would like to track the authentication failed from agent and from Kibana.
I have this in elasticsearch.yml :
xpack.security.audit.outputs: [ "logfile" ]
xpack.security.audit.logfile.events.include: ["access_denied", "authentication_failed", "connection_denied", "anonymous_access_denied", "run_as_denied"]
I have put this on each node.
and in kibana.yml I have this :
I have restarted kibana and elasticsearch, I have configured winlogbeat with a wrong password, I don't see this server in my access.log or audit.log.
I see information in gc.log.0.current but it's not interesting.
What I have missed ?
Thank you for your help.