Just enabled auditing and noticed in the .security-audit index that the node_host_name is always the IP address of the node. Not sure, but isn't this supposed to be the hostname of the node? The node_name also seems to be empty?
In /etc/elasticsearch/elasticsearch.yml I have defined:
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ index, logfile ]
xpack.security.audit.index.settings:
  index:
    number_of_shards: 1
    number_of_replicas: 1
The .monitoring indexes do seem to list the hostname in the source_node.name field.
Am I missing something?