Audit logging in elasticsearch

I'm trying to enable audit loging in elasticsearch, i have a 3 node cluster and on each elasticsearch.yml i added: true true

Then i try to make some request to see if it is auditing, i execute:

curl --noproxy --cacert /etc/elasticsearch/certs/ca.crt -u elastic -XGET

when prompted for password i put the correct one and in another try a wrong password. Nothing is generated in the es-cluster_audit.json file on any node.

I'm using elasticsearch 7.4.

Any idea why i'm not getting a failed login?


What license do you have?

Audit logging is Gold and above -

I'm using the free license, but auditing is part of xpack and xpack is now open

Shouldnt it work?

If you check that last link you'll see there's a difference based on license levels.

so you are saying that even though auditing is part of xpack and xpack is now open, auditing requires gold license, as well as for instance Active Directory integration?

Yep, that has always been the case.

While the code for X-Pack is available in a public repository, we do not claim that it is "Open Source". See Subscriptions about the different features available.

The default distribution of Elasticsearch includes all of X-Pack, but the default license is "basic".

You can activate a free trial of the commercial features via Kibana (Management -> License) or via the API.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.