Audit logging in elasticsearch

Elastic Stack Elasticsearch
1

Hi,
I'm trying to enable audit loging in elasticsearch, i have a 3 node cluster and on each elasticsearch.yml i added:

xpack.security.audit.enabled: true
xpack.security.audit.logfile.emit_node_host_address: true

Then i try to make some request to see if it is auditing, i execute:

curl --noproxy 192.168.90.226 --cacert /etc/elasticsearch/certs/ca.crt -u elastic -XGET https://192.168.90.226:9200/_cat/nodes?v

when prompted for password i put the correct one and in another try a wrong password. Nothing is generated in the es-cluster_audit.json file on any node.

I'm using elasticsearch 7.4.

Any idea why i'm not getting a failed login?

thanks

2

What license do you have?

Audit logging is Gold and above - https://www.elastic.co/subscriptions

3

I'm using the free license, but auditing is part of xpack and xpack is now open

Shouldnt it work?

4

If you check that last link you'll see there's a difference based on license levels.

5

so you are saying that even though auditing is part of xpack and xpack is now open, auditing requires gold license, as well as for instance Active Directory integration?

6

Yep, that has always been the case.

7

While the code for X-Pack is available in a public repository, we do not claim that it is "Open Source". See Subscriptions about the different features available.

The default distribution of Elasticsearch includes all of X-Pack, but the default license is "basic".

You can activate a free trial of the commercial features via Kibana (Management -> License) or via the API.