mtudisco
(mtudisco)
June 24, 2020, 7:22pm
1
Hi,
I'm trying to enable audit logging in Elasticsearch. I have a 3-node cluster, and on each elasticsearch.yml I added:
xpack.security.audit.enabled: true
xpack.security.audit.logfile.emit_node_host_address: true
Then I try to make some requests to see if it is auditing; I execute:
curl --noproxy 192.168.90.226 --cacert /etc/elasticsearch/certs/ca.crt -u elastic -XGET https://192.168.90.226:9200/_cat/nodes?v
When prompted for the password I put the correct one, and in another try a wrong password. Nothing is generated in the es-cluster_audit.json file on any node.
I'm using Elasticsearch 7.4.
Any idea why I'm not getting a failed login?
Thanks
warkolm
(Mark Walkom)
June 24, 2020, 9:58pm
2
What license do you have?
Audit logging is Gold and above - https://www.elastic.co/subscriptions
mtudisco
(mtudisco)
June 24, 2020, 10:27pm
3
I'm using the free license, but auditing is part of X-Pack and X-Pack is now open:
We've opened the code for X-Pack features: security, alerting, monitoring, reporting, graph analytics, dedicated APM UIs, and machine learning.
Shouldn't it work?
warkolm
(Mark Walkom)
June 24, 2020, 10:29pm
4
If you check that last link you'll see there's a difference based on license levels.
mtudisco
(mtudisco)
June 25, 2020, 12:36am
5
So you are saying that even though auditing is part of X-Pack and X-Pack is now open, auditing requires a Gold license, as does, for instance, Active Directory integration?
warkolm
(Mark Walkom)
June 25, 2020, 12:59am
6
Yep, that has always been the case.
dadoonet
(David Pilato)
June 25, 2020, 5:45am
7
While the code for X-Pack is available in a public repository, we do not claim that it is "Open Source". See Subscriptions about the different features available.
The default distribution of Elasticsearch includes all of X-Pack, but the default license is "basic".
You can activate a free trial of the commercial features via Kibana (Management -> License) or via the API.
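The two checks this thread boils down to, as an added example that is not code from the thread or from Elastic: first, whether the license a cluster reports (the real `GET /_license` endpoint) is a level at which audit logging is available, since a "basic" license silently produces no audit file even with `xpack.security.audit.enabled: true`; second, what a working audit log would actually show, by parsing lines in the 7.x JSON audit logfile format and counting `authentication_failed` events per user and source address. The license documents and audit lines below are constructed samples, and the audit field names (`event.action`, `user.name`, `origin.address`) are assumed from the 7.x logfile format rather than taken from the thread.

```python
"""Added example: check Elasticsearch license level for audit logging and
triage a 7.x JSON audit log. Not code from the thread. The license documents
and audit lines are constructed samples; the audit field names are assumed
from the 7.x logfile audit format."""
import json
from collections import Counter

# Subscription levels at which audit logging is available ("Gold and above"
# per the thread; a trial license unlocks the same feature set).
AUDIT_LICENSE_TYPES = {"gold", "platinum", "enterprise", "trial"}

# Constructed: the shape of a GET /_license response on a default cluster
# (type "basic") and on a cluster after starting a trial.
LICENSE_BASIC = '{"license":{"status":"active","type":"basic"}}'
LICENSE_TRIAL = '{"license":{"status":"active","type":"trial"}}'

# Constructed audit lines in the 7.x logfile format (assumed field names).
# Two bad passwords for "elastic" from one host, one for "admin" from another,
# plus one non-JSON line to show the parser skipping junk.
AUDIT_LINES = """\
{"type":"audit","timestamp":"2020-06-24T19:20:01,123+0000","node.id":"n1","event.type":"rest","event.action":"authentication_success","user.name":"elastic","origin.type":"rest","origin.address":"192.168.90.10:51234","url.path":"/_cat/nodes","request.method":"GET"}
{"type":"audit","timestamp":"2020-06-24T19:20:05,456+0000","node.id":"n1","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"192.168.90.10:51236","url.path":"/_cat/nodes","request.method":"GET"}
{"type":"audit","timestamp":"2020-06-24T19:20:09,789+0000","node.id":"n2","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.type":"rest","origin.address":"192.168.90.10:51240","url.path":"/_cat/nodes","request.method":"GET"}
{"type":"audit","timestamp":"2020-06-24T19:21:00,000+0000","node.id":"n2","event.type":"rest","event.action":"authentication_failed","user.name":"admin","origin.type":"rest","origin.address":"10.0.0.7:40001","url.path":"/_security/user","request.method":"GET"}
this line is not JSON and must be skipped
"""


def audit_logging_licensed(license_json: str) -> bool:
    """True if a GET /_license response shows an active license that permits auditing."""
    lic = json.loads(license_json).get("license", {})
    return lic.get("status") == "active" and lic.get("type") in AUDIT_LICENSE_TYPES


def diagnose(license_json: str, audit_enabled: bool) -> str:
    """Explain why es-cluster_audit.json may stay empty, in order of precedence."""
    if not audit_enabled:
        return "xpack.security.audit.enabled is not true in elasticsearch.yml"
    if not audit_logging_licensed(license_json):
        return "license level does not include audit logging (needs Gold or above, or a trial)"
    return "audit logging should be active; check the log directory on each node"


def parse_audit_lines(text: str) -> list:
    """Parse one JSON audit event per line, skipping blank, malformed and non-audit lines."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("type") == "audit":
            events.append(ev)
    return events


def failed_logins_by_source(events: list) -> Counter:
    """Count authentication_failed events keyed by (user, source IP without port)."""
    counts = Counter()
    for ev in events:
        if ev.get("event.action") != "authentication_failed":
            continue
        # origin.address is "ip:port"; rsplit keeps IPv6 addresses intact.
        source_ip = ev.get("origin.address", "?").rsplit(":", 1)[0]
        counts[(ev.get("user.name", "?"), source_ip)] += 1
    return counts


def repeated_failures(events: list, threshold: int = 2) -> list:
    """(user, source IP) pairs with at least `threshold` failed logins, most frequent first."""
    counts = failed_logins_by_source(events)
    return [key for key, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    print("basic license:", diagnose(LICENSE_BASIC, audit_enabled=True))
    print("trial license:", diagnose(LICENSE_TRIAL, audit_enabled=True))
    evs = parse_audit_lines(AUDIT_LINES)
    print(f"{len(evs)} audit events, repeated failures:", repeated_failures(evs))
```

Run against a real cluster, `LICENSE_BASIC` would be replaced by the body of `curl -u elastic --cacert ca.crt https://<node>:9200/_license`, and `AUDIT_LINES` by the contents of `es-cluster_audit.json` from each node's log directory; the parser tolerates the non-JSON lines that appear when files are concatenated or partially rotated.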
system
(system)
Closed
July 23, 2020, 5:45am
8
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.