I added
xpack.security.audit.enabled: true
to my elasticsearch.yml
I expected to see cluster-name_audit.log, but I found cluster_name_access.log. I finally found doc explaining there should be both files, but I can't find any audit.log.
I guess the files would be the same, just duplicated?
The name of the audit log file was changed to <clustername>_index.login version 6.5, before that the file was named <clustername>_access.log but we kept the old file name around for compatibility reasons.
As mentioned in the doc you linked above (which is for version 6.6)
For backwards compatibility reasons, a file named
<clustername>_access.logis also generated.
This means that since you only see <clustername>_access.log, you are probably running Elasticsearch on a version before 6.5 and there is nothing wrong, or nothing more you need to do.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.