Audit logs or other way to ensure integrity of the logs

raulgs · September 3, 2020, 6:35am

Hi all,

I am wondering if audit logging like described here (https://www.elastic.co/guide/en/elasticsearch/reference/current/enable-audit-logging.html) is also available for elastic cloud on kubernetes deployments. If so I am wondering about where the _audit.json file is being stored, if it is protected against deletion and if it also logs events like for example index deletion?

I am trying to ensure that in case that someone unauthorized gets access to the cluster and for example tries to delete his traces we do have logs that show it.

sebgl · September 3, 2020, 7:18am

You can set xpack.security.audit.enabled : true in the config section of the Elasticsearch resource.

All audit logs end up in stdout by default.

One way to grab those is to setup filebeat so all logs from the Elasticsearch Pods are sent to a single logging cluster.

raulgs · September 3, 2020, 8:34am

Awesome thanks for you fast response
Filebeats detects the audit logs and they can be filtered with fileset.name: audit

Is there also a way to protect the specific index from being deleted?

Topic		Replies	Views
ES K8s (AKS) auditlogs via filebeat Beats filebeat	6	2261	May 1, 2020
Audit logging in Elastic Cloud Kibana	3	215	January 31, 2024
Logs of an Elasticsearch Elastic Cloud on Kubernetes (ECK)	6	1068	November 4, 2022
Auditbeat, filebeat and journalbeat in kubernetes Beats elastic-stack-security , filebeat , elastic-agent	2	470	January 12, 2022
How to confirm audit logging is enabled Elasticsearch	4	375	June 16, 2021

Audit logs or other way to ensure integrity of the logs

Related topics