Audit logs or other way to ensure integrity of the logs

Hi all,

I am wondering if audit logging like described here (https://www.elastic.co/guide/en/elasticsearch/reference/current/enable-audit-logging.html) is also available for Elastic Cloud on Kubernetes deployments. If so, I am wondering where the _audit.json file is being stored, if it is protected against deletion, and if it also logs events like, for example, index deletion?

I am trying to ensure that in case that someone unauthorized gets access to the cluster and for example tries to delete his traces we do have logs that show it.

You can set xpack.security.audit.enabled : true in the config section of the Elasticsearch resource.

All audit logs end up in stdout by default.

One way to grab those is to set up Filebeat so all logs from the Elasticsearch Pods are sent to a single logging cluster.

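As an added example (not code from this thread or from Elastic), a small defender-side check over the audit JSON that Elasticsearch writes to the Pod's stdout once `xpack.security.audit.enabled: true` is set, picking out index deletions whether they were granted or denied. The sample lines are constructed; field names follow the Elasticsearch audit log format, and the check assumes `access_granted` events are in `xpack.security.audit.logfile.events.include` (it is in the default set).

```python
import json

# Constructed sample of audit events as they appear on a Pod's stdout
# (one JSON object per line). Values are made up; field names follow the
# Elasticsearch audit log format. A non-audit server log line is mixed in
# because stdout carries both kinds of output.
SAMPLE_AUDIT_LINES = """\
{"type":"server","timestamp":"2023-01-01T09:59:00,000+0000","level":"INFO","message":"started"}
{"type":"audit","timestamp":"2023-01-01T10:00:00,000+0000","event.type":"transport","event.action":"access_granted","user.name":"analyst","user.realm":"native","user.roles":["viewer"],"action":"indices:data/read/search","indices":["logs-000001"]}
{"type":"audit","timestamp":"2023-01-01T10:05:00,000+0000","event.type":"transport","event.action":"access_denied","user.name":"analyst","user.realm":"native","user.roles":["viewer"],"action":"indices:admin/delete","indices":["logs-000001"]}
{"type":"audit","timestamp":"2023-01-01T10:06:00,000+0000","event.type":"transport","event.action":"access_granted","user.name":"elastic","user.realm":"reserved","user.roles":["superuser"],"action":"indices:admin/delete","indices":["logs-000001"]}
"""

# Transport actions that destroy data; "indices:admin/delete" is what an
# index deletion is recorded as, delete-by-query is the document-level form.
DESTRUCTIVE_ACTIONS = ("indices:admin/delete", "indices:data/write/delete/byquery")


def parse_audit_lines(text):
    """Yield only the audit events from mixed stdout text, skipping junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or non-JSON lines are ignored, not fatal
        if event.get("type") == "audit":
            yield event


def destructive_events(text):
    """Return (outcome, user, action, indices) for every deletion that was
    attempted (access_denied) or carried out (access_granted)."""
    hits = []
    for ev in parse_audit_lines(text):
        outcome = ev.get("event.action")
        action = ev.get("action", "")
        if outcome in ("access_granted", "access_denied") and action.startswith(DESTRUCTIVE_ACTIONS):
            hits.append((outcome, ev.get("user.name"), action, tuple(ev.get("indices", []))))
    return hits


if __name__ == "__main__":
    for hit in destructive_events(SAMPLE_AUDIT_LINES):
        print(hit)
```

The denied attempt by the low-privilege user and the granted deletion by the superuser both surface, which is exactly the trail the original question is after; because the events leave the Pod on stdout before anything is deleted inside the cluster, shipping them to a separate logging cluster keeps them out of reach of whoever deletes the index.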

Awesome, thanks for your fast response!
Filebeat detects the audit logs and they can be filtered with fileset.name: audit

Is there also a way to protect the specific index from being deleted?