Hey there,
I run an Elasticsearch 7.3.0 6-node cluster on three machines (one coordinating-only and one mdi-node each) via docker-compose.
I've set up security via certificates/PKI.
Now I want to enable the auditing feature as described in this guide.
Therefore I set these settings in each elasticsearch service:
xpack.security.audit.enabled: "true"
xpack.security.audit.logfile.events.emit_request_body: "true"
As stated in the guide, a file with the pattern '<clustername>_audit.json' should be generated in the logs directory.
However, there is no such file on any node when I jump into my containers via docker exec (only gc files).
What am I missing here? Do I have to explicitly configure a logger for this?