How to lower the burden of audit log

(ivan yu) #1


My cluster broke down several times and the elasticsearch log says:
failed to index audit event:[access_granted]. internal queue is full. which may be caused by a high indexing rate or issue with the destination

And after I disable the audit, the cluster is stable until now.
But because of company policy, we need to record the audit.
So my question is how to solve the above problem? Is it helpful to increase some of the internal queue or just send the audit log to another elasticsearch cluster?