Index audit output

terje · December 13, 2016, 3:37pm

I'm trying to start elasticsearch with the index audit logging enabled, but the x-pack plugin are not able to write the events to the cluster. In the logs I only get a lot of these messages:

failed to index audit event: [access_granted]. internal queue is full, which may be caused by a high indexing rate or issue with the destination

Enabling debug logging, I found this:

security audit index template [security_audit_log] does not exist, so service cannot start

How do I install that template?

(elasticsearch 5.1.1)

jaymode · December 13, 2016, 4:26pm

The template is installed by the master node. Do you have the index output enabled on all nodes including the master?

terje · December 16, 2016, 9:49am

Thanks, enabling index logging on all nodes worked.

system · January 13, 2017, 9:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to index Elasticsearch security audit events in 7.0? Elasticsearch	1	312	May 17, 2019
Audit Logging Issue Elasticsearch	5	1648	August 15, 2017
How to lower the burden of audit log Elasticsearch	1	430	March 12, 2019
Xpack.Security.Audit.Index-Information Elasticsearch elastic-stack-security	3	353	July 11, 2019
Enabling audit in 6.3.0 writes to <cluster>.log not to <cluster>_access.log Elasticsearch	3	584	September 11, 2018

Index audit output

Related topics