Index audit output

(Terje Sannum) #1

I'm trying to start elasticsearch with the index audit logging enabled, but the x-pack plugin is not able to write the events to the cluster. In the logs I only get a lot of these messages:

failed to index audit event: [access_granted]. internal queue is full, which may be caused by a high indexing rate or issue with the destination

Enabling debug logging, I found this:

security audit index template [security_audit_log] does not exist, so service cannot start

How do I install that template?

(elasticsearch 5.1.1)

(Jay Modi) #2

The template is installed by the master node. Do you have the index output enabled on all nodes including the master?

(Terje Sannum) #3

Thanks, enabling index logging on all nodes worked.
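As an added example (not part of the original thread), the check below lists nodes that lack the `index` audit output, flagging master-eligible ones, since the master installs the template. It assumes a `GET _nodes/settings` response with nested settings and a `roles` list per node; the sample response and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like a GET _nodes/settings response (not from the thread).
SAMPLE = json.loads("""
{"nodes": {
  "n1": {"name": "master-1", "roles": ["master"],
         "settings": {"xpack": {"security": {"audit":
             {"enabled": "true", "outputs": ["logfile"]}}}}},
  "n2": {"name": "data-1", "roles": ["data", "ingest"],
         "settings": {"xpack": {"security": {"audit":
             {"enabled": "true", "outputs": ["index", "logfile"]}}}}},
  "n3": {"name": "data-2", "roles": ["data"],
         "settings": {"xpack": {"security": {"audit":
             {"enabled": "true", "outputs": "index,logfile"}}}}},
  "n4": {"name": "master-2", "roles": ["master", "data"], "settings": {}}
}}
""")

def audit_outputs(settings):
    """Return the set of audit outputs a node has effectively configured."""
    audit = settings.get("xpack", {}).get("security", {}).get("audit", {})
    # Auditing is off unless xpack.security.audit.enabled is true.
    if str(audit.get("enabled", "false")).lower() != "true":
        return set()
    # When outputs is unset, only the logfile output is used.
    outputs = audit.get("outputs", "logfile")
    if isinstance(outputs, str):  # a comma-separated value is also accepted
        outputs = outputs.split(",")
    return {o.strip() for o in outputs if o.strip()}

def nodes_missing_index_output(nodes_settings):
    """List (name, is_master_eligible) for nodes without the index output."""
    missing = []
    for node in nodes_settings["nodes"].values():
        if "index" not in audit_outputs(node.get("settings", {})):
            missing.append((node["name"], "master" in node.get("roles", [])))
    return sorted(missing)

if __name__ == "__main__":
    for name, master in nodes_missing_index_output(SAMPLE):
        note = " (master-eligible)" if master else ""
        print(f"{name}: index audit output not enabled{note}")
```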
