Unable to get audit logs on authentication_failed

I enabled xpack security auditing in elasticsearch.yml on all nodes and restarted the elasticsearch cluster (version 6.8), but I am not seeing any audit log or access log when an http request fails authentication.

xpack.security.audit.enabled: true

What am I doing wrong?

I followed this documentation: https://www.elastic.co/guide/en/elasticsearch/reference/6.8/auditing-settings.html

It is the same issue as this unresolved one: Audit authentication failed

Thanks in advance for any help.

Did you restart your nodes after adding that setting? Also, please show all the files in your log directory.

Yes, I restarted all nodes in the cluster. Here are the log files:

# pwd
/var/log/elasticsearch

# ls -ls
total 2041380
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109473 Feb 23 05:07 gc.log.0
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67108973 Nov 29 18:38 gc.log.10
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67108994 Dec  3 12:25 gc.log.11
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109039 Dec  6 22:16 gc.log.12
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109086 Dec  9 19:09 gc.log.13
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109203 Dec 12 06:18 gc.log.14
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109010 Dec 14 16:46 gc.log.15
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109270 Dec 16 16:04 gc.log.16
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109283 Dec 18 12:35 gc.log.17
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109384 Dec 20 12:29 gc.log.18
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109015 Dec 22 10:18 gc.log.19
44604 -rw-r--r--. 1 elasticsearch elasticsearch 45667446 Feb 24 13:41 gc.log.1.current
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109318 Feb 16 09:21 gc.log.2
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109431 Dec 24 11:40 gc.log.20
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109412 Dec 26 16:03 gc.log.21
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109440 Dec 28 13:17 gc.log.22
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109158 Dec 30 19:39 gc.log.23
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67108978 Jan  1 12:50 gc.log.24
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109067 Jan  3 04:00 gc.log.25
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109462 Jan  4 16:06 gc.log.26
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109483 Jan  6 06:24 gc.log.27
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109405 Jan  8 09:31 gc.log.28
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109051 Jan 11 02:38 gc.log.29
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109173 Feb 18 23:34 gc.log.3
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109374 Jan 13 10:43 gc.log.30
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109049 Jan 15 14:14 gc.log.31
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109135 Feb 20 05:38 gc.log.4
30456 -rw-r--r--. 1 elasticsearch elasticsearch 31181876 Feb 20 18:20 gc.log.5.current
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109044 Nov 18 02:25 gc.log.6
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109378 Nov 20 20:45 gc.log.7
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109315 Nov 23 23:45 gc.log.8
65544 -rw-r--r--. 1 elasticsearch elasticsearch 67109300 Nov 26 17:59 gc.log.9

# pwd
/elasticsearch/logs
# ls -lsh
total 458M
104K -rw-r--r--. 1 elasticsearch elasticsearch 104K Jul 30  2019 gc-gc-2019-07-29-1.log.gz
4.0K -rw-r--r--. 1 elasticsearch elasticsearch 2.9K Jul 31  2019 gc-gc-2019-07-30-1.log.gz
4.0K -rw-r--r--. 1 elasticsearch elasticsearch 2.9K Aug  1  2019 gc-gc-2019-07-31-1.log.gz
4.0K -rw-r--r--. 1 elasticsearch elasticsearch 3.0K Aug  2  2019 gc-gc-2019-08-01-1.log.gz
 64K -rw-r--r--. 1 elasticsearch elasticsearch  64K Aug  3  2019 gc-gc-2019-08-02-1.log.gz
...
4.5M -rw-r--r--. 1 elasticsearch elasticsearch 4.5M Feb 22 07:18 gc-gc-2020-02-22-7.log.gz
4.8M -rw-r--r--. 1 elasticsearch elasticsearch 4.8M Feb 22 07:36 gc-gc-2020-02-22-8.log.gz
4.7M -rw-r--r--. 1 elasticsearch elasticsearch 4.7M Feb 22 08:02 gc-gc-2020-02-22-9.log.gz
3.4M -rw-r--r--. 1 elasticsearch elasticsearch 3.4M Feb 23 11:58 gc-gc-2020-02-23-10.log.gz
1.8M -rw-r--r--. 1 elasticsearch elasticsearch 1.8M Feb 23 12:02 gc-gc-2020-02-23-11.log.gz
4.4M -rw-r--r--. 1 elasticsearch elasticsearch 4.4M Feb 23 13:02 gc-gc-2020-02-23-12.log.gz
3.7M -rw-r--r--. 1 elasticsearch elasticsearch 3.6M Feb 23 14:30 gc-gc-2020-02-23-13.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 15:59 gc-gc-2020-02-23-14.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 17:28 gc-gc-2020-02-23-15.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 18:57 gc-gc-2020-02-23-16.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 20:25 gc-gc-2020-02-23-17.log.gz
3.7M -rw-r--r--. 1 elasticsearch elasticsearch 3.7M Feb 23 21:54 gc-gc-2020-02-23-18.log.gz
3.7M -rw-r--r--. 1 elasticsearch elasticsearch 3.7M Feb 23 23:23 gc-gc-2020-02-23-19.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 01:23 gc-gc-2020-02-23-1.log.gz
1.6M -rw-r--r--. 1 elasticsearch elasticsearch 1.6M Feb 24 00:00 gc-gc-2020-02-23-20.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 02:47 gc-gc-2020-02-23-2.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 04:11 gc-gc-2020-02-23-3.log.gz
3.7M -rw-r--r--. 1 elasticsearch elasticsearch 3.7M Feb 23 05:35 gc-gc-2020-02-23-4.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 06:58 gc-gc-2020-02-23-5.log.gz
4.7M -rw-r--r--. 1 elasticsearch elasticsearch 4.7M Feb 23 07:22 gc-gc-2020-02-23-6.log.gz
4.3M -rw-r--r--. 1 elasticsearch elasticsearch 4.3M Feb 23 08:03 gc-gc-2020-02-23-7.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 23 09:26 gc-gc-2020-02-23-8.log.gz
3.7M -rw-r--r--. 1 elasticsearch elasticsearch 3.7M Feb 23 10:50 gc-gc-2020-02-23-9.log.gz
3.2M -rw-r--r--. 1 elasticsearch elasticsearch 3.2M Feb 24 11:31 gc-gc-2020-02-24-10.log.gz
3.0M -rw-r--r--. 1 elasticsearch elasticsearch 3.0M Feb 24 12:59 gc-gc-2020-02-24-11.log.gz
3.8M -rw-r--r--. 1 elasticsearch elasticsearch 3.8M Feb 24 01:28 gc-gc-2020-02-24-1.log.gz
3.7M -rw-r--r--. 1 elasticsearch elasticsearch 3.7M Feb 24 02:57 gc-gc-2020-02-24-2.log.gz
3.6M -rw-r--r--. 1 elasticsearch elasticsearch 3.6M Feb 24 04:27 gc-gc-2020-02-24-3.log.gz
3.1M -rw-r--r--. 1 elasticsearch elasticsearch 3.1M Feb 24 06:01 gc-gc-2020-02-24-4.log.gz
4.0M -rw-r--r--. 1 elasticsearch elasticsearch 4.0M Feb 24 07:02 gc-gc-2020-02-24-5.log.gz
4.8M -rw-r--r--. 1 elasticsearch elasticsearch 4.8M Feb 24 07:30 gc-gc-2020-02-24-6.log.gz
4.8M -rw-r--r--. 1 elasticsearch elasticsearch 4.8M Feb 24 07:53 gc-gc-2020-02-24-7.log.gz
4.0M -rw-r--r--. 1 elasticsearch elasticsearch 4.0M Feb 24 08:50 gc-gc-2020-02-24-8.log.gz
3.3M -rw-r--r--. 1 elasticsearch elasticsearch 3.3M Feb 24 10:09 gc-gc-2020-02-24-9.log.gz
   0 -rw-r--r--. 1 elasticsearch elasticsearch    0 Jul 29  2019 gc-gc_access.log
   0 -rw-r--r--. 1 elasticsearch elasticsearch    0 Jul 29  2019 gc-gc_audit.log
3.5M -rw-r--r--. 1 elasticsearch elasticsearch 3.5M Feb 24 05:55 gc-gc_deprecation.log
   0 -rw-r--r--. 1 elasticsearch elasticsearch    0 Jul 29  2019 gc-gc_index_indexing_slowlog.log
   0 -rw-r--r--. 1 elasticsearch elasticsearch    0 Jul 29  2019 gc-gc_index_search_slowlog.log
 63M -rw-r--r--. 1 elasticsearch elasticsearch  63M Feb 24 13:42 gc-gc.log

Audit logging requires at least a gold license. What license are you on?

For more information, see https://www.elastic.co/subscriptions
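The thread's diagnosis (setting present, licence too low) can be checked before a restart. The following is an added example, not code from the thread or from Elastic: it reads the flat `key: value` lines of elasticsearch.yml with a hypothetical minimal parser and a saved `GET /_license` response, and lists every reason the node would write no audit events. The set of licence types that unlock auditing in 6.x (gold, platinum, trial) is an assumption of the example based on the "at least gold" answer above.

```python
import json

# Licence types that unlock audit logging in Elasticsearch 6.x: gold or higher,
# with trial behaving like platinum. Assumption of this example.
AUDIT_LICENSE_TYPES = {"gold", "platinum", "trial"}


def parse_flat_yaml(text):
    """Hypothetical minimal parser for the flat 'dotted.key: value' lines of
    elasticsearch.yml; comments, blank lines and list items are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line or line.startswith("-"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().lower()
    return settings


def audit_log_blockers(elasticsearch_yml, license_response):
    """Return the reasons a node would produce no audit events.
    An empty list means both the configuration and the licence allow auditing."""
    settings = parse_flat_yaml(elasticsearch_yml)
    lic = json.loads(license_response).get("license", {})
    reasons = []
    if settings.get("xpack.security.enabled") == "false":
        reasons.append("xpack.security.enabled is false: no authentication, so no auth events")
    if settings.get("xpack.security.audit.enabled") != "true":
        reasons.append("xpack.security.audit.enabled is not true")
    if lic.get("type") not in AUDIT_LICENSE_TYPES:
        reasons.append("licence type %r is below gold; auditing is not available" % lic.get("type"))
    if lic.get("status") != "active":
        reasons.append("licence status is %r, not active" % lic.get("status"))
    return reasons


# Constructed sample inputs mirroring the thread: the audit setting is on, but
# the cluster runs a basic licence (shape of the 6.8 GET /_license response).
SAMPLE_YML = """
cluster.name: gc-gc          # constructed
xpack.security.audit.enabled: true
"""
SAMPLE_LICENSE_BASIC = json.dumps({"license": {"status": "active", "type": "basic"}})
SAMPLE_LICENSE_GOLD = json.dumps({"license": {"status": "active", "type": "gold"}})

if __name__ == "__main__":
    for reason in audit_log_blockers(SAMPLE_YML, SAMPLE_LICENSE_BASIC):
        print("blocked:", reason)
```

An empty `<clustername>_audit.log` with no blockers reported points at the log4j2 appender configuration or at the node never receiving the failing request, which the thread does not cover.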
