Good afternoon,
I am looking to have the xpack.security.audit.enabled on my ES cluster however I was looking to understand where this should be enabled at\on. I have multiple nodes within my cluster, each with different roles (data\master\coordinating) Logic would dictate that this should be enabled on my coordinating nodes however after doing a bit more reading, I am seeing some I\O concerns when querying etc. I am assuming that even though this is enabled on the coordinating node(s), the index (when created) will be handled by the data nodes respectively so I\O shouldn't be a concern. Can someone please confirm this when time permits?

You should enable auditing on every node.

Events are audited on the nodes on which they happen. For most events that will be the coordinating node, but you will miss things if you don't audit on the data (and even master) nodes.

Awesome. Thanks Tim. I’ll work to get that done. Appreciate you getting back to me.