elasticsearch-audit
Original:🇺🇸 English
Translated
Enable, configure, and query Elasticsearch security audit logs. Use when the task involves audit logging setup, event filtering, or investigating security incidents like failed logins.
3installs
Sourceelastic/agent-skills
Added on
NPX Install
npx skill4agent add elastic/agent-skills elasticsearch-auditTags
Translated version includes tags in frontmatterSKILL.md Content
View Translation Comparison →Elasticsearch Audit Logging
Enable and configure security audit logging for Elasticsearch via the cluster settings API. Audit logs record security
events such as authentication attempts, access grants and denials, role changes, and API key operations — essential for
compliance and incident investigation.
For Kibana audit logging (saved object access, login/logout, space operations), see kibana-audit. For authentication
and API key management, see elasticsearch-authn. For roles and user management, see elasticsearch-authz. For
diagnosing security errors, see elasticsearch-security-troubleshooting.
For detailed API endpoints and event types, see references/api-reference.md.
Deployment note: Audit logging configuration differs across deployment types. See Deployment Compatibility for details.
Jobs to Be Done
- Enable or disable security audit logging on a cluster
- Select which security events to record (authentication, access, config changes)
- Create filter policies to reduce audit log noise
- Query audit logs for failed authentication attempts
- Investigate unauthorized access or privilege escalation incidents
- Set up compliance-focused audit configuration
- Detect brute-force login patterns from audit data
- Configure audit output to an index for programmatic querying
Prerequisites
| Item | Description |
|---|---|
| Elasticsearch URL | Cluster endpoint (e.g. |
| Authentication | Valid credentials (see the elasticsearch-authn skill) |
| Cluster privileges | |
| License | Audit logging requires a gold, platinum, enterprise, or trial license |
Prompt the user for any missing values.
Enable Audit Logging
Enable audit logging dynamically without a restart:
bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"persistent": {
"xpack.security.audit.enabled": true
}
}'To disable, set to . Verify current state:
xpack.security.audit.enabledfalsebash
curl "${ELASTICSEARCH_URL}/_cluster/settings?include_defaults=true&flat_settings=true" \
<auth_flags> | jq '.defaults | with_entries(select(.key | startswith("xpack.security.audit")))'Audit Output
Audit events can be written to two outputs. Both can be active simultaneously.
| Output | Setting value | Description |
|---|---|---|
| logfile | | Written to |
| index | | Written to |
Configure output via API
bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"persistent": {
"xpack.security.audit.enabled": true,
"xpack.security.audit.outputs": ["index", "logfile"]
}
}'The output is required for programmatic querying of audit events. The output is useful for shipping to
external SIEM tools via Filebeat.
indexlogfileNote: On self-managed clusters,may require a static setting inxpack.security.audit.outputson older versions (pre-8.x). On 8.x+, prefer the cluster settings API.elasticsearch.yml
Select Events to Record
Control which event types are included or excluded. By default, all events are recorded when audit is enabled.
Include specific events only
bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"persistent": {
"xpack.security.audit.logfile.events.include": [
"authentication_failed",
"access_denied",
"access_granted",
"anonymous_access_denied",
"tampered_request",
"run_as_denied",
"connection_denied"
]
}
}'Exclude noisy events
bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"persistent": {
"xpack.security.audit.logfile.events.exclude": [
"access_granted"
]
}
}'Excluding significantly reduces log volume on busy clusters — use this when only failures matter.
access_grantedEvent types reference
| Event | Fires when |
|---|---|
| Credentials were rejected |
| User authenticated successfully |
| An authorized action was performed |
| An action was denied due to insufficient privileges |
| An unauthenticated request was rejected |
| A request was detected as tampered with |
| A node joined the cluster (transport layer) |
| A node connection was rejected |
| A run-as impersonation was authorized |
| A run-as impersonation was denied |
| A security setting was changed (role, user, API key, etc.) |
See references/api-reference.md for the complete event type list with field details.
Filter Policies
Filter policies let you suppress specific audit events by user, realm, role, or index without disabling the event type
globally. Multiple policies can be active — an event is logged only if no policy filters it out.
Ignore system and internal users
bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"persistent": {
"xpack.security.audit.logfile.events.ignore_filters": {
"system_users": {
"users": ["_xpack_security", "_xpack", "elastic/fleet-server"],
"realms": ["_service_account"]
}
}
}
}'Ignore health-check traffic on specific indices
bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"persistent": {
"xpack.security.audit.logfile.events.ignore_filters": {
"health_checks": {
"users": ["monitoring-user"],
"indices": [".monitoring-*"]
}
}
}
}'Filter policy fields
| Field | Type | Description |
|---|---|---|
| array[string] | Usernames to exclude (supports wildcards) |
| array[string] | Realm names to exclude |
| array[string] | Role names to exclude |
| array[string] | Index names or patterns to exclude (supports |
| array[string] | Action names to exclude (e.g. |
An event is filtered out if it matches all specified fields within a single policy.
Remove a filter policy
Set the policy to :
nullbash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"persistent": {
"xpack.security.audit.logfile.events.ignore_filters.health_checks": null
}
}'Query Audit Events
When the output is enabled, audit events are stored in indices and can be queried.
index.security-audit-*Search for failed authentication attempts
bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"query": {
"bool": {
"filter": [
{ "term": { "event.action": "authentication_failed" } },
{ "range": { "@timestamp": { "gte": "now-24h" } } }
]
}
},
"sort": [{ "@timestamp": { "order": "desc" } }],
"size": 50
}'Search for access denied events on a specific index
bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"query": {
"bool": {
"filter": [
{ "term": { "event.action": "access_denied" } },
{ "term": { "indices": "logs-*" } },
{ "range": { "@timestamp": { "gte": "now-7d" } } }
]
}
},
"sort": [{ "@timestamp": { "order": "desc" } }],
"size": 20
}'Search for security configuration changes
bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"query": {
"bool": {
"filter": [
{ "term": { "event.action": "security_config_change" } },
{ "range": { "@timestamp": { "gte": "now-7d" } } }
]
}
},
"sort": [{ "@timestamp": { "order": "desc" } }],
"size": 50
}'This captures role creation/deletion, user changes, API key operations, and role mapping updates.
Count events by type and detect brute-force patterns
Use aggregations on (with ) to count events by type over a time window. To detect
brute-force attempts, aggregate events by with . See
references/api-reference.md for full aggregation query examples.
termsevent.actionsize: 0authentication_failedsource.ipmin_doc_count: 5Correlate with Kibana Audit Logs
Kibana has its own audit log covering application-layer events that Elasticsearch does not see (saved object CRUD,
Kibana logins, space operations). When a user performs an action in Kibana, Kibana makes requests to Elasticsearch on
the user's behalf. Both systems record the same (passed via the header), which serves as the
primary correlation key.
trace.idX-Opaque-IdPrerequisite: Kibana audit must be enabled separately in. See the kibana-audit skill for setup instructions, event types, and Kibana-specific filter policies.kibana.yml
Find ES audit events triggered by a Kibana action
Given a from a Kibana audit event, search the ES audit index to see the underlying Elasticsearch operations:
trace.idbash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"query": {
"bool": {
"filter": [
{ "term": { "trace.id": "'"${TRACE_ID}"'" } },
{ "range": { "@timestamp": { "gte": "now-24h" } } }
]
}
},
"sort": [{ "@timestamp": { "order": "asc" } }]
}'Correlate by user and time window
When is unavailable (e.g. direct API calls), fall back to user + time-window correlation:
trace.idbash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"query": {
"bool": {
"filter": [
{ "term": { "user.name": "'"${USERNAME}"'" } },
{ "range": { "@timestamp": { "gte": "now-5m" } } }
]
}
},
"sort": [{ "@timestamp": { "order": "asc" } }]
}'Secondary correlation fields: , , and .
user.namesource.ip@timestampUnified querying
Ship Kibana audit logs to Elasticsearch via Filebeat (see kibana-audit for the Filebeat config) so that both
(ES) and (Kibana) indices can be searched together in a single multi-index query
filtered by .
.security-audit-*kibana-audit-*trace.idExamples
Enable audit logging for compliance
Request: "Enable audit logging and record all failed access and authentication events."
bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"persistent": {
"xpack.security.audit.enabled": true,
"xpack.security.audit.logfile.events.include": [
"authentication_failed",
"access_denied",
"anonymous_access_denied",
"run_as_denied",
"connection_denied",
"tampered_request",
"security_config_change"
]
}
}'This captures all denial and security change events while excluding high-volume success events.
Investigate a suspected unauthorized access attempt
Request: "Someone may have tried to access the index. Check the audit logs."
secrets-*bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
<auth_flags> \
-H "Content-Type: application/json" \
-d '{
"query": {
"bool": {
"filter": [
{ "terms": { "event.action": ["access_denied", "authentication_failed"] } },
{ "wildcard": { "indices": "secrets-*" } },
{ "range": { "@timestamp": { "gte": "now-48h" } } }
]
}
},
"sort": [{ "@timestamp": { "order": "desc" } }],
"size": 100
}'Review , , and in the results to identify the actor and pattern.
user.namesource.ipevent.actionReduce audit noise on a busy cluster
Request: "Audit logs are too large. Filter out monitoring traffic and successful reads."
Exclude from event types, then add a filter policy for monitoring users and indices. See
Filter Policies for the full syntax.
access_grantedGuidelines
Prefer index output for programmatic access
Enable the output to make audit events queryable. The output is better for shipping to external SIEM
tools via Filebeat but cannot be queried through the Elasticsearch API.
indexlogfileStart restrictive, then widen
Begin with failure events only (, , ). Add success events
only when needed — they generate high volume.
authentication_failedaccess_deniedsecurity_config_changeUse filter policies instead of disabling events
Suppress specific users or indices with filter policies rather than excluding entire event types.
Monitor audit index size
Set up an ILM policy to roll over and delete old indices. A 30-90 day retention is typical.
.security-audit-*Enable Kibana audit for full coverage
For application-layer events (saved object access, Kibana logins, space operations), enable Kibana audit logging as
well. See the kibana-audit skill for setup. Use to correlate — see
Correlate with Kibana Audit Logs above.
trace.idAvoid superuser credentials
Use a dedicated admin user or API key with privileges. Reserve for emergency recovery only.
manageelasticDeployment Compatibility
| Capability | Self-managed | ECH | Serverless |
|---|---|---|---|
| ES audit via cluster settings | Yes | Yes | Not available |
| ES logfile output | Yes | Via Cloud UI | Not available |
| ES index output | Yes | Yes | Not available |
| Filter policies via cluster settings | Yes | Yes | Not available |
Query | Yes | Yes | Not available |
ECH notes: ES audit is configured via the cluster settings API. Logfile output is accessible through the Cloud
console deployment logs. Index output works the same as self-managed.
Serverless notes:
- Audit logging is not user-configurable on Serverless. Security events are managed by Elastic as part of the platform.
- If a user asks about auditing on Serverless, direct them to the Elastic Cloud console or their account team.