elasticsearch-audit

Elasticsearch Audit Logging

Enable and configure security audit logging for Elasticsearch via the cluster settings API. Audit logs record security events such as authentication attempts, access grants and denials, role changes, and API key operations — essential for compliance and incident investigation.
For Kibana audit logging (saved object access, login/logout, space operations), see kibana-audit. For authentication and API key management, see elasticsearch-authn. For roles and user management, see elasticsearch-authz. For diagnosing security errors, see elasticsearch-security-troubleshooting.
For detailed API endpoints and event types, see references/api-reference.md.
Deployment note: Audit logging configuration differs across deployment types. See Deployment Compatibility for details.

Jobs to Be Done

  • Enable or disable security audit logging on a cluster
  • Select which security events to record (authentication, access, config changes)
  • Create filter policies to reduce audit log noise
  • Query audit logs for failed authentication attempts
  • Investigate unauthorized access or privilege escalation incidents
  • Set up compliance-focused audit configuration
  • Detect brute-force login patterns from audit data
  • Configure audit output to an index for programmatic querying

Prerequisites

| Item | Description |
| --- | --- |
| Elasticsearch URL | Cluster endpoint (e.g. `https://localhost:9200` or a Cloud deployment URL) |
| Authentication | Valid credentials (see the elasticsearch-authn skill) |
| Cluster privileges | `manage` cluster privilege to update cluster settings |
| License | Audit logging requires a gold, platinum, enterprise, or trial license |

Prompt the user for any missing values.

Enable Audit Logging

Enable audit logging dynamically without a restart:

```bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "persistent": {
      "xpack.security.audit.enabled": true
    }
  }'
```

To disable, set `xpack.security.audit.enabled` to `false`. Verify current state:

```bash
# Merge defaults, persistent and transient so an override set above is visible
# (explicitly set settings are not reported under .defaults).
curl "${ELASTICSEARCH_URL}/_cluster/settings?include_defaults=true&flat_settings=true" \
  <auth_flags> | jq '[.defaults, .persistent, .transient] | add
    | with_entries(select(.key | startswith("xpack.security.audit")))'
```

Audit Output

Audit events can be written to two outputs. Both can be active simultaneously.

| Output | Setting value | Description |
| --- | --- | --- |
| logfile | `logfile` | Written to `<ES_HOME>/logs/<cluster>_audit.json`. Default. |
| index | `index` | Written to `.security-audit-*` indices. Queryable via the API. |

Configure output via API

```bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "persistent": {
      "xpack.security.audit.enabled": true,
      "xpack.security.audit.outputs": ["index", "logfile"]
    }
  }'
```

The `index` output is required for programmatic querying of audit events. The `logfile` output is useful for shipping to external SIEM tools via Filebeat.

Note: On self-managed clusters, `xpack.security.audit.outputs` may require a static setting in `elasticsearch.yml` on older versions (pre-8.x). On 8.x+, prefer the cluster settings API.

Select Events to Record

Control which event types are included or excluded. By default, all events are recorded when audit is enabled.

Include specific events only

```bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "persistent": {
      "xpack.security.audit.logfile.events.include": [
        "authentication_failed",
        "access_denied",
        "access_granted",
        "anonymous_access_denied",
        "tampered_request",
        "run_as_denied",
        "connection_denied"
      ]
    }
  }'
```

Exclude noisy events

```bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "persistent": {
      "xpack.security.audit.logfile.events.exclude": [
        "access_granted"
      ]
    }
  }'
```

Excluding `access_granted` significantly reduces log volume on busy clusters; use this when only failures matter.

Event types reference

| Event | Fires when |
| --- | --- |
| `authentication_failed` | Credentials were rejected |
| `authentication_success` | User authenticated successfully |
| `access_granted` | An authorized action was performed |
| `access_denied` | An action was denied due to insufficient privileges |
| `anonymous_access_denied` | An unauthenticated request was rejected |
| `tampered_request` | A request was detected as tampered with |
| `connection_granted` | A node joined the cluster (transport layer) |
| `connection_denied` | A node connection was rejected |
| `run_as_granted` | A run-as impersonation was authorized |
| `run_as_denied` | A run-as impersonation was denied |
| `security_config_change` | A security setting was changed (role, user, API key, etc.) |

See references/api-reference.md for the complete event type list with field details.

Filter Policies

Filter policies let you suppress specific audit events by user, realm, role, or index without disabling the event type globally. Multiple policies can be active — an event is logged only if no policy filters it out.

Ignore system and internal users

```bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "persistent": {
      "xpack.security.audit.logfile.events.ignore_filters": {
        "system_users": {
          "users": ["_xpack_security", "_xpack", "elastic/fleet-server"],
          "realms": ["_service_account"]
        }
      }
    }
  }'
```

Ignore health-check traffic on specific indices

```bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "persistent": {
      "xpack.security.audit.logfile.events.ignore_filters": {
        "health_checks": {
          "users": ["monitoring-user"],
          "indices": [".monitoring-*"]
        }
      }
    }
  }'
```

Filter policy fields

| Field | Type | Description |
| --- | --- | --- |
| `users` | array[string] | Usernames to exclude (supports wildcards) |
| `realms` | array[string] | Realm names to exclude |
| `roles` | array[string] | Role names to exclude |
| `indices` | array[string] | Index names or patterns to exclude (supports `*`) |
| `actions` | array[string] | Action names to exclude (e.g. `indices:data/read/*`) |

An event is filtered out if it matches all specified fields within a single policy.
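
As an added example (not from the page or from Elastic), the matching rule just described can be exercised offline against constructed events before a policy is pushed to a cluster. It assumes the documented semantics: within one policy every specified field must match; for `users`, `realms` and `actions` one matching value suffices, while for `roles` and `indices` every value carried by the event must be covered; the dotted event keys (`user.name`, `user.realm`, `user.roles`, `action`, `indices`) follow the logfile output and are assumed here.

```python
from fnmatch import fnmatchcase

# Constructed policies mirroring the two curl examples above (not cluster output).
IGNORE_FILTERS = {
    "system_users": {
        "users": ["_xpack_security", "_xpack", "elastic/fleet-server"],
        "realms": ["_service_account"],
    },
    "health_checks": {
        "users": ["monitoring-user"],
        "indices": [".monitoring-*"],
    },
}
# Policy field -> event attribute it inspects (dotted logfile keys, assumed here).
FIELD_TO_ATTR = {
    "users": "user.name",
    "realms": "user.realm",
    "roles": "user.roles",
    "actions": "action",
    "indices": "indices",
}
# For these fields every value carried by the event must be covered.
ALL_OF_FIELDS = {"roles", "indices"}

def _covered(value, patterns):
    """Shell-style wildcard match against any pattern in the policy list."""
    return any(fnmatchcase(value, p) for p in patterns)

def policy_matches(policy, event):
    """True when the event satisfies every field the policy specifies."""
    for field, patterns in policy.items():
        value = event.get(FIELD_TO_ATTR[field])
        if value is None:
            return False  # attribute absent: this policy cannot cover the event
        values = value if isinstance(value, list) else [value]
        if field in ALL_OF_FIELDS:
            if not values or not all(_covered(v, patterns) for v in values):
                return False
        elif not any(_covered(v, patterns) for v in values):
            return False
    return True

def matching_policies(event, filters=IGNORE_FILTERS):
    """Names of the policies that would suppress this event."""
    return sorted(n for n, p in filters.items() if policy_matches(p, event))

def is_logged(event, filters=IGNORE_FILTERS):
    """An event is written only if no ignore policy matches it."""
    return not matching_policies(event, filters)

# Constructed sample events (illustrative values, not real audit output).
SAMPLE_EVENTS = [
    {"event.action": "access_granted", "user.name": "elastic/fleet-server",
     "user.realm": "_service_account", "indices": ["logs-agent"]},
    {"event.action": "access_granted", "user.name": "monitoring-user",
     "user.realm": "native", "indices": [".monitoring-es-8"]},
    # Same user, but one index falls outside the pattern: still logged.
    {"event.action": "access_granted", "user.name": "monitoring-user",
     "user.realm": "native", "indices": [".monitoring-es-8", "secrets-prod"]},
    {"event.action": "access_denied", "user.name": "alice",
     "user.realm": "native", "indices": ["secrets-prod"]},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "logged" if is_logged(e) else f"suppressed by {matching_policies(e)}"
        print(e["user.name"], e["indices"], "->", verdict)
```

The third sample shows the check a practitioner wants before deploying an `indices` filter: a request that touches one monitored index and one sensitive index is still written.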

Remove a filter policy

Set the policy to `null`:

```bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "persistent": {
      "xpack.security.audit.logfile.events.ignore_filters.health_checks": null
    }
  }'
```

Query Audit Events

When the `index` output is enabled, audit events are stored in `.security-audit-*` indices and can be queried.

Search for failed authentication attempts

```bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "event.action": "authentication_failed" } },
          { "range": { "@timestamp": { "gte": "now-24h" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "desc" } }],
    "size": 50
  }'
```

Search for access denied events on a specific index

```bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "event.action": "access_denied" } },
          { "term": { "indices": "logs-*" } },
          { "range": { "@timestamp": { "gte": "now-7d" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "desc" } }],
    "size": 20
  }'
```

Search for security configuration changes

```bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "event.action": "security_config_change" } },
          { "range": { "@timestamp": { "gte": "now-7d" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "desc" } }],
    "size": 50
  }'
```

This captures role creation/deletion, user changes, API key operations, and role mapping updates.

Count events by type and detect brute-force patterns

Use `terms` aggregations on `event.action` (with `size: 0`) to count events by type over a time window. To detect brute-force attempts, aggregate `authentication_failed` events by `source.ip` with `min_doc_count: 5`. See references/api-reference.md for full aggregation query examples.
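
An added example (not from the page or from references/api-reference.md) that builds the aggregation body described above and applies the same counting offline to constructed logfile-style JSON lines, adding the sliding time window that a plain `min_doc_count` threshold lacks. Field names (`event.action`, `source.ip`, `@timestamp`) are the ones used on this page; the sample records are constructed.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5  # the page's min_doc_count: 5

def aggregation_body(window="now-24h", threshold=THRESHOLD):
    """Search body (size 0): counts per event.action, then failed logins per source.ip."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": window}}},
        "aggs": {
            "by_action": {"terms": {"field": "event.action", "size": 20}},
            "failed_logins": {
                "filter": {"term": {"event.action": "authentication_failed"}},
                "aggs": {"by_source": {"terms": {"field": "source.ip",
                                                  "min_doc_count": threshold}}},
            },
        },
    }

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def count_by_action(events):
    """Offline equivalent of the by_action terms aggregation."""
    return Counter(e["event.action"] for e in events)

def brute_force_sources(events, threshold=THRESHOLD, window=timedelta(minutes=10)):
    """source.ip -> peak number of authentication_failed events inside any sliding window."""
    per_ip = defaultdict(list)
    for e in events:
        if e.get("event.action") == "authentication_failed" and "source.ip" in e:
            per_ip[e["source.ip"]].append(_ts(e["@timestamp"]))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def _line(action, ts, ip):
    """One constructed logfile-style audit record as a JSON line."""
    return json.dumps({"@timestamp": ts, "event.action": action,
                       "user.name": "alice", "source.ip": ip})

# Constructed sample: a one-minute burst, a slow hourly trickle, and normal traffic.
SAMPLE_LINES = (
    [_line("authentication_failed", f"2024-05-01T10:00:{s:02d}Z", "203.0.113.7")
     for s in range(0, 60, 10)]
    + [_line("authentication_failed", f"2024-05-01T{h:02d}:00:00Z", "198.51.100.5")
       for h in range(8, 13)]
    + [_line("authentication_success", "2024-05-01T10:05:00Z", "192.0.2.10"),
       _line("access_granted", "2024-05-01T10:05:01Z", "192.0.2.10")]
)

def load_events(lines):
    return [json.loads(line) for line in lines]

if __name__ == "__main__":
    events = load_events(SAMPLE_LINES)
    print(dict(count_by_action(events)))
    print(brute_force_sources(events))  # only the burst source is flagged
```

The hourly source also has five failures in the day, so the raw `min_doc_count: 5` aggregation would surface it too; the window distinguishes the burst from the trickle.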

Correlate with Kibana Audit Logs

Kibana has its own audit log covering application-layer events that Elasticsearch does not see (saved object CRUD, Kibana logins, space operations). When a user performs an action in Kibana, Kibana makes requests to Elasticsearch on the user's behalf. Both systems record the same `trace.id` (passed via the `X-Opaque-Id` header), which serves as the primary correlation key.

Prerequisite: Kibana audit must be enabled separately in `kibana.yml`. See the kibana-audit skill for setup instructions, event types, and Kibana-specific filter policies.

Find ES audit events triggered by a Kibana action

Given a `trace.id` from a Kibana audit event, search the ES audit index to see the underlying Elasticsearch operations:

```bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "trace.id": "'"${TRACE_ID}"'" } },
          { "range": { "@timestamp": { "gte": "now-24h" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "asc" } }]
  }'
```

Correlate by user and time window

When `trace.id` is unavailable (e.g. direct API calls), fall back to user + time-window correlation:

```bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "term": { "user.name": "'"${USERNAME}"'" } },
          { "range": { "@timestamp": { "gte": "now-5m" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "asc" } }]
  }'
```

Secondary correlation fields: `user.name`, `source.ip`, and `@timestamp`.
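
An added example (not from the page) covering both correlation methods above: join a Kibana audit event to the Elasticsearch audit events it caused by `trace.id`, and fall back to `user.name` within a time window when the Kibana record carries no `trace.id`. Field names follow the page; the Kibana and ES records are constructed, as is the `trace-aaa` style of identifier.

```python
from datetime import datetime, timedelta

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed Kibana audit events (kibana-audit-* style; field names assumed).
KIBANA_EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "event.action": "saved_object_get",
     "user.name": "alice", "trace.id": "trace-aaa"},
    {"@timestamp": "2024-05-01T09:10:00Z", "event.action": "user_login",
     "user.name": "bob"},  # no trace.id recorded for this one
]

# Constructed Elasticsearch audit events (.security-audit-* style).
ES_EVENTS = [
    {"@timestamp": "2024-05-01T09:00:00Z", "event.action": "authentication_success",
     "user.name": "alice", "trace.id": "trace-aaa"},
    {"@timestamp": "2024-05-01T09:00:01Z", "event.action": "access_granted",
     "user.name": "alice", "trace.id": "trace-aaa", "indices": [".kibana"]},
    {"@timestamp": "2024-05-01T09:10:02Z", "event.action": "authentication_success",
     "user.name": "bob"},
    {"@timestamp": "2024-05-01T09:30:00Z", "event.action": "access_denied",
     "user.name": "bob", "indices": ["secrets-prod"]},
    {"@timestamp": "2024-05-01T09:00:03Z", "event.action": "access_granted",
     "user.name": "carol", "trace.id": "trace-ccc"},
]

def correlate(kibana_event, es_events, window=timedelta(minutes=5)):
    """Return (method, ES events in time order) for one Kibana audit event.

    Exact join on trace.id when present; otherwise same user.name within
    +/- window of the Kibana timestamp (the page's secondary fields).
    """
    trace_id = kibana_event.get("trace.id")
    if trace_id:
        hits = [e for e in es_events if e.get("trace.id") == trace_id]
        return "trace.id", sorted(hits, key=lambda e: e["@timestamp"])
    t0 = _ts(kibana_event["@timestamp"])
    hits = [e for e in es_events
            if e.get("user.name") == kibana_event.get("user.name")
            and abs(_ts(e["@timestamp"]) - t0) <= window]
    return "user+time", sorted(hits, key=lambda e: e["@timestamp"])

if __name__ == "__main__":
    for k in KIBANA_EVENTS:
        method, hits = correlate(k, ES_EVENTS)
        print(k["event.action"], "via", method, "->",
              [(h["@timestamp"], h["event.action"]) for h in hits])
```

Widening the fallback window pulls in unrelated activity by the same user (bob's later `access_denied`), which is why the page treats `trace.id` as the primary key.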

Unified querying

Ship Kibana audit logs to Elasticsearch via Filebeat (see kibana-audit for the Filebeat config) so that both `.security-audit-*` (ES) and `kibana-audit-*` (Kibana) indices can be searched together in a single multi-index query filtered by `trace.id`.

Examples

Enable audit logging for compliance

Request: "Enable audit logging and record all failed access and authentication events."

```bash
curl -X PUT "${ELASTICSEARCH_URL}/_cluster/settings" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "persistent": {
      "xpack.security.audit.enabled": true,
      "xpack.security.audit.logfile.events.include": [
        "authentication_failed",
        "access_denied",
        "anonymous_access_denied",
        "run_as_denied",
        "connection_denied",
        "tampered_request",
        "security_config_change"
      ]
    }
  }'
```

This captures all denial and security change events while excluding high-volume success events.

Investigate a suspected unauthorized access attempt

Request: "Someone may have tried to access the `secrets-*` index. Check the audit logs."

```bash
curl -X POST "${ELASTICSEARCH_URL}/.security-audit-*/_search" \
  <auth_flags> \
  -H "Content-Type: application/json" \
  -d '{
    "query": {
      "bool": {
        "filter": [
          { "terms": { "event.action": ["access_denied", "authentication_failed"] } },
          { "wildcard": { "indices": "secrets-*" } },
          { "range": { "@timestamp": { "gte": "now-48h" } } }
        ]
      }
    },
    "sort": [{ "@timestamp": { "order": "desc" } }],
    "size": 100
  }'
```

Review `user.name`, `source.ip`, and `event.action` in the results to identify the actor and pattern.

Reduce audit noise on a busy cluster

Request: "Audit logs are too large. Filter out monitoring traffic and successful reads."

Exclude `access_granted` from event types, then add a filter policy for monitoring users and indices. See Filter Policies for the full syntax.

Guidelines

Prefer index output for programmatic access

Enable the `index` output to make audit events queryable. The `logfile` output is better for shipping to external SIEM tools via Filebeat but cannot be queried through the Elasticsearch API.

Start restrictive, then widen

Begin with failure events only (`authentication_failed`, `access_denied`, `security_config_change`). Add success events only when needed; they generate high volume.

Use filter policies instead of disabling events

Suppress specific users or indices with filter policies rather than excluding entire event types.

Monitor audit index size

Set up an ILM policy to roll over and delete old `.security-audit-*` indices. A 30-90 day retention is typical.

Enable Kibana audit for full coverage

For application-layer events (saved object access, Kibana logins, space operations), enable Kibana audit logging as well. See the kibana-audit skill for setup. Use `trace.id` to correlate; see Correlate with Kibana Audit Logs above.

Avoid superuser credentials

Use a dedicated admin user or API key with `manage` privileges. Reserve `elastic` for emergency recovery only.

Deployment Compatibility

| Capability | Self-managed | ECH | Serverless |
| --- | --- | --- | --- |
| ES audit via cluster settings | Yes | Yes | Not available |
| ES logfile output | Yes | Via Cloud UI | Not available |
| ES index output | Yes | Yes | Not available |
| Filter policies via cluster settings | Yes | Yes | Not available |
| Query `.security-audit-*` | Yes | Yes | Not available |
ECH notes: ES audit is configured via the cluster settings API. Logfile output is accessible through the Cloud console deployment logs. Index output works the same as self-managed.
Serverless notes:
  • Audit logging is not user-configurable on Serverless. Security events are managed by Elastic as part of the platform.
  • If a user asks about auditing on Serverless, direct them to the Elastic Cloud console or their account team.