In Elasticsearch, up to version 6.2, the security audit logs could be sent to an Elasticsearch index by setting this line in the elasticsearch.yml file:
xpack.security.audit.outputs: [ index, logfile ]
https://www.elastic.co/guide/en/x-pack/current/auditing.html#audit-log-settings
In version 7.x the audit logs can only be written to clustername_audit.json or the console.
My question is: how can the audit logs be sent to an ES index in version 7.x, just like in 6.2? Is there any such option anymore?
Thanks!
Yep, the option to send the audit logs directly to an index is gone... You should install a Filebeat on each of the Elasticsearch machines and feed the audit log into the cluster the same way you should with the cluster log.
https://www.elastic.co/de/blog/indexing-elasticsearch-audit-logs-with-filebeat
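As an added example of the setup the answer describes (not configuration from the original post or from Elastic's own documentation), here is a minimal filebeat.yml for a 7.x node that picks up the audit file with Filebeat's elasticsearch module and writes it back into the cluster. The log directory, hostname, CA path and the "filebeat_writer" user are assumptions; substitute your own. The only thing needed on the Elasticsearch side in 7.x is enabling the logfile audit output (xpack.security.audit.enabled), since the index output no longer exists.

```yaml
# Added example, not from the original post or from Elastic.
#
# Prerequisite in elasticsearch.yml on every node (7.x only has the logfile
# audit output, which writes <clustername>_audit.json into the log directory):
#   xpack.security.audit.enabled: true
#
# filebeat.yml, installed on each Elasticsearch node.
filebeat.modules:
  - module: elasticsearch
    # The "audit" fileset parses the JSON audit lines and maps them to ECS.
    audit:
      enabled: true
      # Assumed package-install log directory; adjust for your deployment.
      var.paths:
        - /var/log/elasticsearch/*_audit.json

# Destination: the cluster itself. Use a dedicated ingest user rather than
# a superuser; "filebeat_writer" is an assumed role/user name you create
# with only the write and setup privileges Filebeat needs.
output.elasticsearch:
  hosts: ["https://es01.example.internal:9200"]
  username: "filebeat_writer"
  # Resolved from the Filebeat keystore (filebeat keystore add FILEBEAT_PW),
  # so the password is not stored in this file.
  password: "${FILEBEAT_PW}"
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
```

Run `filebeat setup -e` once to install the module's ingest pipeline and index template, then start the Filebeat service on every node. Audit events will land in the filebeat-* indices with `event.dataset: elasticsearch.audit`, which is what you filter on in Kibana or in detection queries. One caveat worth keeping in mind: because the audit log is now written to disk first, the file permissions on the Elasticsearch log directory are part of your audit trail's integrity, and a node that loses disk before Filebeat ships the file loses those events.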