How Do I Enable Audit Logs for an Elasticsearch or OpenSearch Cluster of CSS?

Audit logs are disabled for Elasticsearch clusters by default.

Audit logs can be enabled for security-mode Elasticsearch 7.6.2 clusters as well as security-mode OpenSearch clusters.

1. Log in to the CSS management console.
2. In the navigation pane, choose Clusters. The cluster list is displayed.
3. Click the name of the target cluster to go to the cluster details page.
4. In the navigation pane on the left, choose Parameter Configurations. Click Edit, expand the Customize parameter, and click Add.
   • For an Elasticsearch cluster, set Key to opendistro_security.audit.type and Value to internal_elasticsearch.
   • For an OpenSearch cluster, set Key to plugins.security.audit.type and Value to internal_opensearch.
   Figure 1 Configuring a custom parameter
   
5. After the change is complete, click Submit.In the displayed Submit Configuration dialog box, select the box indicating "I understand that the modification will take effect after the cluster is restarted." and click Yes.

   If the Status is Succeeded in the parameter change list, the change has been saved.

6. Return to the cluster list and choose More > Restart in the Operation column to restart the cluster and make the change take effect.
7. After the cluster is restarted, click Access Kibana in the Operation column. On the displayed page, enter the username and password. The Dev Tools page is displayed.
8. In the Console page, run the GET _cat/indices?v command. If there are indexes related to .*audit*, the audit log function is enabled.