Updated on 2025-09-04 GMT+08:00

How Do I Enable Audit Logs for a CSS Cluster?

Audit logs can be enabled for security-mode Elasticsearch 7.6.2 clusters as well as security-mode OpenSearch clusters.

Audit logs are disabled for Elasticsearch clusters by default.

  1. Log in to the CSS management console.
  2. In the navigation pane on the left, expand Clusters. Select a cluster type based on the target cluster. The cluster list is displayed.
  3. In the cluster list, click the name of the target cluster. The cluster information page is displayed.
  4. Choose Cluster Settings > Parameter Settings.
  5. Click Edit, expand Custom, and click Add.
    • For an Elasticsearch cluster, set Key to opendistro_security.audit.type and Value to internal_elasticsearch.
    • For an OpenSearch cluster, set Key to plugins.security.audit.type and Value to internal_opensearch.
  6. After the change is complete, click Submit. In the displayed Submit Configuration dialog box, select the box indicating "I understand that the modification will take effect after the cluster is restarted." and click Yes.

    If the Status is Succeeded in the parameter change list, the change has been saved.

  7. On the cluster information page, click Restart in the upper-right corner to restart the cluster so that the change takes effect.
  8. After cluster restart, check whether audit logs have been enabled.
    1. For an Elasticsearch cluster, click Kibana in the Operation column to log in to Kibana. For an OpenSearch cluster, click Dashboards in the Operation column to log in to OpenSearch Dashboards.
    2. Expand the menu in the upper-left corner, and choose Dev Tools.
    3. Run the following command. If the result contains indexes whose names contain .*audit*, audit logs have been enabled.
      GET _cat/indices?v
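
The check in the last step can be scripted when the output of GET _cat/indices?v is saved as text. The following is an added example, not part of the CSS documentation: it reads the page's check as "the index name contains audit", and the sample output, index names and UUIDs in it are constructed.

```python
# Added example: parse the text table returned by `GET _cat/indices?v`
# and pick out audit-log indices. All sample rows below are constructed.

SAMPLE_CAT_INDICES = """\
health status index                        uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1                    Qh3xkJ0aTlq1example001   1   1         12            0     60.5kb         30.2kb
green  open   security-auditlog-2025.09.04 Zt8mLw2bRne2example002   1   1        347            0    512.3kb        256.1kb
green  open   .opendistro_security         Xp5vNc4dSuf3example003   1   1          9            0     80.1kb         40.0kb
yellow open   orders                       Bk7yHd6fTvg4example004   5   1      10420           13     12.4mb         12.4mb
"""


def parse_cat_indices(text):
    """Turn `_cat/indices?v` output into a list of dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    if "index" not in header:
        # Without the ?v header row the columns cannot be identified reliably.
        raise ValueError("no header row; run the request with ?v")
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def audit_indices(text, marker="audit"):
    """Return the rows whose index name contains `marker` (assumed reading of the check)."""
    return [r for r in parse_cat_indices(text) if marker in r.get("index", "")]


def audit_enabled(text):
    """True when at least one audit index is listed."""
    return bool(audit_indices(text))


if __name__ == "__main__":
    hits = audit_indices(SAMPLE_CAT_INDICES)
    for row in hits:
        print(f"{row['index']}: health={row['health']} docs={row['docs.count']}")
    print("audit logs enabled" if hits else "no audit index found")
```
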