Merged
Expand Up @@ -11,7 +11,7 @@ applies:

# Audit Elasticsearch search queries [auditing-search-queries]

There is no [audit event type](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events) specifically dedicated to search queries. Search queries are analyzed and then processed; the processing triggers authorization actions that are audited. However, the original raw query, as submitted by the client, is not accessible downstream when authorization auditing occurs.
There is no [audit event type](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events.md) specifically dedicated to search queries. Search queries are analyzed and then processed; the processing triggers authorization actions that are audited. However, the original raw query, as submitted by the client, is not accessible downstream when authorization auditing occurs.

Search queries are contained inside HTTP request bodies, however, and some audit events that are generated by the REST layer, on the coordinating node, can be toggled to output the request body to the audit log. Therefore, one must audit request bodies in order to audit search queries.
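Review bot: the replacement link in this hunk changes both the path prefix (`asciidocalypse://docs/elasticsearch/docs/reference/...`) and adds an explicit `.md` suffix, and since the surrounding paragraph relies on that one link to send readers to the audit event catalogue that backs the claim "there is no audit event type specifically dedicated to search queries", please confirm the new form resolves in the docs build rather than silently rendering as a dead link. The unchanged context that follows (request bodies must be audited to capture the raw query) is unaffected by the change and reads correctly as is.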

Expand Up @@ -24,7 +24,7 @@ When auditing security events, a single client request might generate multiple a
::::

For a complete description of event details and format, refer to the following resources:
* [{{es}} audit events details and schema](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events)
* [{{es}} audit events details and schema](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events.md)
* [{{es}} log entry output format](/deploy-manage/monitor/logging-configuration/logfile-audit-output.md#audit-log-entry-format)

### Kibana auditing configuration
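Review bot: the first bullet is migrated to the `asciidocalypse://docs/elasticsearch/...md` form, but the second bullet, `* [{{es}} log entry output format](/deploy-manage/monitor/logging-configuration/logfile-audit-output.md#audit-log-entry-format)`, keeps a repo-relative absolute path with an anchor; if both link styles are meant to coexist (external reference docs via the `asciidocalypse://` scheme, in-repo pages via relative paths), a one-line note in the PR description would help future authors pick the right one for new cross-references.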
Expand All @@ -38,7 +38,7 @@ In self-managed systems, you can optionally configure audit logs location, and f
To configure {{kib}} settings, follow the same [procedure](./enabling-audit-logs.md#enable-audit-logging-procedure) as when enabling {{kib}} audit logs, but apply the relevant settings instead.
::::

For a complete description of auditing event details, such as `category`, `type`, or `action`, refer to [{{kib}} audit events](https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html#xpack-security-ecs-audit-logging).
For a complete description of auditing event details, such as `category`, `type`, or `action`, refer to [{{kib}} audit events](asciidocalypse://docs/kibana/docs/reference/kibana-audit-events.md).

### General recommendations
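Review bot: the new Kibana link in this hunk drops the `#xpack-security-ecs-audit-logging` fragment that the old `www.elastic.co` URL carried, so the sentence "for a complete description of auditing event details, such as `category`, `type`, or `action`" now lands on the top of `kibana-audit-events.md` instead of the ECS audit logging section; please check whether the new page has an equivalent anchor and append it, or confirm the whole page is the intended target.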

Expand Up @@ -126,7 +126,6 @@ spec:
nodeSets:
- name: default
config:
# https://www.elastic.co/guide/en/elasticsearch/reference/current/enable-audit-logging.html
xpack.security.audit.enabled: true
---
apiVersion: kibana.k8s.elastic.co/v1
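Review bot: deleting the `# https://www.elastic.co/guide/en/elasticsearch/reference/current/enable-audit-logging.html` comment removes the only inline explanation of what `xpack.security.audit.enabled: true` does in this manifest; the hunk header (`-126,7 +126,6`) confirms only that one line is removed, so consider replacing the comment with the new-style reference instead of dropping it, unless the intent is that the prose around the code block already links there.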
Expand All @@ -142,7 +141,6 @@ spec:
- name: monitoring
namespace: observability
config:
# https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html
xpack.security.audit.enabled: true
```
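Review bot: same point as for the Elasticsearch spec above, applied to the `xpack.security.audit.enabled: true` line under the Kibana `config:` block: the removed `# https://www.elastic.co/guide/en/kibana/current/xpack-security-audit-logging.html` comment is the only in-manifest pointer to the Kibana audit settings, so either substitute the updated Kibana audit events reference or make sure the surrounding text links to it.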

Expand Up @@ -32,4 +32,4 @@ There are however a few attributes that are exceptions to the above format. The

When the `request.body` attribute is present (see [Auditing search queries](auditing-search-queries.md)), it contains a string value containing the full HTTP request body, escaped as per the JSON RFC 4677.

Refer to [audit event types](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events) for a complete list of fields, as well as examples, for each entry type.
Refer to [audit event types](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events.md) for a complete list of fields, as well as examples, for each entry type.
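Review bot: the link change itself is consistent with the other hunks, but the unchanged context line just above it cites "JSON RFC 4677" for the escaping of the `request.body` string; JSON is specified by RFC 4627 (since obsoleted by RFC 8259), while RFC 4677 is an unrelated document, so this is worth fixing in the same pass since the page is already being touched.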
Expand Up @@ -32,5 +32,5 @@ By following these guidelines, you can effectively audit system activity, enhanc

For a complete description of audit event details and format, refer to:

* [Elasticsearch audit events](asciidocalypse://elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events)
* [Kibana audit events](asciidocalypse://kibana/docs/reference/kibana-audit-events)
* [Elasticsearch audit events](asciidocalypse://docs/elasticsearch/docs/reference/elasticsearch/elasticsearch-audit-events.md)
* [Kibana audit events](asciidocalypse://docs/kibana/docs/reference/kibana-audit-events.md)
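Review bot: both bullets now use the `asciidocalypse://docs/<product>/docs/reference/...md` form, matching the earlier hunks, and the Kibana target (`asciidocalypse://docs/kibana/docs/reference/kibana-audit-events.md`) is the same one introduced in the Kibana configuration hunk; a quick search of the repo for any remaining `asciidocalypse://elasticsearch/` or `asciidocalypse://kibana/` occurrences would confirm the migration is complete, since any stragglers would break in the same way the old links did.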