diff --git a/deploy-manage/deploy/deployment-comparison.md b/deploy-manage/deploy/deployment-comparison.md index 4c71a81591..da68b528a8 100644 --- a/deploy-manage/deploy/deployment-comparison.md +++ b/deploy-manage/deploy/deployment-comparison.md @@ -12,7 +12,7 @@ For more details about feature availability in Serverless, check [](elastic-clou | [Security configurations](/deploy-manage/security.md) | Full control | Limited control | Limited control | | [Authentication realms](/deploy-manage/users-roles.md) | Available | Available | Available, through Elastic Cloud only | | [Custom roles](/deploy-manage/users-roles.md) | Available | Available | Available | -| [Audit logging](/deploy-manage/monitor/logging-configuration/configuring-audit-logs.md) | Available | Available | No | +| [Audit logging](/deploy-manage/security/logging-configuration/security-event-audit-logging.md) | Available | Available | No | ## Infrastructure and cluster management diff --git a/deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md b/deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md index 7b1e195490..93e7d5f1ab 100644 --- a/deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md +++ b/deploy-manage/monitor/stack-monitoring/collecting-log-data-with-filebeat.md 
@@ -27,7 +27,7 @@ If you’re using {{agent}}, do not deploy {{filebeat}} for log collection. Inst 2. Identify which logs you want to monitor. - The {{filebeat}} {{es}} module can handle [audit logs](../logging-configuration/logfile-audit-output.md), [deprecation logs](../logging-configuration/elasticsearch-log4j-configuration-self-managed.md#deprecation-logging), [gc logs](elasticsearch://reference/elasticsearch/jvm-settings.md#gc-logging), [server logs](../logging-configuration/elasticsearch-log4j-configuration-self-managed.md), and [slow logs](elasticsearch://reference/elasticsearch/index-settings/slow-log.md). For more information about the location of your {{es}} logs, see the [path.logs](../../deploy/self-managed/important-settings-configuration.md#path-settings) setting. + The {{filebeat}} {{es}} module can handle [audit logs](../../security/logging-configuration/logfile-audit-output.md), [deprecation logs](../logging-configuration/elasticsearch-log4j-configuration-self-managed.md#deprecation-logging), [gc logs](elasticsearch://reference/elasticsearch/jvm-settings.md#gc-logging), [server logs](../logging-configuration/elasticsearch-log4j-configuration-self-managed.md), and [slow logs](elasticsearch://reference/elasticsearch/index-settings/slow-log.md). For more information about the location of your {{es}} logs, see the [path.logs](../../deploy/self-managed/important-settings-configuration.md#path-settings) setting. ::::{important} If there are both structured (`*.json`) and unstructured (plain text) versions of the logs, you must use the structured logs. Otherwise, they might not appear in the appropriate context in {{kib}}. diff --git a/deploy-manage/monitor/stack-monitoring/ece-stack-monitoring.md b/deploy-manage/monitor/stack-monitoring/ece-stack-monitoring.md index 247ce65afe..af3d682d76 100644 --- a/deploy-manage/monitor/stack-monitoring/ece-stack-monitoring.md +++ b/deploy-manage/monitor/stack-monitoring/ece-stack-monitoring.md 
@@ -181,7 +181,7 @@ When shipping logs to a monitoring deployment there are more logging features av #### For {{es}}: [ece-extra-logging-features-elasticsearch] -* [Audit logging](../logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment +* [Audit logging](../../security/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment * [Slow query and index logging](elasticsearch://reference/elasticsearch/index-settings/slow-log.md) - helps find and debug slow queries and indexing * Verbose logging - helps debug stack issues by increasing component logs @@ -190,7 +190,7 @@ After you’ve enabled log delivery on your deployment, you can [add the Elastic #### For Kibana: [ece-extra-logging-features-kibana] -* [Audit logging](../logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment +* [Audit logging](../../security/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment After you’ve enabled log delivery on your deployment, you can [add the Kibana user settings](../../deploy/cloud-enterprise/edit-stack-settings.md) to enable this feature. diff --git a/deploy-manage/security.md b/deploy-manage/security.md index bd2461a95c..bd7f9293e4 100644 --- a/deploy-manage/security.md +++ b/deploy-manage/security.md 
@@ -121,6 +121,7 @@ There is no orchestration layer for self-managed deployments because you directl - [**Traffic filtering**](security/traffic-filtering.md): IP filtering, private links, and static IPs - [**Secure communications**](security/secure-cluster-communications.md): TLS configuration, certificates management - [**Data protection**](security/data-security.md): Encryption at rest, secure settings, saved objects +- [**Security event audit logging**](security/logging-configuration/security-event-audit-logging.md): {{es}} and {{kib}} audit logs - [**Session management**](security/kibana-session-management.md): Kibana session controls - [**FIPS 140-2 compliance**](security/fips-140-2.md): Federal security standards diff --git a/deploy-manage/monitor/logging-configuration/auditing-search-queries.md b/deploy-manage/security/logging-configuration/auditing-search-queries.md similarity index 100% rename from deploy-manage/monitor/logging-configuration/auditing-search-queries.md rename to deploy-manage/security/logging-configuration/auditing-search-queries.md diff --git a/deploy-manage/monitor/logging-configuration/configuring-audit-logs.md b/deploy-manage/security/logging-configuration/configuring-audit-logs.md similarity index 96% rename from deploy-manage/monitor/logging-configuration/configuring-audit-logs.md rename to deploy-manage/security/logging-configuration/configuring-audit-logs.md index d4e13dfe5b..4286c13bb8 100644 --- a/deploy-manage/monitor/logging-configuration/configuring-audit-logs.md +++ b/deploy-manage/security/logging-configuration/configuring-audit-logs.md 
@@ -26,7 +26,7 @@ When auditing security events, a single client request might generate multiple a For a complete description of event details and format, refer to the following resources: * [{{es}} audit events details and schema](elasticsearch://reference/elasticsearch/elasticsearch-audit-events.md) - * [{{es}} log entry output format](/deploy-manage/monitor/logging-configuration/logfile-audit-output.md#audit-log-entry-format) + * [{{es}} log entry output format](./logfile-audit-output.md#audit-log-entry-format) ### Kibana auditing configuration diff --git a/deploy-manage/monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md b/deploy-manage/security/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md similarity index 100% rename from deploy-manage/monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md rename to deploy-manage/security/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md diff --git a/deploy-manage/monitor/logging-configuration/enabling-audit-logs.md b/deploy-manage/security/logging-configuration/enabling-audit-logs.md similarity index 98% rename from deploy-manage/monitor/logging-configuration/enabling-audit-logs.md rename to deploy-manage/security/logging-configuration/enabling-audit-logs.md index 31e889c6ea..4eeb50af32 100644 --- a/deploy-manage/monitor/logging-configuration/enabling-audit-logs.md +++ b/deploy-manage/security/logging-configuration/enabling-audit-logs.md 
@@ -25,10 +25,10 @@ You can log security-related events such as authentication failures and refused This section describes how to enable and configure audit logging in both {{es}} and {{kib}} for all supported deployment types, including self-managed clusters, {{ech}}, {{ece}} (ECE), and {{eck}} (ECK). ::::{important} -In orchestrated deployments, audit logs must be shipped to a monitoring deployment; otherwise, they remain at container level and won't be accessible to users. For details on configuring log forwarding in orchestrated environments, refer to [logging configuration](../logging-configuration.md). +In orchestrated deployments, audit logs must be shipped to a monitoring deployment; otherwise, they remain at container level and won't be accessible to users. For details on configuring log forwarding in orchestrated environments, refer to [logging configuration](/deploy-manage/monitor/logging-configuration.md). :::: -When audit logging is enabled, security events are persisted to a dedicated `_audit.json` file on the host’s file system, on every cluster node. For more information, refer to [{{es}} logfile audit output](logfile-audit-output.md). +When audit logging is enabled, security events are persisted to a dedicated `_audit.json` file on the host’s file system, on every cluster node. For more information, refer to [{{es}} logfile audit output](./logfile-audit-output.md). ## Enable audit logging [enable-audit-logging-procedure] diff --git a/deploy-manage/monitor/logging-configuration/logfile-audit-events-ignore-policies.md b/deploy-manage/security/logging-configuration/logfile-audit-events-ignore-policies.md similarity index 100% rename from deploy-manage/monitor/logging-configuration/logfile-audit-events-ignore-policies.md rename to deploy-manage/security/logging-configuration/logfile-audit-events-ignore-policies.md 
diff --git a/deploy-manage/monitor/logging-configuration/logfile-audit-output.md b/deploy-manage/security/logging-configuration/logfile-audit-output.md similarity index 95% rename from deploy-manage/monitor/logging-configuration/logfile-audit-output.md rename to deploy-manage/security/logging-configuration/logfile-audit-output.md index 87e56c79b2..f7c8b6346b 100644 --- a/deploy-manage/monitor/logging-configuration/logfile-audit-output.md +++ b/deploy-manage/security/logging-configuration/logfile-audit-output.md @@ -31,6 +31,6 @@ The audit events are formatted as JSON documents, and each event is printed on a There are however a few attributes that are exceptions to the above format. The `put`, `delete`, `change`, `create` and `invalidate` attributes, which are only present for events with the `event.type: "security_config_change"` attribute, contain the **nested JSON** representation of the security change taking effect. The contents of the security config change are hence not displayed as top-level dot-named fields in the audit event document. That’s because the fields are specific to the particular kind of security change and do not show up in any other audit events. The benefits of a columnar format are therefore much more limited; the space-saving benefits of the nested structure is the favoured trade-off in this case. -When the `request.body` attribute is present (see [Auditing search queries](auditing-search-queries.md)), it contains a string value containing the full HTTP request body, escaped as per the JSON RFC 4677. +When the `request.body` attribute is present (see [Auditing search queries](./auditing-search-queries.md)), it contains a string value containing the full HTTP request body, escaped as per the JSON RFC 4677. Refer to [audit event types](elasticsearch://reference/elasticsearch/elasticsearch-audit-events.md) for a complete list of fields, as well as examples, for each entry type. 
diff --git a/deploy-manage/monitor/logging-configuration/security-event-audit-logging.md b/deploy-manage/security/logging-configuration/security-event-audit-logging.md similarity index 100% rename from deploy-manage/monitor/logging-configuration/security-event-audit-logging.md rename to deploy-manage/security/logging-configuration/security-event-audit-logging.md diff --git a/deploy-manage/toc.yml b/deploy-manage/toc.yml index 98a947623b..a54e7f7b73 100644 --- a/deploy-manage/toc.yml +++ b/deploy-manage/toc.yml @@ -522,6 +522,15 @@ toc: - file: security/enabling-cipher-suites-for-stronger-encryption.md - file: security/secure-settings.md - file: security/secure-saved-objects.md + - file: security/logging-configuration/security-event-audit-logging.md + children: + - file: security/logging-configuration/enabling-audit-logs.md + - file: security/logging-configuration/configuring-audit-logs.md + children: + - file: security/logging-configuration/logfile-audit-events-ignore-policies.md + - file: security/logging-configuration/logfile-audit-output.md + - file: security/logging-configuration/auditing-search-queries.md + - file: security/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md - file: security/kibana-session-management.md - file: security/fips-140-2.md - file: security/secure-clients-integrations.md 
@@ -742,15 +751,6 @@ toc: children: - file: monitor/logging-configuration/kibana-log-settings-examples.md - file: monitor/logging-configuration/kibana-logging-cli-configuration.md - - file: monitor/logging-configuration/security-event-audit-logging.md - children: - - file: monitor/logging-configuration/enabling-audit-logs.md - - file: monitor/logging-configuration/configuring-audit-logs.md - children: - - file: monitor/logging-configuration/logfile-audit-events-ignore-policies.md - - file: monitor/logging-configuration/logfile-audit-output.md - - file: monitor/logging-configuration/auditing-search-queries.md - - file: monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md - file: cloud-organization.md children: - file: cloud-organization/billing.md diff --git a/deploy-manage/upgrade.md b/deploy-manage/upgrade.md index c871b26ecd..fb72a19bd1 100644 --- a/deploy-manage/upgrade.md +++ b/deploy-manage/upgrade.md @@ -48,7 +48,7 @@ It is very important to map all the components that are being used on the {{stac * External services (Kafka, etc.) :::{tip} -When you do your inventory, you can [enable audit logging](/deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) to evaluate resources accessing your deployment. +When you do your inventory, you can [enable audit logging](/deploy-manage/security/logging-configuration/enabling-audit-logs.md) to evaluate resources accessing your deployment. ::: **Test your development environment** diff --git a/deploy-manage/users-roles.md b/deploy-manage/users-roles.md index f1442ed89f..3bac1bef76 100644 --- a/deploy-manage/users-roles.md +++ b/deploy-manage/users-roles.md 
@@ -22,7 +22,7 @@ Preventing unauthorized access is only one element of a complete security strate * Restrict the nodes and clients that can connect to the cluster using [traffic filters](/deploy-manage/security/traffic-filtering.md). * Take steps to maintain your data integrity and confidentiality by [encrypting HTTP and inter-node communications](/deploy-manage/security/secure-cluster-communications.md), as well as [encrypting your data at rest](/deploy-manage/security/encrypt-deployment.md). -* Maintain an [audit trail](/deploy-manage/monitor/logging-configuration/security-event-audit-logging.md) for security-related events. +* Maintain an [audit trail](/deploy-manage/security/logging-configuration/security-event-audit-logging.md) for security-related events. * Control access to dashboards and other saved objects in your UI using [{{kib}} spaces](/deploy-manage/manage-spaces.md). * Connect your cluster to a [remote cluster](/deploy-manage/remote-clusters.md) to enable cross-cluster replication and search. * Manage [API keys](/deploy-manage/api-keys.md) used for programmatic access to Elastic. diff --git a/deploy-manage/users-roles/cluster-or-deployment-auth/internal-users.md b/deploy-manage/users-roles/cluster-or-deployment-auth/internal-users.md index 36f2d2ee70..dd9ce8c007 100644 --- a/deploy-manage/users-roles/cluster-or-deployment-auth/internal-users.md +++ b/deploy-manage/users-roles/cluster-or-deployment-auth/internal-users.md 
@@ -20,5 +20,5 @@ The {{stack-security-features}} use eight *internal* users (`_system`, `_xpack`, These users are only used by requests that originate from within the cluster. For this reason, they cannot be used to authenticate against the API and there is no password to manage or reset. -From time-to-time you may find a reference to one of these users inside your logs, including [audit logs](../../monitor/logging-configuration/enabling-audit-logs.md). +From time-to-time you may find a reference to one of these users inside your logs, including [audit logs](../../security/logging-configuration/enabling-audit-logs.md). diff --git a/manage-data/ingest/ingesting-data-from-applications/ingest-data-with-nodejs-on-elasticsearch-service.md b/manage-data/ingest/ingesting-data-from-applications/ingest-data-with-nodejs-on-elasticsearch-service.md index a87863a9c3..7c1ed9b29d 100644 --- a/manage-data/ingest/ingesting-data-from-applications/ingest-data-with-nodejs-on-elasticsearch-service.md +++ b/manage-data/ingest/ingesting-data-from-applications/ingest-data-with-nodejs-on-elasticsearch-service.md 
@@ -292,7 +292,7 @@ const client = new Client({ }) ``` -Check [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) to learn more about API Keys and [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to understand which privileges are needed. If you are not sure what the right combination of privileges for your custom application is, you can enable [audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) on {{es}} to find out what privileges are being used. To learn more about how logging works on {{ech}} or {{ece}}, check [Monitoring Elastic Cloud deployment logs and metrics](https://www.elastic.co/blog/monitoring-elastic-cloud-deployment-logs-and-metrics). +Check [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) to learn more about API Keys and [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to understand which privileges are needed. If you are not sure what the right combination of privileges for your custom application is, you can enable [audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) on {{es}} to find out what privileges are being used. To learn more about how logging works on {{ech}} or {{ece}}, check [Monitoring Elastic Cloud deployment logs and metrics](https://www.elastic.co/blog/monitoring-elastic-cloud-deployment-logs-and-metrics). ### Best practices [ec_best_practices] diff --git a/manage-data/ingest/ingesting-data-from-applications/ingest-data-with-python-on-elasticsearch-service.md b/manage-data/ingest/ingesting-data-from-applications/ingest-data-with-python-on-elasticsearch-service.md index bf16f2c918..5cfa8bd831 100644 
--- a/manage-data/ingest/ingesting-data-from-applications/ingest-data-with-python-on-elasticsearch-service.md +++ b/manage-data/ingest/ingesting-data-from-applications/ingest-data-with-python-on-elasticsearch-service.md @@ -353,7 +353,7 @@ es = Elasticsearch( ) ``` -Check [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) to learn more about API Keys and [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to understand which privileges are needed. If you are not sure what the right combination of privileges for your custom application is, you can enable [audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) on {{es}} to find out what privileges are being used. To learn more about how logging works on {{ech}} or {{ece}}, check [Monitoring Elastic Cloud deployment logs and metrics](https://www.elastic.co/blog/monitoring-elastic-cloud-deployment-logs-and-metrics). +Check [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) to learn more about API Keys and [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to understand which privileges are needed. If you are not sure what the right combination of privileges for your custom application is, you can enable [audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) on {{es}} to find out what privileges are being used. To learn more about how logging works on {{ech}} or {{ece}}, check [Monitoring Elastic Cloud deployment logs and metrics](https://www.elastic.co/blog/monitoring-elastic-cloud-deployment-logs-and-metrics). For more information on refreshing an index, searching, updating, and deleting, check the [elasticsearch-py examples](elasticsearch-py://reference/examples.md). 
diff --git a/raw-migrated-files/cloud/cloud-heroku/ech-enable-logging-and-monitoring.md b/raw-migrated-files/cloud/cloud-heroku/ech-enable-logging-and-monitoring.md index 6a8df2a487..d3c48bc78e 100644 --- a/raw-migrated-files/cloud/cloud-heroku/ech-enable-logging-and-monitoring.md +++ b/raw-migrated-files/cloud/cloud-heroku/ech-enable-logging-and-monitoring.md @@ -172,7 +172,7 @@ When shipping logs to a monitoring deployment there are more logging features av #### For {{es}}: [ech-extra-logging-features-elasticsearch] -* [Audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment +* [Audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment * [Slow query and index logging](elasticsearch://reference/elasticsearch/index-settings/slow-log.md) - helps find and debug slow queries and indexing * Verbose logging - helps debug stack issues by increasing component logs @@ -181,7 +181,7 @@ After you’ve enabled log delivery on your deployment, you can [add the Elastic #### For Kibana: [ech-extra-logging-features-kibana] -* [Audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment +* [Audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment After you’ve enabled log delivery on your deployment, you can [add the Kibana user settings](../../../deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) to enable this feature. diff --git a/raw-migrated-files/cloud/cloud/ec-enable-logging-and-monitoring.md b/raw-migrated-files/cloud/cloud/ec-enable-logging-and-monitoring.md index fb308686a5..1ec417f0d2 100644 --- a/raw-migrated-files/cloud/cloud/ec-enable-logging-and-monitoring.md 
+++ b/raw-migrated-files/cloud/cloud/ec-enable-logging-and-monitoring.md @@ -172,7 +172,7 @@ When shipping logs to a monitoring deployment there are more logging features av #### For {{es}}: [ec-extra-logging-features-elasticsearch] -* [Audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment +* [Audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment * [Slow query and index logging](elasticsearch://reference/elasticsearch/index-settings/slow-log.md) - helps find and debug slow queries and indexing * Verbose logging - helps debug stack issues by increasing component logs @@ -181,7 +181,7 @@ After you’ve enabled log delivery on your deployment, you can [add the Elastic #### For Kibana: [ec-extra-logging-features-kibana] -* [Audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment +* [Audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) - logs security-related events on your deployment After you’ve enabled log delivery on your deployment, you can [add the Kibana user settings](../../../deploy-manage/deploy/elastic-cloud/edit-stack-settings.md) to enable this feature. diff --git a/raw-migrated-files/cloud/cloud/ec-getting-started-node-js.md b/raw-migrated-files/cloud/cloud/ec-getting-started-node-js.md index 528cc9e8a6..af81e68920 100644 --- a/raw-migrated-files/cloud/cloud/ec-getting-started-node-js.md +++ b/raw-migrated-files/cloud/cloud/ec-getting-started-node-js.md 
@@ -272,7 +272,7 @@ const client = new Client({ }) ``` -Check [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) to learn more about API Keys and [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to understand which privileges are needed. If you are not sure what the right combination of privileges for your custom application is, you can enable [audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) on {{es}} to find out what privileges are being used. To learn more about how logging works on {{ech}}, check [Monitoring Elastic Cloud deployment logs and metrics](https://www.elastic.co/blog/monitoring-elastic-cloud-deployment-logs-and-metrics). +Check [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) to learn more about API Keys and [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to understand which privileges are needed. If you are not sure what the right combination of privileges for your custom application is, you can enable [audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) on {{es}} to find out what privileges are being used. To learn more about how logging works on {{ech}}, check [Monitoring Elastic Cloud deployment logs and metrics](https://www.elastic.co/blog/monitoring-elastic-cloud-deployment-logs-and-metrics). ### Best practices [ec_best_practices] diff --git a/raw-migrated-files/cloud/cloud/ec-getting-started-python.md b/raw-migrated-files/cloud/cloud/ec-getting-started-python.md index 4f6f6967b0..2da1771fcc 100644 --- a/raw-migrated-files/cloud/cloud/ec-getting-started-python.md +++ b/raw-migrated-files/cloud/cloud/ec-getting-started-python.md 
@@ -333,7 +333,7 @@ es = Elasticsearch( ) ``` -Check [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) to learn more about API Keys and [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to understand which privileges are needed. If you are not sure what the right combination of privileges for your custom application is, you can enable [audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) on {{es}} to find out what privileges are being used. To learn more about how logging works on {{ech}}, check [Monitoring Elastic Cloud deployment logs and metrics](https://www.elastic.co/blog/monitoring-elastic-cloud-deployment-logs-and-metrics). +Check [Create API key API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-security-create-api-key) to learn more about API Keys and [Security privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/elasticsearch-privileges.md) to understand which privileges are needed. If you are not sure what the right combination of privileges for your custom application is, you can enable [audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) on {{es}} to find out what privileges are being used. To learn more about how logging works on {{ech}}, check [Monitoring Elastic Cloud deployment logs and metrics](https://www.elastic.co/blog/monitoring-elastic-cloud-deployment-logs-and-metrics). For more information on refreshing an index, searching, updating, and deleting, check the [elasticsearch-py examples](elasticsearch-py://reference/examples.md). diff --git a/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md b/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md index fd450af95e..bd2e70731e 100644 
--- a/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md +++ b/raw-migrated-files/elasticsearch/elasticsearch-reference/secure-cluster.md @@ -42,5 +42,5 @@ See [Configure security for the {{stack}}](../../../deploy-manage/security/secur Keeping a system secure takes vigilance. By using {{stack-security-features}} to maintain an audit trail, you can easily see who is accessing your cluster and what they’re doing. You can configure the audit level, which accounts for the type of events that are logged. These events include failed authentication attempts, user access denied, node connection denied, and more. By analyzing access patterns and failed attempts to access your cluster, you can gain insights into attempted attacks and data breaches. Keeping an auditable log of the activity in your cluster can also help diagnose operational issues. -See [Enable audit logging](../../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md). +See [Enable audit logging](../../../deploy-manage/security/logging-configuration/enabling-audit-logs.md). diff --git a/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md b/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md index b175b11e12..df451f0362 100644 --- a/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md +++ b/raw-migrated-files/elasticsearch/elasticsearch-reference/security-files.md 
@@ -6,7 +6,7 @@ The {{es}} {{security-features}} use the following files: * `ES_PATH_CONF/elasticsearch-users` defines the users and their hashed passwords for the `file` realm. See [File-based user authentication](../../../deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md). * `ES_PATH_CONF/elasticsearch-users_roles` defines the user roles assignment for the `file` realm. See [File-based user authentication](../../../deploy-manage/users-roles/cluster-or-deployment-auth/file-based.md). * `ES_PATH_CONF/role_mapping.yml` defines the role assignments for a Distinguished Name (DN) to a role. This allows for LDAP and Active Directory groups and users and PKI users to be mapped to roles. See [Mapping users and groups to roles](../../../deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles.md). -* `ES_PATH_CONF/log4j2.properties` contains audit information. See [Logfile audit output](../../../deploy-manage/monitor/logging-configuration/logfile-audit-output.md). +* `ES_PATH_CONF/log4j2.properties` contains audit information. See [Logfile audit output](../../../deploy-manage/security/logging-configuration/logfile-audit-output.md). ::::{important} :name: security-files-location diff --git a/redirects.yml b/redirects.yml index 9f65b82505..8fd77cc2c4 100644 --- a/redirects.yml +++ b/redirects.yml 
@@ -18,7 +18,12 @@ redirects: anchors: 'spaces-control-feature-visibility': 'deploy-manage/deploy/cloud-enterprise/deploy-large-installation-cloud.md': '!deploy-manage/deploy/cloud-enterprise/deploy-large-installation.md' - + ## audit logging movement to security section + 'deploy-manage/monitor/logging-configuration/configuring-audit-logs.md': 'deploy-manage/security/logging-configuration/configuring-audit-logs.md' + 'deploy-manage/monitor/logging-configuration/enabling-audit-logs.md': 'deploy-manage/security/logging-configuration/enabling-audit-logs.md' + 'deploy-manage/monitor/logging-configuration/logfile-audit-events-ignore-policies.md': 'deploy-manage/security/logging-configuration/logfile-audit-events-ignore-policies.md' + 'deploy-manage/monitor/logging-configuration/auditing-search-queries.md': 'deploy-manage/security/logging-configuration/auditing-search-queries.md' + 'deploy-manage/monitor/logging-configuration/logfile-audit-output.md': 'deploy-manage/security/logging-configuration/logfile-audit-output.md' ## explore-analyze 'explore-analyze/machine-learning/nlp/ml-nlp-auto-scale.md': '!deploy-manage/autoscaling/trained-model-autoscaling.md' diff --git a/troubleshoot/elasticsearch/hotspotting.md b/troubleshoot/elasticsearch/hotspotting.md index 50789a00fe..94b70dee7b 100644 --- a/troubleshoot/elasticsearch/hotspotting.md +++ b/troubleshoot/elasticsearch/hotspotting.md 
@@ -175,5 +175,5 @@ Its response contains a `description` that reports this query: indices[winlogbeat-*,logs-window*], sequence by winlog.computer_name with maxspan=1m\n\n[authentication where host.os.type == "windows" and event.action:"logged-in" and\n event.outcome == "success" and process.name == "svchost.exe" ] by winlog.event_data.TargetLogonId ``` -This lets you know which indices to check (`winlogbeat-*,logs-window*`), as well as the [EQL search](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-search) request body. Most likely this is [SIEM related](/solutions/security.md). You can combine this with [audit logging](../../deploy-manage/monitor/logging-configuration/enabling-audit-logs.md) as needed to trace the request source. +This lets you know which indices to check (`winlogbeat-*,logs-window*`), as well as the [EQL search](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-eql-search) request body. Most likely this is [SIEM related](/solutions/security.md). You can combine this with [audit logging](../../deploy-manage/security/logging-configuration/enabling-audit-logs.md) as needed to trace the request source.
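Review bot: the `redirects.yml` hunk adds entries for only five of the seven pages this patch renames; `security-event-audit-logging.md` and `correlating-kibana-elasticsearch-audit-logs.md` (both moved with `similarity index 100%`, and both linked from `deployment-comparison.md`, `users-roles.md` and the toc) get no redirect, so their old `deploy-manage/monitor/logging-configuration/...` URLs will break. Add the two missing entries under the same comment, e.g.
'deploy-manage/monitor/logging-configuration/security-event-audit-logging.md': 'deploy-manage/security/logging-configuration/security-event-audit-logging.md'
'deploy-manage/monitor/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md': 'deploy-manage/security/logging-configuration/correlating-kibana-elasticsearch-audit-logs.md'
The hunk also drops the blank line that separated the previous block from the `## explore-analyze` comment; keep it so the file's block spacing stays consistent.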
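Review bot: the four files renamed without content changes (`auditing-search-queries.md`, `correlating-kibana-elasticsearch-audit-logs.md`, `logfile-audit-events-ignore-policies.md`, `security-event-audit-logging.md`) need the same relative-link check that `enabling-audit-logs.md` got in this patch, where `../logging-configuration.md` had to become `/deploy-manage/monitor/logging-configuration.md` because `..` now resolves to `security/` instead of `monitor/`. Links between the moved siblings (`./logfile-audit-output.md` style) still work, but any `../<page>.md` or `../stack-monitoring/...` reference in those four files now points at a non-existent path. Run the docs link checker on the branch, or grep the four files for `](../`, before merging.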
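Review bot: the rewritten line in the `logfile-audit-output.md` hunk still says the `request.body` value is "escaped as per the JSON RFC 4677". RFC 4677 is not the JSON specification; JSON was specified in RFC 4627, now obsoleted by RFC 8259. Since the line is already being modified, correct the reference (RFC 8259) rather than carrying the wrong number into the new location.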
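Review bot: the `deployment-comparison.md` hunk does more than update a path: the "Audit logging" row is retargeted from `configuring-audit-logs.md` to the `security-event-audit-logging.md` overview page. That is a reasonable landing page for a feature-comparison table, and the old target keeps working via the new redirect, but it is the only link in this patch that changes destination rather than location, so call it out in the PR description so it is not mistaken for a mechanical move.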