Audit All user actions

We are wondering if we can log all ‘KQL’ queries for all users with granted permissions to query these indices. We tried with the default installation to discover all audit actions,
but the only default tracked events are:

  • Failed login
  • Successful login
  • Missing privileges to run a certain request
  • Granted privileges to run a certain request
  • SSL/TLS error when Elasticsearch was contacted but there was no certificate or the provided certificate was incorrect
  • Attempt to alter the configuration of the internal security module without required privileges
  • Attempt to interact with Elasticsearch without security headers

which doesn’t contain users’ successful search queries.
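Successful searches are not missing from the audit log by accident: in Open Distro's security plugin, the audit categories that cover successful requests (AUTHENTICATED and GRANTED_PRIVILEGES) are disabled by default, and the request body (the Elasticsearch query DSL that Kibana generates from the KQL the user typed) is not written unless body logging is turned on. The `elasticsearch.yml` fragment below is an added configuration example, not something from the original post or from the Open Distro project's documentation; the setting names are the ones documented for Open Distro audit logging, but the exact set available depends on the installed version, so verify them against that version's documentation before rolling out. Note that the audit log records the query DSL sent to Elasticsearch, not the KQL text itself, which only exists on the Kibana side.

```yaml
# Added example for elasticsearch.yml (assumed Open Distro audit-log settings;
# check them against the docs of the version you run).

# Write audit records into an index on the cluster itself (one record per event).
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.audit.config.index: "'security-auditlog-'YYYY.MM.dd"

# Capture both REST requests (what Kibana and curl send) and transport-layer actions.
opendistro_security.audit.enable_rest: true
opendistro_security.audit.enable_transport: true

# Default installation: these two categories are disabled, which is why successful
# searches never show up. Enable them by disabling nothing (empty list),
# or keep only AUTHENTICATED disabled if you want granted requests without login noise.
opendistro_security.audit.config.disabled_rest_categories: []
opendistro_security.audit.config.disabled_transport_categories: []

# Include the request body so the record carries the actual query DSL,
# and resolve wildcards/aliases to the concrete indices that were read.
opendistro_security.audit.config.log_request_body: true
opendistro_security.audit.config.resolve_indices: true

# Keep the service account that Kibana uses out of the log; its own calls would
# otherwise bury the human users' queries.
opendistro_security.audit.config.ignore_users:
  - kibanaserver
```

With GRANTED_PRIVILEGES enabled, every permitted search produces one record carrying the user, the resolved indices and (with `log_request_body`) the query, so the volume can be substantial on a busy cluster; restrict the audit index's read access to the security team and size retention accordingly.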


Open Distro guys, please answer


Hi @waeshalaby, did you get this working? The docs seem to cover most of what you are looking for.