Degradation with audit logs in production after upgrading Elastic OD

Hi,
After upgrading Elasticsearch OpenDistro from 1.9.0 to 1.13.0 some of the data nodes and coordinating nodes in our production cluster don’t write audit logs anymore.

I saw the issue is mostly with the “AUTHENTICATED” audit_category; I see some INDEX_EVENT audit logs but not “AUTHENTICATED”.

The logs on the hosts when I’m restarting them say: “[AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing.”

[2021-05-13T08:47:23,915][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] Auditing on REST API is enabled.
[2021-05-13T08:47:23,915][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing.
[2021-05-13T08:47:23,916][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] Auditing on Transport API is enabled.
[2021-05-13T08:47:23,916][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from Transport API auditing.
[2021-05-13T08:47:23,916][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] Auditing of request body is enabled.
[2021-05-13T08:47:23,916][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] Bulk requests resolution is disabled during request auditing.

I’ve tried to change these parameters to NONE:

opendistro_security.audit.config.disabled_rest_categories
opendistro_security.audit.config.disabled_transport_categories

but it doesn’t help.

Do you know how I can fix this issue?

Thanks!

@moses
Since 1.11 the configuration has been moved to the Kibana UI.

Hope this helps

Helped a lot!
Thank you!
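As an added example (not code from the thread or from the OpenDistro project), a check a defender can run over node logs after an upgrade like this one: it parses the AuditLogImpl startup lines quoted above and reports which audit categories a node will not write, per API, so an audit gap is caught at restart rather than discovered later. The sample log is constructed from the post's own lines; the function names are assumed, not part of any real tool.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input: the AuditLogImpl startup lines quoted in the post above.
SAMPLE_LOG = """\
[2021-05-13T08:47:23,915][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] Auditing on REST API is enabled.
[2021-05-13T08:47:23,915][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from REST API auditing.
[2021-05-13T08:47:23,916][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] Auditing on Transport API is enabled.
[2021-05-13T08:47:23,916][INFO ][c.a.o.s.a.i.AuditLogImpl ] [es-od-research-data-117] [AUTHENTICATED, GRANTED_PRIVILEGES] are excluded from Transport API auditing.
"""

# Message shapes printed by AuditLogImpl at startup (taken from the lines above).
ENABLED_RE = re.compile(r"Auditing on (REST|Transport) API is (enabled|disabled)\.")
EXCLUDED_RE = re.compile(r"\[([A-Z_, ]*)\] are excluded from (REST|Transport) API auditing\.")


def parse_audit_startup(log_text: str) -> Dict[str, dict]:
    """Return {"REST": {"enabled": bool, "excluded": [...]}, "Transport": {...}} from AuditLogImpl lines."""
    state: Dict[str, dict] = {}
    for line in log_text.splitlines():
        if "AuditLogImpl" not in line:
            continue  # only the audit subsystem's own startup messages matter here
        m = ENABLED_RE.search(line)
        if m:
            api, status = m.groups()
            state.setdefault(api, {"enabled": False, "excluded": []})["enabled"] = status == "enabled"
            continue
        m = EXCLUDED_RE.search(line)
        if m:
            # "[A, B] are excluded ..." -> ["A", "B"]; an empty "[]" yields no exclusions
            cats = [c.strip() for c in m.group(1).split(",") if c.strip()]
            state.setdefault(m.group(2), {"enabled": False, "excluded": []})["excluded"] = cats
    return state


def audit_gaps(state: Dict[str, dict], required: Set[str]) -> List[Tuple[str, str]]:
    """List (api, category) pairs the policy requires but the node will not log.

    A category is a gap when its API is disabled entirely, when the API never reported
    its state, or when the category appears in the exclusion list printed at startup.
    """
    gaps = []
    for api in ("REST", "Transport"):
        info = state.get(api, {"enabled": False, "excluded": []})
        for cat in sorted(required):
            if not info["enabled"] or cat in info["excluded"]:
                gaps.append((api, cat))
    return gaps
```

Run `audit_gaps(parse_audit_startup(log), {"AUTHENTICATED"})` on each node's log after a restart; a non-empty result is the condition described in the post.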