AWS Open Source Blog

Use Open Distro for Elasticsearch to Alert on Security Events

Open Distro for Elasticsearch’s Security plugin ships with the capability to create an audit log to track access to your cluster. You can surface various types of audit events like authentications, and failed logins. In a prior post, we covered the basics of setting an alert in Open Distro for Elasticsearch. In this post, we will couple the security plugin with the Alerting plugin to enable alerts on failed login attempts. You can expand this pattern to get notified whenever there are potentially malicious attempts to access your Elasticsearch cluster.

Set Up Your Monitor

Audit logging is enabled by setting opendistro_security.audit.type: internal_elasticsearch in your elasticsearch.yml file. Our Docker and rpm distributions enable this setting by default.

Open your Kibana dashboard, go to the Alerting tab, and click on Create Monitor. Give the monitor a name and the Schedule of when you want it to run. I named my monitor Audit Unauthorized Access Events, and set it to run Every 1 minute.

first wizard dialog to create a monitor in open distro for elasticsearch, setting the name and schedule

On the same page, scroll down to the Define Monitor section; this is where you define which index you want to monitor and an extraction condition for the data you will use to set a trigger for alerts. Set the index to security-auditlog-*, the destination for the security plugin’s audit logs. Define the monitor condition as WHEN count() OVER all documents FOR THE LAST 5 minute(s). Click on the Create button at the bottom to create your monitor.

second wizard dialog creating a monitor in open distro for elasticsearch, showing the conditions for extracting data

You can also define the monitor using an extraction query. For example, if you just want to monitor Failed Login attempts in the last 5 minutes, then the extraction query might look like:

    "query": {
        "bool": {
            "must": [
                    "match": { 
                        "audit_category": {
                            "query": "FAILED_LOGIN"
                    "range" : {
                        "audit_utc_timestamp" : {
                            "gte" : "now-5m"
    "sort": [{ 
        "audit_utc_timestamp" : {
            "order" : "desc"

Set Up Your Trigger

Next, you need to create a trigger for this monitor. A trigger allows you to perform an action when the trigger’s condition on the monitor is met. I’ll create a trigger which sends an alert when my monitor query returns one or more results. Set the Trigger name to Unauthorized Access Events on ES Cluster, Severity level to 1, and Trigger condition to Above 1:

wizard dialog for creating a monitor trigger in open distro for elasticsearch, setting the trigger name, severity, and threshold value

Scroll down and add an action for this trigger. I’ve configured an Amazon Chime room notification. Set the Action name to Notify OnCall, the Destination name to Chime, the Message subject to Unauthorized Access Events on ES Cluster, and add a descriptive Message. I copied my message from our documentation:

wizard for setting the actions to perform when an open distro for elasticsearch monitor trigger fires. Setting the destination, message subject, and message template

This is how the monitor dashboard looks once everything is created:

A completed monitor in open distro for elasticsearch, showing the status section

A completed monitor in open distro for elasticsearch, showing the triggering and alerting history

The green bar shows that there were no triggers in the recent past. You can create a trigger and alert by logging out from Kibana and using bad credentials to create a failed login attempt. Log back in again (with your real credentials) and you’ll see something like this (note the red in the bar at the corresponding timestamp:

Monitor history in open distro for elasticsearch with two periods where the trigger has fired and open distro has sent alerts

You will also get an “Unauthorized Access Event” notification like this:

Alert message received when open distro for elasticsearch's trigger sends an alert


In this post, we explored alerting on failed logins. The Security plugin supports many more auditing categories. You can write complex extraction queries to alert on specific use cases such as repeated attempts to access a particular index.

You can also configure the data audit that logging generates by enabling/disabling certain categories in your elasticsearch.yml. You can find the list of those settings in Audit Logs – Open Distro for Elasticsearch Documentation.

Audit logging is useful in maintaining compliance and in the aftermath of a security breach. When used with Alerting, it can help you proactively defend your cluster.

Have an issue or question? Want to contribute? You can get help and discuss Open Distro for Elasticsearch on our forums. You can file issues here.

Shivang Doshi

Shivang Doshi

Shivang Doshi is a Software Development Engineer at Amazon Web Services based in Palo Alto, CA. Shivang works closely with Product Managers to develop new features for AWS Elasticsearch Service to provide more secure clusters for our customers. Shivang holds a Bachelor's Degree in Information Technology from University of Mumbai and a Masters in Software Engineer from San Jose State University.