What are OpenSearch audit logs?

Description

When OpenSearch Audit Logging is enabled in NSP, the system begins capturing and recording security-relevant events generated within the OpenSearch cluster.

These audit logs provide detailed visibility into user actions, system access, and security-related operations, helping to ensure accountability, compliance, and traceability across the platform.

This feature captures REST API requests, transport-layer activity, and compliance activity, including:

  • Index creation, deletion, and update when logging is enabled for these operations

  • Authentication success or failure

  • Authorization failure

  • Missing privileges

  • SSL and certificate errors

  • Other error categories enabled in audit.yml

OpenSearch audit logging is disabled by default.

Audit log indexes

Audit logs are created daily and have the index format security-audit-logs-yyyy.MM.dd, where yyyy.MM.dd is the year, month, and day.

  • Audit events are indexed in OpenSearch under security-audit-*.

  • Indexing happens only when nsp.modules.logging.opensearchSecurityAuditLogs.enabled: true.

  • Retention is controlled by retentionPeriodInDaysOverride.

  • The retention lifecycle is enforced by the ISM policy AuditLogCleanUpPolicy.

  • In OpenSearch Dashboards, view audit logs in Discover using the data view security-audit-*.

The logs are mapped to /usr/share/opensearch/plugins/opensearch-security/securityconfig/audit.yml.

The audit logs are retained according to the setting in the NSP configuration file.
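As an added example (not NSP's or the OpenSearch project's own code), the Python below works on two things this page describes: audit events shaped like the security plugin's documents, and the daily security-audit-logs-yyyy.MM.dd index names. It flags users with a burst of FAILED_LOGIN events, and lists daily indices that have outlived the retention window, a quick check that AuditLogCleanUpPolicy is actually removing old indices. The field names audit_category and audit_request_effective_user are the OpenSearch security plugin's; the events, index names and thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
INDEX_PREFIX = "security-audit-logs-"  # daily index name format from the page

def ev(ts, category, user):
    """Build a minimal audit event using the security plugin's field names."""
    return {"@timestamp": ts, "audit_category": category, "audit_request_effective_user": user}

# Constructed sample data: users, times and index names are made up for this example.
SAMPLE_EVENTS = [
    ev("2024-05-01T10:00:00Z", "FAILED_LOGIN", "alice"),
    ev("2024-05-01T10:00:20Z", "FAILED_LOGIN", "alice"),
    ev("2024-05-01T10:00:40Z", "FAILED_LOGIN", "alice"),
    ev("2024-05-01T10:01:00Z", "AUTHENTICATED", "alice"),
    ev("2024-05-01T10:05:00Z", "FAILED_LOGIN", "bob"),
    ev("2024-05-01T10:06:00Z", "MISSING_PRIVILEGES", "bob"),
]
SAMPLE_INDICES = ["security-audit-logs-2024.03.30", "security-audit-logs-2024.04.01",
                  "security-audit-logs-2024.04.25", ".opendistro_security"]

def index_date(name):
    """Parse the yyyy.MM.dd suffix of a daily audit index; None for any other index."""
    if not name.startswith(INDEX_PREFIX):
        return None
    try:
        return datetime.strptime(name[len(INDEX_PREFIX):], "%Y.%m.%d").date()
    except ValueError:
        return None

def expired_indices(names, today_ymd, retention_days):
    """Daily audit indices older than the retention window (today_ymd is yyyy.MM.dd)."""
    cutoff = datetime.strptime(today_ymd, "%Y.%m.%d").date() - timedelta(days=retention_days)
    return sorted(n for n in names if (d := index_date(n)) is not None and d < cutoff)

def failed_login_bursts(events, threshold, window_seconds):
    """Users with >= threshold FAILED_LOGIN events inside any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for e in events:
        if e["audit_category"] == "FAILED_LOGIN":
            by_user[e["audit_request_effective_user"]].append(
                datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

In practice the events would come from a query against security-audit-* and the index names from the cluster's index listing, rather than from the constructed samples.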