This skill helps you enable and configure Elasticsearch's security audit logging through the cluster settings API. You'll use it when you need to track authentication failures, investigate unauthorized access attempts, or set up compliance logging. It covers the full workflow: turning audit on or off, choosing which events to record (like failed logins versus every granted request), setting up filter policies to ignore noisy system users, and switching between file or index outputs so you can query events programmatically. The filtering is genuinely useful since audit logs on busy clusters get massive fast if you're logging every access_granted event. Requires a gold license or higher.
npx skills add https://github.com/elastic/agent-skills --skill elasticsearch-audit
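As an added example (not part of the skill or of Elastic's own code), the script below does two things the workflow above describes: it builds the PUT _cluster/settings body that selects the audit events to record and defines an ignore-filter policy for noisy system users, and it applies the same policy logic to a few constructed JSON audit-log lines so you can see which events survive. The setting names xpack.security.audit.logfile.events.include and xpack.security.audit.logfile.events.ignore_filters.<policy>.<attribute> are the real dynamic settings; note that in current Elasticsearch releases xpack.security.audit.enabled itself is a static node setting that lives in elasticsearch.yml, so only the event selection and filters can be changed through the API without a restart. The field names used in the sample lines (user.name, user.realm, user.roles, action, indices) follow the JSON logfile format, and the matching rule for multi-valued attributes (every value of the event must match one of the policy's patterns) is my reading of the documented behaviour, labelled as an assumption in the code.

```python
import fnmatch
import json
from collections import Counter

# Events worth recording on a busy cluster: failures and denials rather than
# every access_granted, which is the event that makes audit logs balloon.
DEFAULT_INCLUDE = [
    "authentication_failed",
    "access_denied",
    "tampered_request",
    "connection_denied",
]

# Ignore-filter policy: drop events for internal/system users (constructed).
IGNORE_POLICIES = {
    "system_users": {"users": ["_system", "kibana_system"]},
    # A multi-attribute policy: both realm and index pattern must match.
    "kibana_internal": {"realms": ["reserved"], "indices": [".kibana*"]},
}

# Policy attribute -> field in the JSON audit event it is checked against.
ATTRIBUTE_FIELDS = {
    "users": "user.name",
    "realms": "user.realm",
    "roles": "user.roles",
    "indices": "indices",
    "actions": "action",
}

# Constructed sample audit-log lines in the JSON logfile layout.
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","event.type":"transport","event.action":"access_granted",'
    '"user.name":"_system","user.realm":"__attach","user.roles":["_system"],'
    '"action":"internal:cluster/nodes/indices/shard/store"}',
    '{"type":"audit","event.type":"rest","event.action":"authentication_failed",'
    '"user.name":"admin","origin.address":"203.0.113.9:51234",'
    '"url.path":"/_security/_authenticate"}',
    '{"type":"audit","event.type":"transport","event.action":"access_denied",'
    '"user.name":"reporting","user.realm":"native","user.roles":["viewer"],'
    '"action":"indices:admin/delete","indices":["logs-2024.01.01"]}',
    '{"type":"audit","event.type":"transport","event.action":"access_granted",'
    '"user.name":"kibana_system","user.realm":"reserved","user.roles":["kibana_system"],'
    '"action":"indices:data/read/search","indices":[".kibana"]}',
]


def build_audit_settings(include_events, ignore_policies):
    """Return the body for PUT _cluster/settings that selects events and
    installs ignore-filter policies (dynamic settings only)."""
    settings = {"xpack.security.audit.logfile.events.include": list(include_events)}
    prefix = "xpack.security.audit.logfile.events.ignore_filters"
    for policy_name, attributes in ignore_policies.items():
        for attribute, patterns in attributes.items():
            settings[f"{prefix}.{policy_name}.{attribute}"] = list(patterns)
    return {"persistent": settings}


def _values_match(value, patterns):
    """Assumption: a single value matches if any pattern matches it; a list
    (roles, indices) matches only if every element matches some pattern."""
    if isinstance(value, list):
        return bool(value) and all(
            any(fnmatch.fnmatchcase(v, p) for p in patterns) for v in value
        )
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_matches(policy, event):
    """A policy applies only when every attribute it specifies matches."""
    for attribute, patterns in policy.items():
        field = ATTRIBUTE_FIELDS[attribute]
        if field not in event or not _values_match(event[field], patterns):
            return False
    return True


def is_ignored(event, ignore_policies):
    return any(policy_matches(p, event) for p in ignore_policies.values())


def filter_audit_log(lines, ignore_policies):
    """Parse JSON audit lines and keep those no ignore policy suppresses."""
    kept = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if not is_ignored(event, ignore_policies):
            kept.append(event)
    return kept


def count_by_action(events):
    """Summarise surviving events by event.action (useful for triage)."""
    return dict(Counter(e.get("event.action", "unknown") for e in events))


if __name__ == "__main__":
    print(json.dumps(build_audit_settings(DEFAULT_INCLUDE, IGNORE_POLICIES), indent=2))
    kept = filter_audit_log(SAMPLE_AUDIT_LINES, IGNORE_POLICIES)
    print(count_by_action(kept))
```

The settings body printed by the script is what you would send with PUT _cluster/settings; the filtering half shows why the system-user policy matters: of the four constructed events only the authentication failure and the access denial survive, which is exactly the signal you want to keep when disk and query cost are the constraint.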