diff --git a/molecule/elasticstack_default/converge.yml b/molecule/elasticstack_default/converge.yml index f05a0686..8f6ebb22 100644 --- a/molecule/elasticstack_default/converge.yml +++ b/molecule/elasticstack_default/converge.yml @@ -31,7 +31,7 @@ - name: Enable Elastic installation on RHEL 9 ansible.builtin.set_fact: elasticstack_rpm_workaround: true - when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version >= "9" + when: ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version | int >= 9 - name: Include Elastic Repos ansible.builtin.include_role: name: oddly.elasticstack.repos diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml index 8c0e1134..1e87774b 100644 --- a/roles/beats/defaults/main.yml +++ b/roles/beats/defaults/main.yml @@ -41,6 +41,8 @@ beats_tls_key: "{{ beats_ca_dir }}/{{ inventory_hostname }}-beats.key" beats_tls_cert: "{{ beats_ca_dir }}/{{ inventory_hostname }}-beats.crt" # @var beats_tls_cacert:description: Path to the CA certificate for TLS verification beats_tls_cacert: "{{ beats_ca_dir }}/ca.crt" +# @var beats_ssl_verification_mode:description: SSL verification mode for Beats output to Elasticsearch (full, certificate, none) +beats_ssl_verification_mode: certificate # @var beats_tls_key_passphrase:description: Passphrase for the Beat TLS private key beats_tls_key_passphrase: BeatsChangeMe diff --git a/roles/beats/templates/auditbeat.yml.j2 b/roles/beats/templates/auditbeat.yml.j2 index 21883ba0..be0b1d3c 100644 --- a/roles/beats/templates/auditbeat.yml.j2 +++ b/roles/beats/templates/auditbeat.yml.j2 @@ -43,7 +43,7 @@ output.elasticsearch: username: "elastic" password: "{{ beats_writer_password.stdout }}" ssl.enabled: true - ssl.verification_mode: none + ssl.verification_mode: {{ beats_ssl_verification_mode }} ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} 
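Review bot: The numeric comparison is the right fix, but nothing on the `when:` line tells the next reader why `| int` matters, so a why-comment above the task, `# Compare as int: as a string "10" sorts below "9" and EL10 would be skipped`, would keep it from being reverted. Note that `| int` silently yields 0 for a missing or non-numeric fact, which here makes the condition false rather than raising, a safe failure worth knowing about. The task name still says "RHEL 9" while the condition now matches every major version from 9 upward, so `- name: Enable Elastic installation on RHEL 9+` would describe it. The same comparison is fixed in roles/repos/tasks/redhat.yml at the end of this diff.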
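Review bot: The default `certificate` verifies the chain against ca.crt but not the hostname, so a connection is accepted from any host holding a certificate issued by the same CA; the description should say that and say why `full` is not the default, presumably because the role-generated certificates may lack matching SANs, which I cannot confirm from here. Proposed: `# @var beats_ssl_verification_mode:description: SSL verification mode for Beats output to Elasticsearch. full (chain and hostname), certificate (chain only, no hostname check) or none (no verification, testing only)`. Nothing validates the value before it reaches the rendered templates; an `ansible.builtin.assert` in the role tasks with `that: beats_ssl_verification_mode in ['full', 'certificate', 'none']` would catch a typo with a clear message instead of a Beat config error.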
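Review bot: The templated value on the new line is unquoted, so an empty expansion renders `ssl.verification_mode:` with a null value and any other value is re-typed by the YAML parser rather than passed through as the string Beats expects; write it as `ssl.verification_mode: "{{ beats_ssl_verification_mode }}"`. The same unquoted line is added to filebeat.yml.j2 and metricbeat.yml.j2 in the next two hunks. The `{% else %}` branches of these templates are not visible here; if they also carry a hard-coded `none`, they should read the same variable. The enclosing `{% if %}` of this branch begins outside the hunk.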
diff --git a/roles/beats/templates/filebeat.yml.j2 b/roles/beats/templates/filebeat.yml.j2 index 02d89f8a..d9671134 100644 --- a/roles/beats/templates/filebeat.yml.j2 +++ b/roles/beats/templates/filebeat.yml.j2 @@ -154,7 +154,7 @@ output.elasticsearch: username: "elastic" password: "{{ beats_writer_password.stdout }}" ssl.enabled: true - ssl.verification_mode: none + ssl.verification_mode: {{ beats_ssl_verification_mode }} ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} diff --git a/roles/beats/templates/metricbeat.yml.j2 b/roles/beats/templates/metricbeat.yml.j2 index 2b69125b..54df5f3e 100644 --- a/roles/beats/templates/metricbeat.yml.j2 +++ b/roles/beats/templates/metricbeat.yml.j2 @@ -20,7 +20,7 @@ output.elasticsearch: username: "elastic" password: "{{ beats_writer_password.stdout }}" ssl.enabled: true - ssl.verification_mode: none + ssl.verification_mode: {{ beats_ssl_verification_mode }} ssl.certificate_authorities: ["/etc/beats/certs/ca.crt"] {% else %} {% if elasticstack_full_stack | bool %} diff --git a/roles/elasticsearch/defaults/main.yml b/roles/elasticsearch/defaults/main.yml index 72b37fec..b753e575 100644 --- a/roles/elasticsearch/defaults/main.yml +++ b/roles/elasticsearch/defaults/main.yml @@ -26,6 +26,8 @@ elasticsearch_logging_json_file: true elasticsearch_logging_slowlog: true # @var elasticsearch_logging_deprecation:description: Enable deprecation log appender elasticsearch_logging_deprecation: true +# @var elasticsearch_logging_audit:description: Enable security audit log appender. Only meaningful when elasticsearch_security is true +elasticsearch_logging_audit: true # @var elasticsearch_security:description: Enable Elasticsearch security features (TLS, authentication, RBAC) elasticsearch_security: true diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml index 0281683b..592a0b92 100644 
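Review bot: The description says "Enable security audit log appender", but as far as I know Elasticsearch only emits audit events when `xpack.security.audit.enabled: true` is set in elasticsearch.yml; this variable only gates the log4j2 appender (see the `{% if %}` added to log4j2.properties.j2 further down), so with the default it configures where events would go without turning auditing on. Either extend the description, `# @var elasticsearch_logging_audit:description: Render the security audit log appender in log4j2.properties. Only meaningful when elasticsearch_security is true; auditing itself is switched on by xpack.security.audit.enabled in elasticsearch.yml`, or, if the elasticsearch.yml template does not already set that option, have this variable drive it too. I cannot see the elasticsearch.yml template in this diff.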
--- a/roles/elasticsearch/tasks/elasticsearch-security.yml +++ b/roles/elasticsearch/tasks/elasticsearch-security.yml @@ -788,10 +788,15 @@ ansible.builtin.shell: > set -o pipefail; /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b > - {{ elasticstack_initial_passwords }} + {{ elasticstack_initial_passwords }}.tmp && + mv {{ elasticstack_initial_passwords }}.tmp {{ elasticstack_initial_passwords }} args: executable: /bin/bash creates: "{{ elasticstack_initial_passwords }}" + register: _setup_passwords_result + until: _setup_passwords_result.rc | default(1) == 0 + retries: 10 + delay: 15 when: inventory_hostname == elasticstack_ca_host no_log: "{{ elasticstack_no_log }}" diff --git a/roles/elasticsearch/tasks/main.yml b/roles/elasticsearch/tasks/main.yml index d7b09aa4..afa928c8 100644 --- a/roles/elasticsearch/tasks/main.yml +++ b/roles/elasticsearch/tasks/main.yml @@ -208,6 +208,7 @@ - "hostvars[item].inventory_hostname == inventory_hostname" - elasticstack_version is defined - elasticstack_version != 'latest' + - ansible_facts.packages['elasticsearch'] is defined - ansible_facts.packages['elasticsearch'][0].version is defined - elasticstack_password.stdout is defined - elasticstack_version is version( ansible_facts.packages['elasticsearch'][0].version, '>') diff --git a/roles/elasticsearch/templates/log4j2.properties.j2 b/roles/elasticsearch/templates/log4j2.properties.j2 index 93979236..b56ca7a6 100644 --- a/roles/elasticsearch/templates/log4j2.properties.j2 +++ b/roles/elasticsearch/templates/log4j2.properties.j2 @@ -170,6 +170,7 @@ logger.index_indexing_slowlog.additivity = false {% endif %} ######## Audit Log ############################################################ +{% if elasticsearch_logging_audit | bool and elasticsearch_security | bool %} appender.audit_rolling.type = RollingFile appender.audit_rolling.name = audit_rolling 
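Review bot: When every retry fails, `{{ elasticstack_initial_passwords }}.tmp` is left behind holding whatever elasticsearch-setup-passwords printed before exiting, created under the shell's default umask, and with `no_log` set nothing in the play output points at it; the failure path should remove the partial file, and an explicit `umask 077;` would keep the password file owner-only unless a later task already tightens its mode, which I cannot see here. The `.tmp` plus `mv` shape is right, since `creates:` would otherwise be satisfied by an empty or partial file on the next run, and the retry loop covers the node not yet answering. `until: _setup_passwords_result.rc | default(1) == 0` parses as `(rc | default(1)) == 0`, which is the intent, but the parentheses would make that visible. The task's `name:` line is outside the hunk.
```yaml
  ansible.builtin.shell: >
    set -o pipefail; umask 077;
    /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto -b >
    {{ elasticstack_initial_passwords }}.tmp &&
    mv {{ elasticstack_initial_passwords }}.tmp {{ elasticstack_initial_passwords }} ||
    { rm -f {{ elasticstack_initial_passwords }}.tmp; exit 1; }
  # … unchanged: args, register, until, retries, delay, when, no_log …
```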
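Review bot: The new guard stops the `[0].version` lookup from raising on a host without the package, but it still raises when `ansible_facts.packages` itself is undefined, which is the case on any host where `package_facts` has not run; either add `- ansible_facts.packages is defined` before it, or collapse the two lines into `- ansible_facts.packages['elasticsearch'] | default([]) | length > 0`. The `when:` list is AND-ed and evaluated in order, so the later `is version(...)` line is only reached once the package entry exists. The task these conditions belong to starts outside the hunk, so I cannot see where the facts are gathered.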
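Review bot: The `{% if %}` opened here is closed by the `{% endif %}` in the next hunk for this file, which lands after `logger.saml2_decrypt.level = fatal`, so everything between the two hunks, which I cannot see, is dropped when audit logging is off; the visible context at the close, the `samlxml_decrypt` and `saml2_decrypt` logger levels, is not part of the audit appender and would be lost with it. Either move the `{% endif %}` up to directly after the last audit appender and audit logger line, or confirm those logger entries are meant to be conditional. The `{% endif %}` hunk itself needs no separate note.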
@@ -203,3 +204,4 @@ logger.samlxml_decrypt.name = org.opensaml.xmlsec.encryption.support.Decrypter logger.samlxml_decrypt.level = fatal logger.saml2_decrypt.name = org.opensaml.saml.saml2.encryption.Decrypter logger.saml2_decrypt.level = fatal +{% endif %} diff --git a/roles/logstash/handlers/main.yml b/roles/logstash/handlers/main.yml index 20eb0b78..37b6f6d1 100644 --- a/roles/logstash/handlers/main.yml +++ b/roles/logstash/handlers/main.yml @@ -13,3 +13,4 @@ - not ansible_check_mode - not logstash_config_autoreload - logstash_enable | bool + - not logstash_freshstart.changed | bool diff --git a/roles/logstash/templates/90-output.conf.j2 b/roles/logstash/templates/90-output.conf.j2 index f13f5bd3..35a64577 100644 --- a/roles/logstash/templates/90-output.conf.j2 +++ b/roles/logstash/templates/90-output.conf.j2 @@ -1,13 +1,3 @@ -{% if logstash_ident | default(true) | bool %} -filter { - mutate { - add_field => { - "{{ logstash_ident_field_name | default('[logstash][instance]') }}" => "{{ ansible_facts.hostname }}" - } - } -} - -{% endif %} output { {% if logstash_output_elasticsearch | default(true) | bool %} elasticsearch { diff --git a/roles/repos/tasks/redhat.yml b/roles/repos/tasks/redhat.yml index 52b2cf33..f630cc95 100644 --- a/roles/repos/tasks/redhat.yml +++ b/roles/repos/tasks/redhat.yml @@ -10,7 +10,7 @@ - name: Workaround for EL > 8 when: - - ansible_facts.distribution_major_version >= "9" + - ansible_facts.distribution_major_version | int >= 9 block: - name: Show a warning
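Review bot: `logstash_freshstart.changed` is read without a default, so the handler fails with an undefined variable whenever it is notified in a run where the task that registers `logstash_freshstart` did not execute (skipped, a different tag selection, or a play that uses only part of the role); `- not (logstash_freshstart.changed | default(false) | bool)` keeps the intent and falls back to the previous behaviour. The filter already binds tighter than `not`, so the current line parses as `not (changed | bool)`; the parentheses only make that explicit. The handler's `name:` and the rest of its `when:` list are outside the hunk, and a comment saying why a fresh start suppresses this handler would help the next reader.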