diff --git a/x-pack/test/security_api_integration/tests/anonymous/login.ts b/x-pack/test/security_api_integration/tests/anonymous/login.ts
index 97a48b278cff2..b97067ba04e7d 100644
--- a/x-pack/test/security_api_integration/tests/anonymous/login.ts
+++ b/x-pack/test/security_api_integration/tests/anonymous/login.ts
@@ -245,7 +245,7 @@ export default function ({ getService }: FtrProviderContext) {
           .set('Cookie', sessionCookie.cookieString())
           .expect(302);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(2);
diff --git a/x-pack/test/security_api_integration/tests/audit/audit_log.ts b/x-pack/test/security_api_integration/tests/audit/audit_log.ts
index 2173b9d8e2123..8e0fcb7615c7a 100644
--- a/x-pack/test/security_api_integration/tests/audit/audit_log.ts
+++ b/x-pack/test/security_api_integration/tests/audit/audit_log.ts
@@ -25,7 +25,7 @@ export default function ({ getService }: FtrProviderContext) {
 
     it('logs audit events when reading and writing saved objects', async () => {
       await supertest.get('/audit_log?query=param').set('kbn-xsrf', 'foo').expect(204);
-      await retry.waitFor('logs event in the dest file', async () => await logFile.isNotEmpty());
+      await logFile.isWritten();
       const content = await logFile.readJSON();
 
       const httpEvent = content.find((c) => c.event.action === 'http_request');
@@ -68,7 +68,7 @@ export default function ({ getService }: FtrProviderContext) {
           params: { username, password },
         })
         .expect(200);
-      await retry.waitFor('logs event in the dest file', async () => await logFile.isNotEmpty());
+      await logFile.isWritten();
       const content = await logFile.readJSON();
 
       const loginEvent = content.find((c) => c.event.action === 'user_login');
@@ -92,7 +92,7 @@ export default function ({ getService }: FtrProviderContext) {
           params: { username, password: 'invalid_password' },
         })
         .expect(401);
-      await retry.waitFor('logs event in the dest file', async () => await logFile.isNotEmpty());
+      await logFile.isWritten();
       const content = await logFile.readJSON();
 
       const loginEvent = content.find((c) => c.event.action === 'user_login');
diff --git a/x-pack/test/security_api_integration/tests/audit/file_wrapper.ts b/x-pack/test/security_api_integration/tests/audit/file_wrapper.ts
index 6f6aef69ed406..b542ef0f8e354 100644
--- a/x-pack/test/security_api_integration/tests/audit/file_wrapper.ts
+++ b/x-pack/test/security_api_integration/tests/audit/file_wrapper.ts
@@ -9,6 +9,8 @@ import Fs from 'fs';
 import type { RetryService } from '@kbn/ftr-common-functional-services';
 
 export class FileWrapper {
+  delay = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));
+
   constructor(private readonly path: string, private readonly retry: RetryService) {}
   async reset() {
     // "touch" each file to ensure it exists and is empty before each test
@@ -32,9 +34,15 @@ export class FileWrapper {
     });
   }
   // writing in a file is an async operation. we use this method to make sure logs have been written.
-  async isNotEmpty() {
-    const content = await this.read();
-    const line = content[0];
-    return line.length > 0;
+  async isWritten() {
+    // attempt at determinism - wait for the size of the file to stop changing.
+    await this.retry.waitForWithTimeout(`file '${this.path}' to be written`, 5000, async () => {
+      const sizeBefore = Fs.statSync(this.path).size;
+      await this.delay(500);
+      const sizeAfter = Fs.statSync(this.path).size;
+      return sizeAfter === sizeBefore;
+    });
+
+    return Fs.statSync(this.path).size > 0;
   }
 }
diff --git a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts
index e73bb06f0203a..82ec3b062405c 100644
--- a/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts
+++ b/x-pack/test/security_api_integration/tests/kerberos/kerberos_login.ts
@@ -519,7 +519,7 @@ export default function ({ getService }: FtrProviderContext) {
           .set('Cookie', sessionCookie.cookieString())
           .expect(302);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(2);
@@ -545,7 +545,7 @@ export default function ({ getService }: FtrProviderContext) {
           .set('Authorization', `Negotiate ${Buffer.from('Hello').toString('base64')}`)
           .expect(401);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(1);
diff --git a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts
index 9ecdbd311a109..4c20b091f6e11 100644
--- a/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts
+++ b/x-pack/test/security_api_integration/tests/oidc/authorization_code_flow/oidc_auth.ts
@@ -714,7 +714,7 @@ export default function ({ getService }: FtrProviderContext) {
           .set('Cookie', sessionCookie.cookieString())
           .expect(302);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(2);
@@ -739,7 +739,7 @@ export default function ({ getService }: FtrProviderContext) {
           .get(`/api/security/oidc/callback?code=thisisthecode&state=someothervalue`)
           .expect(401);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(1);
diff --git a/x-pack/test/security_api_integration/tests/pki/pki_auth.ts b/x-pack/test/security_api_integration/tests/pki/pki_auth.ts
index 4303ebdf59e48..37fae88942f34 100644
--- a/x-pack/test/security_api_integration/tests/pki/pki_auth.ts
+++ b/x-pack/test/security_api_integration/tests/pki/pki_auth.ts
@@ -505,7 +505,7 @@ export default function ({ getService }: FtrProviderContext) {
           .set('Cookie', sessionCookie.cookieString())
           .expect(302);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(2);
@@ -528,7 +528,7 @@ export default function ({ getService }: FtrProviderContext) {
       it('should log authentication failure correctly', async () => {
         await supertest.get('/security/account').ca(CA_CERT).pfx(UNTRUSTED_CLIENT_CERT).expect(401);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(1);
diff --git a/x-pack/test/security_api_integration/tests/saml/saml_login.ts b/x-pack/test/security_api_integration/tests/saml/saml_login.ts
index 8358f24c5d028..66cc721512c3e 100644
--- a/x-pack/test/security_api_integration/tests/saml/saml_login.ts
+++ b/x-pack/test/security_api_integration/tests/saml/saml_login.ts
@@ -843,7 +843,7 @@ export default function ({ getService }: FtrProviderContext) {
           .set('Cookie', sessionCookie.cookieString())
           .expect(302);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(2);
@@ -881,7 +881,7 @@ export default function ({ getService }: FtrProviderContext) {
           })
           .expect(401);
 
-        await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+        await logFile.isWritten();
         const auditEvents = await logFile.readJSON();
 
         expect(auditEvents).to.have.length(1);
diff --git a/x-pack/test/security_api_integration/tests/token/audit.ts b/x-pack/test/security_api_integration/tests/token/audit.ts
index 20e539782a978..0c97fb9c3cdc4 100644
--- a/x-pack/test/security_api_integration/tests/token/audit.ts
+++ b/x-pack/test/security_api_integration/tests/token/audit.ts
@@ -53,7 +53,7 @@ export default function ({ getService }: FtrProviderContext) {
         .set('Cookie', sessionCookie.cookieString())
         .expect(302);
 
-      await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+      await logFile.isWritten();
       const auditEvents = await logFile.readJSON();
 
       expect(auditEvents).to.have.length(2);
@@ -85,7 +85,7 @@ export default function ({ getService }: FtrProviderContext) {
         })
         .expect(401);
 
-      await retry.waitFor('audit events in dest file', () => logFile.isNotEmpty());
+      await logFile.isWritten();
       const auditEvents = await logFile.readJSON();
 
       expect(auditEvents).to.have.length(1);