Audit log file does not appear in the node

In my Elasticsearch cluster (version 7.6.2 - installed using the elasticsearch.k8s.elastic.co/v1 resource) I have set xpack.security.audit.enabled to true under my nodeSets:

GET /_xpack/usage
...
    "audit" : {
      "outputs" : [
        "logfile"
      ],
      "enabled" : true
    },
...

but no <clustername>_audit.json is created under ES_HOME/logs.

However, in my ES_HOME/config/log4j2.properties file I see:

logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
appender.audit_rolling.type = Console
appender.audit_rolling.name = audit_rolling

Is the audit_rolling.type correct? Do I need any extra configuration?
Thank you.

Audit logging is a Gold license and above feature, so make sure you have the correct license level.
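
Added example, not part of the thread and not Elastic's code: a Python check that resolves which appender the audit logger in a log4j2.properties file is bound to, run against the lines quoted in the question. A log4j2 appender of type Console writes to the process's standard output rather than to a file; the second sample and its path are constructed for comparison.

```python
AUDIT_LOGGER = "org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail"

# The six lines quoted in the question.
SAMPLE_FROM_THREAD = """\
logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
appender.audit_rolling.type = Console
appender.audit_rolling.name = audit_rolling
"""

# Constructed sample (not from the thread): same logger bound to a file appender.
SAMPLE_CONSTRUCTED_FILE = """\
logger.audit.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.audit.appenderRef.audit_rolling.ref = audit_rolling
appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = /constructed/path/example_audit.json
"""

def parse_properties(text):
    """Parse key = value lines, skipping blanks and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_destinations(text, logger_name=AUDIT_LOGGER):
    """Return [(appender name, appender type, fileName or None)] for the logger."""
    props = parse_properties(text)
    # Appenders are referenced by their ".name" value, so index them by it.
    appenders = {v: k[:-len(".name")] for k, v in props.items()
                 if k.startswith("appender.") and k.count(".") == 2 and k.endswith(".name")}
    found = []
    for key, value in props.items():
        if (key.startswith("logger.") and key.count(".") == 2
                and key.endswith(".name") and value == logger_name):
            prefix = key[:-len("name")] + "appenderRef."
            for k, ref in props.items():
                if k.startswith(prefix) and k.endswith(".ref"):
                    base = appenders.get(ref)  # None if the ref is undefined
                    found.append((ref, props.get(f"{base}.type"), props.get(f"{base}.fileName")))
    return found

if __name__ == "__main__":
    print(audit_destinations(SAMPLE_FROM_THREAD))
```

A result whose type is Console and whose fileName is None means the audit events for that logger are emitted on standard output, so they would be collected from the container's log stream rather than from ES_HOME/logs.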
