Audit log file does not appear in the node

kasscharal · August 27, 2020, 8:29pm

In my Elasticsearch cluster (version 7.6.2 - installed using the elasticsearch.k8s.elastic.co/v1 resource) I have set xpack.security.audit.enabled to true under my nodeSets:

GET /_xpack/usage
...
    "audit" : {
      "outputs" : [
        "logfile"
      ],
      "enabled" : true
    },
...

but no <clustername>_audit.json is created under ES_HOME/logs.

However in my ES_HOME/config/log4j2.properties file I see:

logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
appender.audit_rolling.type = Console
appender.audit_rolling.name = audit_rolling

Is the audit_rolling.type correct? Do I need any extra configuration?
Thank you.

warkolm · August 31, 2020, 3:43am

Audit logging is a Gold license and above feature, so make sure you have the correct license level.

system · September 28, 2020, 3:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Audit log study Elasticsearch elastic-stack-security	9	2699	March 11, 2019
Audit logs on ES 7.16.3 Elasticsearch elastic-stack-security	3	461	March 14, 2022
Audit logging in elasticsearch Elasticsearch	7	467	July 23, 2020
Audit logging configuration via elasticsearch.yml Elasticsearch	2	670	October 16, 2020
Audit Logging Issue Elasticsearch	5	1673	August 15, 2017

Audit log file does not appear in the node

Related topics