Audit log file does not appear in the node

kasscharal · August 27, 2020, 8:29pm

In my Elasticsearch cluster (version 7.6.2 - installed using the elasticsearch.k8s.elastic.co/v1 resource) I have set xpack.security.audit.enabled to true under my nodeSets:

GET /_xpack/usage
...
    "audit" : {
      "outputs" : [
        "logfile"
      ],
      "enabled" : true
    },
...

but no <clustername>_audit.json is created under ES_HOME/logs.

However in my ES_HOME/config/log4j2.properties file I see:

logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
appender.audit_rolling.type = Console
appender.audit_rolling.name = audit_rolling

Is the audit_rolling.type correct? Do I need any extra configuration?
Thank you.

warkolm · August 31, 2020, 3:43am

Audit logging is a Gold license and above feature, so make sure you have the correct license level.

system · September 28, 2020, 3:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Audit logs on ES 7.16.3 Elasticsearch elastic-stack-security	3	422	March 14, 2022
Enabling audit in 6.3.0 writes to <cluster>.log not to <cluster>_access.log Elasticsearch	3	584	September 11, 2018
How to confirm audit logging is enabled Elasticsearch	4	372	June 16, 2021
Elasticsearch Auditing Files in docker container can not be found Elasticsearch docker	3	588	November 11, 2019
No audit log file in /usr/share/elasticsearch/logs directory when I opend the audit log configuration Elasticsearch	1	322	January 7, 2022

Audit log file does not appear in the node

Related Topics