Audit log file does not appear in the node

kasscharal · August 27, 2020, 8:29pm

In my Elasticsearch cluster (version 7.6.2 - installed using the elasticsearch.k8s.elastic.co/v1 resource) I have set xpack.security.audit.enabled to true under my nodeSets:

GET /_xpack/usage
...
    "audit" : {
      "outputs" : [
        "logfile"
      ],
      "enabled" : true
    },
...

but no <clustername>_audit.json is created under ES_HOME/logs.

However in my ES_HOME/config/log4j2.properties file I see:

logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
appender.audit_rolling.type = Console
appender.audit_rolling.name = audit_rolling

Is the audit_rolling.type correct? Do I need any extra configuration?
Thank you.

warkolm · August 31, 2020, 3:43am

Audit logging is a Gold license and above feature, so make sure you have the correct license level.

system · September 28, 2020, 3:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.