Audit log study

security

(Prince) #1

Hi All,

Elasticsearch 6.2.3,
I am doing a study on the audit log (<clustername>_access.log): what details are registered when an action is done.
I don't see any difference in the access or syslog logs when I change the log level of audits to debug (in ES_HOME/config/x-pack/log4j2.properties) from log level info.

May I know the behavior this exhibits?

Thanks in advance!


(Ioannis Kakavas) #2

Hi,

I'm not sure what the question is. Audit logging is configured via properties in elasticsearch.yml, not log4j2.properties. See our documentation.


(Prince) #3

Hi Ioannis Kakavas,

Elasticsearch 6.2.3
There are 2 log4j2.properties files: one in the config folder and another in config/x-pack.
The log4j2.properties file in ES_HOME/config/x-pack contains details about the audit logging and access log rolling:

```properties
appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
appender.audit_rolling.layout.type = PatternLayout
appender.audit_rolling.layout.pattern = [%d{ISO8601}] %m%n
appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access-%d{yyyy-MM-dd}.log
appender.audit_rolling.policies.type = Policies
appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_rolling.policies.time.interval = 1
appender.audit_rolling.policies.time.modulate = true

logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
```

The file contains the above details.
I tried to change
`logger.xpack_security_audit_logfile.level = info` -> `debug` to check how the output in access.log varies from the info level.
Now,

  1. May I know the purpose of this file?
  2. Should I do these changes in ES_HOME/config/log4j2.properties ?
  3. Or where do I change the audit log setting from level info to debug?

Thanks & Regards,
Elangovan


(Ioannis Kakavas) #4

Hi,

I answered your question above: you can adjust what gets logged in elasticsearch.yml. Please read our documentation: https://www.elastic.co/guide/en/x-pack/current/auditing.html#audit-log-settings. All the details are there; you don't need to change logger.xpack_security_audit_logfile.level.


(Prince) #5

Hi,

Sorry, I think I didn't put it right.

I tried to change
`logger.xpack_security_audit_logfile.level = info -> debug` to check how the output in access.log varies from the info level.

When I change the level from info to debug, I don't see any difference in the log metrics in clustername_access.log. Why?


(Ioannis Kakavas) #6

Hi,

This is not the way to control the verbosity of the audit logging as I mentioned above. You don't need to do this.


(Prince) #7

> This is not the way to control the verbosity of the audit logging as I mentioned above. You don't need to do this.

I don't understand. What do you mean by "You don't need to do this."?

If this is not the way to control the verbosity, then how can I? Or is there no verbose output in the audit log?


(Ioannis Kakavas) #8

I'm really not sure what is unclear from the answers above. I will restate that:

  • the audit logging is not configured in log4j2.properties.
  • the audit logging is configured in elasticsearch.yml.
  • we have detailed documentation on how to control what gets written in the audit log, but you need to read the documentation. I have linked to it.

I have shared the link to our documentation that describes everything and answers your questions twice already in the posts above. Once more: https://www.elastic.co/guide/en/x-pack/current/auditing.html#audit-log-settings

There is no "VERBOSE" or "DEBUG" or "TRACE" level audit logging if that's what you want. This is not how you control the audit logs, please read the docs.
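To make the point of this post concrete, here is an elasticsearch.yml fragment showing the 6.x audit settings that actually decide what ends up in <clustername>_access.log. It is an added illustration for this thread, not part of the original posts and not Elastic's own documentation; the event names are the documented audit event types, while the particular include/exclude choices are a sample configuration chosen for the example.

```yaml
# elasticsearch.yml on each node whose actions should be audited
# (added example; tune the event lists to your own policy)

xpack.security.audit.enabled: true          # the audit trail is off by default
xpack.security.audit.outputs: [ logfile ]   # write entries to <clustername>_access.log

# "Verbosity" is the set of event types you include; there is no debug/trace level.
# access_granted fires for every authorized request and is very noisy on a busy
# cluster, so it is usually included only while studying the log, as in this thread.
xpack.security.audit.logfile.events.include:
  - access_denied
  - access_granted
  - anonymous_access_denied
  - authentication_failed
  - connection_denied
  - tampered_request
  - run_as_denied
  - run_as_granted
xpack.security.audit.logfile.events.exclude: []

# Logging REST request bodies can copy credentials or document contents into the
# log file, so leave this off unless the file itself is protected accordingly.
xpack.security.audit.logfile.events.emit_request_body: false

# Prefix each entry with node identity so entries from several nodes can still be
# attributed correctly once the files are shipped to a central log store.
xpack.security.audit.logfile.prefix.emit_node_name: true
xpack.security.audit.logfile.prefix.emit_node_host_address: true
xpack.security.audit.logfile.prefix.emit_node_host_name: false
```

With this in place, the log4j2.properties logger shown earlier in the thread can stay at its shipped level of info; it only controls where the audit entries are written and how the file rolls, and, as the reply above states, there is no debug-level audit output for a higher logger level to unlock.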


(Prince) #9

Thank you very much!