Hi All,
Elasticsearch 6.2.3 ,
I am doing a study on the audit log (<clustername>_access.log) what details are registered when an action is done.
I don't see any any different in the access or syslog logs when I change the log level of audits to debug (in ES_HOME/config/x-pack/log4j2.properties) from log level info.
May I know the behavior this exhibits
Thanks in Advance..!
Hi,
I'm not sure what the question is. Audit logging is configured via properties in elasticsearch.yml, not log4j2.properties. See our documentation
Hi loannis Kakavas,
Elasticsearch 6.2.3
There are 2 log4j2.properties files. 1 in config folder and another in config/xpack.
The log4j2.properties file in ES_HOME/config/x-pack contains details about the audit logging and access log rolling.
appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
appender.audit_rolling.layout.type = PatternLayout
appender.audit_rolling.layout.pattern = [%d{ISO8601}] %m%n
appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access-%d{yyyy-MM-dd}.log
appender.audit_rolling.policies.type = Policies
appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_rolling.policies.time.interval = 1
appender.audit_rolling.policies.time.modulate = true
logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false
and the file contains the above details.
I tried to change
logger.xpack_security_audit_logfile.level = info -> debug to check how the output in access.log varies from info level.
NOW,
Thanks & Regards,
Elangovan
Hi,
I answered your question above, you can adjust what gets logged in elasticsearch.yml, please read our documentation : https://www.elastic.co/guide/en/x-pack/current/auditing.html#audit-log-settings. All the details are there, you don't need to change logger.xpack_security_audit_logfile.level.
Hi,
Sorry, I think I didn't put it right
I tried to change
`logger.xpack_security_audit_logfile.level = info -> debug` to check how the output in access.log varies from info level.
When I change the level from info to debug, I dont see any difference in the log metrics in clustername_access.log. why ?
Hi,
This is not the way to control the verbosity of the audit logging as I mentioned above. You don't need to do this.
This is not the way to control the verbosity of the audit logging as I mentioned above. You don't need to do this.
I don't understand, what do you by "You don't need to do this."
If this not the way to control the verbosity, then how can I. Or is there no verbose output in audit log?
I'm really not sure what is unclear from the answers above. I will restate that:
log4j2.properties.elasticsearch.yml.I have shared the link to our documentation that describes everything and answers your questions 2 times already in the posts above. Once more: Auditing Security Events | X-Pack for the Elastic Stack [6.2] | Elastic
There is no "VERBOSE" or "DEBUG" or "TRACE" level audit logging if that's what you want. This is not how you control the audit logs, please read the docs.
Thank you very much!..
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.