Audit log time based deletion policy not working

Hi,

I have the following policy for deleting audit logs older than 7 days in my log4j2.properties config file:

appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.json
appender.audit_rolling.layout.type = PatternLayout
appender.audit_rolling.layout.pattern = {\
               ...
                }%n

appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}-%i.json.gz
appender.audit_rolling.policies.type = Policies
appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_rolling.policies.time.interval = 1
appender.audit_rolling.policies.time.modulate = true
appender.audit_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.audit_rolling.policies.size.size = 700MB
appender.audit_rolling.strategy.type = DefaultRolloverStrategy
appender.audit_rolling.strategy.fileIndex = nomax
appender.audit_rolling.strategy.action.type = Delete
appender.audit_rolling.strategy.action.basepath = ${sys:es.logs.base_path}
appender.audit_rolling.strategy.action.condition.type = IfFileName
appender.audit_rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-*
appender.audit_rolling.strategy.action.condition.nested_condition.type = IfLastModified
appender.audit_rolling.strategy.action.condition.nested_condition.age = 7D

It seems that the rotation works correctly, but it does not delete the files every 7 days. Could someone help me with this problem?

Thanks and best regards

Hi,

You can use an ILM policy to achieve the same.

Hi, thanks for your answer.
I am referring to logs generated by Elasticsearch itself that are located in /var/log/elasticsearch, not those logs that I am ingesting.

Can you check if your files are matching the glob condition you've given?
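
One way to run the check suggested in the last reply, as an added example that is not part of the original thread: it renders the file names the posted filePattern produces and tests them against the Delete action's glob. The cluster name, the dates and the comparison glob are constructed assumptions; Python's fnmatch stands in for Log4j2's glob matching, which behaves the same for these simple patterns on files directly under basepath.

```python
import fnmatch
from datetime import date, timedelta

CLUSTER_NAME = "es-prod"  # constructed value for ${sys:es.logs.cluster_name}

# Copied from the posted config. The directory prefix is dropped because
# IfFileName matches the path relative to the action's basepath.
FILE_PATTERN = "${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}-%i.json.gz"
POSTED_GLOB = "${sys:es.logs.cluster_name}-*"
# Hypothetical alternative glob, included only for comparison.
CANDIDATE_GLOB = "${sys:es.logs.cluster_name}_audit-*"


def expand(template, cluster=CLUSTER_NAME):
    """Substitute the cluster-name lookup the way Log4j2 would at startup."""
    return template.replace("${sys:es.logs.cluster_name}", cluster)


def rolled_names(pattern, days=3, index=1, today=date(2024, 1, 10)):
    """Render the rolled file names for the last `days` days (constructed dates)."""
    names = []
    for back in range(days):
        day = today - timedelta(days=back)
        name = expand(pattern)
        # Only the %d{yyyy-MM-dd} and %i converters used on this page are handled.
        name = name.replace("%d{yyyy-MM-dd}", day.strftime("%Y-%m-%d"))
        name = name.replace("%i", str(index))
        names.append(name)
    return names


def unmatched(names, glob):
    """Return the names the Delete action's IfFileName glob would NOT select."""
    resolved = expand(glob)
    return [n for n in names if not fnmatch.fnmatchcase(n, resolved)]


if __name__ == "__main__":
    names = rolled_names(FILE_PATTERN)
    for label, glob in (("posted", POSTED_GLOB), ("candidate", CANDIDATE_GLOB)):
        missed = unmatched(names, glob)
        print(f"{label} glob {expand(glob)!r}: {len(names) - len(missed)}"
              f" of {len(names)} rolled files matched")
        for name in missed:
            print(f"  never selected for deletion: {name}")
```

Any file listed as never selected is skipped by the Delete action regardless of its age, because the nested IfLastModified condition is only evaluated for names the glob accepts.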
