Audit Logging Issue

Hi,

I made an entry in the elasticsearch.yml file:
xpack.security.audit.enabled: true

After this I am able to see the logs in elasticsearch_access.log.

Again I edited the elasticsearch.yml file and made the following entry to log the index to a particular log file:
xpack.security.audit.enabled: true
xpack.security.audit.outputs: [ aircel-db, airceldblogger_access.log ]

Now Elasticsearch itself is not starting; it is crashing with the following error:

[2017-07-05T15:38:37,233][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [] fatal error in thread [main], exiting
java.lang.Error: security initialization failed
        at org.elasticsearch.xpack.XPackPlugin.createComponents(XPackPlugin.java:266) ~[?:?]
        at org.elasticsearch.node.Node.lambda$new$7(Node.java:410) ~[elasticsearch-5.4.0.jar:5.4.0]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) ~[?:1.8.0_121]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374) ~[?:1.8.0_121]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_121]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_121]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_121]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_121]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_121]
        at org.elasticsearch.node.Node.<init>(Node.java:412) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.node.Node.<init>(Node.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Bootstrap$6.<init>(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) ~[elasticsearch-5.4.0.jar:5.4.0]

Please help me in resolving this issue. Thanks in advance.

Those are not valid options for the audit outputs setting.

From the documentation:

xpack.security.audit.outputs: [ index, logfile ]

The allowable values are literally index and logfile.
You cannot specify an index name or file name in that setting, you just specify whether you want to output your audit records to an index, a logfile, or both.

Thanks Tim for confirming.
But how should I log a particular index to a particular log file?

Eg:

xpack.security.audit.outputs: [ aircel-db, airceldblogger_access.log ]

I want to log the "aircel-db" index to the "airceldblogger_access.log" log file.

Could you please advise me on this?

It is not possible to explicitly configure X-Pack to audit to different locations based on the index - many of the audit records are not index specific.

If you want to write all audit records to a specific file then from the documentation:

Thanks Tim for the reply and suggestion.
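As an added illustration of Tim's point above that X-Pack cannot route audit records to different files per index (this is example code written for this page, not X-Pack's own, and the sample lines are constructed to approximate the 5.x `<cluster>_access.log` key=[value] layout): a small Python post-processor that reads the single audit log and splits its records by the `indices` field, keeping records that carry no index (authentication events, cluster-level actions) in a separate cluster-level bucket so nothing is silently dropped.

```python
import os
import re
from collections import defaultdict

# Constructed sample records approximating the X-Pack 5.x logfile audit
# format; node name, addresses, principals and index names are made up.
SAMPLE_AUDIT_LOG = """\
[2017-07-05T15:40:01,101] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[app_user], action=[indices:data/read/search], indices=[aircel-db], request=[SearchRequest]
[2017-07-05T15:40:02,202] [node-1] [rest] [authentication_failed] origin_address=[10.0.0.9], principal=[elastic], uri=[/_cluster/health]
[2017-07-05T15:40:03,303] [node-1] [transport] [access_denied] origin_type=[rest], origin_address=[10.0.0.9], principal=[guest], action=[indices:admin/delete], indices=[aircel-db,other-idx], request=[DeleteIndexRequest]
[2017-07-05T15:40:04,404] [node-1] [transport] [access_granted] origin_type=[rest], origin_address=[10.0.0.5], principal=[app_user], action=[indices:data/write/bulk], indices=[other-idx], request=[BulkRequest]
"""

# Header: [timestamp] [node] [layer] [event_type], then key=[value] pairs.
HEAD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<node>[^\]]*)\]\s+\[(?P<layer>[^\]]+)\]"
    r"\s+\[(?P<event>[^\]]+)\]\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=\[(.*?)\]")


def parse_audit_line(line):
    """Return a dict for one audit record, or None if the line does not match."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "node", "layer", "event")}
    rec.update(KV_RE.findall(m.group("rest")))
    # A comma-separated list of indices, or an empty list when the record
    # is not index-specific (auth failures, cluster actions, etc.).
    rec["indices"] = [i for i in rec.get("indices", "").split(",") if i]
    return rec


def route_by_index(text):
    """Bucket records by index name; index-less records go under the key None."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue  # not an audit record (e.g. a stray stack-trace line)
        if not rec["indices"]:
            buckets[None].append(rec)
        for idx in rec["indices"]:  # a multi-index request lands in each bucket
            buckets[idx].append(rec)
    return buckets


def write_routed(buckets, out_dir):
    """Write each bucket to <index>_access.log (cluster_access.log for index-less records)."""
    written = {}
    for idx, recs in buckets.items():
        path = os.path.join(out_dir, f"{idx or 'cluster'}_access.log")
        with open(path, "w") as fh:
            fh.writelines(r["raw"] + "\n" for r in recs) if False else None
            for r in recs:
                fh.write(f"[{r['ts']}] [{r['layer']}] [{r['event']}] indices={r['indices']}\n")
        written[idx] = path
    return written
```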
