Elasticsearch Auditing Files in docker container can not be found

Hey there,

I run an Elasticsearch 7.3.0 6-node cluster on three machines (one coordinating-only and one mdi-node each) via docker-compose.
I've set up security via certificates/pki.

Now I want to enable the auditing feature as described in this guide.

Therefore I set these settings in each elasticsearch service:

xpack.security.audit.enabled: "true"
xpack.security.audit.logfile.events.emit_request_body: "true"

As stated in the guide, a file with the pattern '<clustername>_audit.json' should be generated in the logs directory.

However, there is no such file on any node when I jump into my containers via docker exec (only gc files).
What am I missing here? Do I have to explicitly configure a logger for this?

Hey there,

I've talked about this issue with an experienced colleague. He told me that by default all elasticsearch events/messages, including the audit events, will be logged to the console/stdout of the container.

Can anyone confirm this information? Thanks!

Hi @apt-get_install_skil

I can confirm that Elasticsearch events and messages are logged to the console of the container. If you want to change this behaviour you have to edit the log4j2.properties file (well, I had to do this).

Hope this helps.
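Since the thread's conclusion is that, with the Docker image's stock log4j2.properties, the audit trail is written to the container's stdout alongside the server log rather than to a `<clustername>_audit.json` file, the practical question becomes how to pick the audit events out of `docker logs`. The script below is an added example and is not code from the thread or from Elastic: it treats each stdout line as one JSON object, keeps only those with `"type": "audit"`, and tolerates the non-JSON lines (JVM warnings) that the same stream carries. The sample log is constructed, and the audit field names it uses (`event.action`, `user.name`, `origin.address`, `request.body`) are an assumption about the 7.x audit layout, so check them against your own output.

```python
"""Separate Elasticsearch audit events from the rest of a container's stdout.

Added example, not from the forum thread. Assumes the 7.x Docker default where
both the server log and the security audit trail go to the console as one JSON
object per line, distinguished by the "type" field ("server" vs "audit").
"""
import json
import sys
from collections import Counter
from typing import Iterable, Iterator, List

# Constructed sample of what `docker logs es01` might emit: two server lines,
# three audit events and one non-JSON JVM line that must not break parsing.
# Field names in the audit lines are assumed, not copied from a real cluster.
SAMPLE_LOG = """\
{"type": "server", "timestamp": "2019-08-14T09:58:01,120+0000", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "docker-cluster", "node.name": "es01", "message": "started"}
{"type": "audit", "timestamp": "2019-08-14T09:58:07,301+0000", "node.name": "es01", "event.type": "rest", "event.action": "authentication_failed", "user.name": "elastic", "origin.type": "rest", "origin.address": "10.0.0.7:51244", "url.path": "/_cluster/health"}
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0
{"type": "audit", "timestamp": "2019-08-14T09:58:09,877+0000", "node.name": "es01", "event.type": "rest", "event.action": "authentication_failed", "user.name": "elastic", "origin.type": "rest", "origin.address": "10.0.0.7:51246", "url.path": "/_cluster/health"}
{"type": "audit", "timestamp": "2019-08-14T09:58:12,004+0000", "node.name": "es01", "event.type": "rest", "event.action": "authentication_success", "user.name": "kibana", "user.realm": "native", "origin.type": "rest", "origin.address": "10.0.0.5:40112", "url.path": "/_security/user/_has_privileges", "request.body": "{\\"index\\":[{\\"names\\":[\\"logs-*\\"],\\"privileges\\":[\\"read\\"]}]}"}
{"type": "server", "timestamp": "2019-08-14T09:58:15,550+0000", "level": "WARN", "component": "o.e.c.r.a.DiskThresholdMonitor", "cluster.name": "docker-cluster", "node.name": "es01", "message": "high disk watermark exceeded"}
"""


def audit_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield only the audit events; skip server log lines and non-JSON noise."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # JVM warnings, stack-trace continuations, blank lines
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or partially written line
        if event.get("type") == "audit":
            yield event


def failed_auth_by_origin(lines: Iterable[str]) -> Counter:
    """Count authentication_failed events per origin host (port stripped)."""
    counts: Counter = Counter()
    for ev in audit_events(lines):
        if ev.get("event.action") == "authentication_failed":
            host = ev.get("origin.address", "unknown").rsplit(":", 1)[0]
            counts[host] += 1
    return counts


def events_with_request_body(lines: Iterable[str]) -> List[dict]:
    """Return audit events carrying a request body.

    The body is only present when emit_request_body is true, as in the
    settings quoted in the question; it can include whatever the client sent,
    so wherever this stdout stream is shipped needs the same protection as
    an audit file would.
    """
    return [ev for ev in audit_events(lines) if "request.body" in ev]


if __name__ == "__main__":
    # Usage: docker logs es01 2>&1 | python3 audit_from_stdout.py
    # With no piped input the constructed sample above is used instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()

    for host, n in failed_auth_by_origin(log_lines).most_common():
        print(f"{n} failed authentications from {host}")
    for ev in events_with_request_body(log_lines):
        print(f"{ev['user.name']} {ev['url.path']} body={ev['request.body']}")
```

Because `docker logs` writes Elasticsearch's stdout and stderr to separate streams, pipe both (`2>&1`) so JVM warnings on stderr are handled by the same skip logic rather than ending up somewhere unexpected.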
