Our ES Docker container ran out of disk because of the security audit logs being written to file. I found this issue on GitHub (https://github.com/elastic/elasticsearch-docker/issues/78) and went to verify that our Docker image's x-pack log4j2.properties was configured to output logs to the console, and found that ours was not. I was confused by this because the GitHub repo, at multiple versions in 5.x and 6.x, shows that the log4j2.properties was configured for console output. However, the Docker image we were using (docker.elastic.co/elasticsearch/elasticsearch:6.0.0) was not configured to output security audit logs to the console but rather still to a file. We deployed the Docker version of Elasticsearch 6.0.0, 6.1.3, and 6.2.1, and all were configured to log security audit logs to file and not console. The only exception was the platinum edition, which was configured to send audit log output to console.
The question is why the platinum version of the Docker image has the console output but the default version does not. We had to disable the logging for the time being and are hoping that the indexing doesn't lose any data.
Thank you for getting back to me. The original question was "why is there a difference between the images?", mostly so I can determine if we're using the wrong image or not, based on whether the difference was intentional or not. Is there a work item I can follow that will inform me when the configuration change gets moved into the other released containers?
The "elasticsearch" container is an alias for the "elasticsearch-basic" container, which is intended for use with a basic license of X-Pack, which does not include any Security features.
The "elasticsearch-platinum" container is intended to be used with a Gold or Platinum license of X-Pack, which do include Security (with optional auditing).
We're in ongoing discussions about whether or not it is helpful to have that level of difference between the containers, but the reason for the difference is that they assume you will have different X-Pack features enabled.
With the exception of where audit logging information is output (file or console), aren't the images effectively the same once we install our own license? If so, then simply switching to the platinum edition will resolve the issue with where audit logs are output, correct? In the platinum edition, do I still need to configure the auditing system to output to "file" to get audit logs output to console, or will it still output to console regardless (a.k.a. how would I prevent it from logging to console)?