Shield cluster-access.log file

security

#1

Hello,
I was wondering if there is a way to automatically zip up the ${cluster.name}-access.log file that's generated when auditing is enabled for Shield, similar to how you can do so in the logging.yml file for the ${cluster.name}.log file. I tried using the logging.yml file and configuring a section for the -access.log file, but that just disabled logging entirely.


(Mark Walkom) #2

You should be able to do that with the following, just change the names accordingly.

Locate the following section in the logging.yml file and uncomment it (remove the # from the lines):

  #file:
    #type: extrasRollingFile
    #file: ${path.logs}/${cluster.name}.log
    #rollingPolicy: timeBased
    #rollingPolicy.FileNamePattern: ${path.logs}/${cluster.name}%d{yyyy-MM-dd}.log.gz
    #layout:
      #type: pattern
      #conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"

Then locate the section in the logging.yml that is right above it (see below) and comment it out (add # in front of each line):

  file:
    type: dailyRollingFile
    file: ${path.logs}/${cluster.name}.log
    datePattern: "'.'yyyy-MM-dd"
    layout:
      type: pattern
      conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"

Restart the node. Then, as it rolls to a new daily log file, it will compress/gzip the older log file.
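The reply above shows the change for the main cluster log; the question was about the Shield audit log, which is written by its own appender. The following logging.yml fragment is an added example, not code from the thread or from Shield's shipped configuration: it applies the same dailyRollingFile-to-extrasRollingFile swap to the audit appender. The appender name `access_log`, the logger name `shield.audit.logfile` and the `[%d{ISO8601}] %m%n` layout are taken from my recollection of Shield's default logging.yml and should be checked against the file on your own node before use.

```yaml
# Added example (not from the thread or Shield's shipped config): rotate and
# gzip Shield's audit log with the extrasRollingFile appender, keeping the
# appender name the audit logger expects so audit output does not stop.
appender:
  # Shield's default audit appender, kept here (commented out) for comparison.
  # Assumed to match the shipped logging.yml; verify on your node.
  #access_log:
  #  type: dailyRollingFile
  #  file: ${path.logs}/${cluster.name}-access.log
  #  datePattern: "'.'yyyy-MM-dd"
  #  layout:
  #    type: pattern
  #    conversionPattern: "[%d{ISO8601}] %m%n"

  # Replacement: same key (access_log), so the logger below still finds it.
  access_log:
    type: extrasRollingFile
    # Active file stays uncompressed and keeps its normal name.
    file: ${path.logs}/${cluster.name}-access.log
    rollingPolicy: timeBased
    # The .gz suffix on the pattern is what tells log4j-extras to compress
    # the previous day's file when it rolls over.
    rollingPolicy.FileNamePattern: ${path.logs}/${cluster.name}-access-%d{yyyy-MM-dd}.log.gz
    layout:
      type: pattern
      conversionPattern: "[%d{ISO8601}] %m%n"

logger:
  # Audit events are routed only to access_log; additivity false keeps them out
  # of the main cluster log. If the appender named here has no matching key
  # under "appender:", log4j has nowhere to write and the audit trail goes silent.
  shield.audit.logfile:
    level: INFO
    additivity: false
    appender: access_log
```

Two checks after restarting the node: confirm that new audit events still land in ${cluster.name}-access.log (generate one by authenticating with a bad password, for instance), and after the first midnight rollover confirm that a ${cluster.name}-access-YYYY-MM-DD.log.gz appears and that the active file was truncated rather than renamed. Because the audit log is evidence, make sure whatever retention or shipping you have for the uncompressed file also picks up the .gz files, otherwise the compressed history silently stops being collected.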


#3

Ah, thanks. I found the file, but I wasn't sure if I was supposed to comment out the dailyRollingFile or not. Thanks!
