Compress audit logs (#64472)

audit logs should be compressed when rolling over due to size based triggering policy breaching 1GB. Files are not being deleted. closes #63843
elastic · Dec 2, 2020 · 3b859f5 · 3b859f5
1 parent 894dbc7
commit 3b859f5
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 4 deletions.
diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc
@@ -33,6 +33,24 @@ xpack.security.authc.realms.kerberos.kerb1:
   remove_realm_name: false
 --------------------------------------------------
 ====
+
+[[audit-logs-are-rolled-over-and-archived-by-size]]
+.Audit logs are rolled-over and archived by size.
+[%collapsible]
+====
+*Details* +
+In addition to the existing daily rollover, the security audit logs are
+now rolled-over by disk size limit as well. Moreover, the rolled-over logs
+are also gzip compressed.
+
+*Impact* +
+The names of rolled over audit logfiles (but not the name of the current log)
+have changed.
+If you've setup automated tools to consume these files, you must configure them
+to use the new names and to possibly account for gzip archives instead of plaintext.
+The Docker build of Elasticsearch is not affected since it logs on stdout where
+rollover is not performed.
+====
 // end::notable-breaking-changes[]
 
 [[accept-default-password-removed]]
@@ -181,7 +199,7 @@ xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ]
 <1> or `false`.
 ====
 
-.A `xpack.security.transport.ssl` certificate and key are now required to enable SSL for the transport interface. 
+.A `xpack.security.transport.ssl` certificate and key are now required to enable SSL for the transport interface.
 [%collapsible]
 ====
 *Details* +

diff --git a/docs/reference/migration/migrate_8_0/transport.asciidoc b/docs/reference/migration/migrate_8_0/transport.asciidoc
@@ -3,7 +3,7 @@
 === Transport changes
 
 //tag::notable-breaking-changes[]
-.Several `tranport` settings have been replaced.
+.Several `transport` settings have been replaced.
 [%collapsible]
 ====
 *Details* +
@@ -26,4 +26,4 @@ Specifying the removed settings in `elasticsearch.yml` will result in an error
 on startup.
 ====
 
-// end::notable-breaking-changes[]
+// end::notable-breaking-changes[]
diff --git a/x-pack/plugin/core/src/main/config/log4j2.properties b/x-pack/plugin/core/src/main/config/log4j2.properties
@@ -71,11 +71,15 @@ appender.audit_rolling.layout.pattern = {\
 # "rule" name of the applied rule if the "origin.type" is "ip_filter"
 # "event.category" fixed value "elasticsearch-audit"
 
-appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.json
+appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}-%i.json.gz
 appender.audit_rolling.policies.type = Policies
 appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
 appender.audit_rolling.policies.time.interval = 1
 appender.audit_rolling.policies.time.modulate = true
+appender.audit_rolling.policies.size.type = SizeBasedTriggeringPolicy
+appender.audit_rolling.policies.size.size = 1GB
+appender.audit_rolling.strategy.type = DefaultRolloverStrategy
+appender.audit_rolling.strategy.fileIndex = nomax
 
 logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
 logger.xpack_security_audit_logfile.level = info