From 3b859f56a9589de0aa1f32f35364906847804b0a Mon Sep 17 00:00:00 2001
From: Przemyslaw Gomulka
Date: Wed, 2 Dec 2020 17:36:31 +0100
Subject: [PATCH] Compress audit logs (#64472)

audit logs should be compressed when rolling over due to size based triggering policy breaching 1GB. Files are not being deleted. closes #63843
---
 .../migration/migrate_8_0/security.asciidoc | 20 ++++++++++++++++++-
 .../migration/migrate_8_0/transport.asciidoc | 4 ++--
 .../core/src/main/config/log4j2.properties | 6 +++++-
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/docs/reference/migration/migrate_8_0/security.asciidoc b/docs/reference/migration/migrate_8_0/security.asciidoc
index e81f0dab5ded5..0870788308d96 100644
--- a/docs/reference/migration/migrate_8_0/security.asciidoc
+++ b/docs/reference/migration/migrate_8_0/security.asciidoc
@@ -33,6 +33,24 @@ xpack.security.authc.realms.kerberos.kerb1:
 remove_realm_name: false
 --------------------------------------------------
 ====
+
+[[audit-logs-are-rolled-over-and-archived-by-size]]
+.Audit logs are rolled-over and archived by size.
+[%collapsible]
+====
+*Details* +
+In addition to the existing daily rollover, the security audit logs are
+now rolled-over by disk size limit as well. Moreover, the rolled-over logs
+are also gzip compressed.
+
+*Impact* +
+The names of rolled over audit logfiles (but not the name of the current log)
+have changed.
+If you've setup automated tools to consume these files, you must configure them
+to use the new names and to possibly account for gzip archives instead of plaintext.
+The Docker build of Elasticsearch is not affected since it logs on stdout where
+rollover is not performed.
+====
 // end::notable-breaking-changes[]
 
 [[accept-default-password-removed]]
@@ -181,7 +199,7 @@ xpack.security.http.ssl.certificate_authorities: [ "corporate-ca.crt" ] <1>
 or `false`.
 ====
 
-.A `xpack.security.transport.ssl` certificate and key are now required to enable SSL for the transport interface.
+.A `xpack.security.transport.ssl` certificate and key are now required to enable SSL for the transport interface.
 [%collapsible]
 ====
 *Details* +
diff --git a/docs/reference/migration/migrate_8_0/transport.asciidoc b/docs/reference/migration/migrate_8_0/transport.asciidoc
index 2ef1c3527977c..39875059fb9c9 100644
--- a/docs/reference/migration/migrate_8_0/transport.asciidoc
+++ b/docs/reference/migration/migrate_8_0/transport.asciidoc
@@ -3,7 +3,7 @@
 === Transport changes
 
 //tag::notable-breaking-changes[]
-.Several `tranport` settings have been replaced.
+.Several `transport` settings have been replaced.
 [%collapsible]
 ====
 *Details* +
@@ -26,4 +26,4 @@
 Specifying the removed settings in `elasticsearch.yml` will result in an error on startup.
 ====
-// end::notable-breaking-changes[]
\ No newline at end of file
+// end::notable-breaking-changes[]
diff --git a/x-pack/plugin/core/src/main/config/log4j2.properties b/x-pack/plugin/core/src/main/config/log4j2.properties
index e44a08ae6f475..1ffd8709585c4 100644
--- a/x-pack/plugin/core/src/main/config/log4j2.properties
+++ b/x-pack/plugin/core/src/main/config/log4j2.properties
@@ -71,11 +71,15 @@ appender.audit_rolling.layout.pattern = {\
 # "rule" name of the applied rule if the "origin.type" is "ip_filter"
 # "event.category" fixed value "elasticsearch-audit"
 
-appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.json
+appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}-%i.json.gz
 appender.audit_rolling.policies.type = Policies
 appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
 appender.audit_rolling.policies.time.interval = 1
 appender.audit_rolling.policies.time.modulate = true
+appender.audit_rolling.policies.size.type = SizeBasedTriggeringPolicy
+appender.audit_rolling.policies.size.size = 1GB
+appender.audit_rolling.strategy.type = DefaultRolloverStrategy
+appender.audit_rolling.strategy.fileIndex = nomax
 
 logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
 logger.xpack_security_audit_logfile.level = info
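Review bot: The added `appender.audit_rolling.strategy.fileIndex = nomax` line, with no `Delete` action configured under the strategy, leaves every rolled-over `_audit-*.json.gz` archive on disk indefinitely; the commit message says this is intentional, but nothing in the properties file records it, so the next person tuning this appender will read it as a forgotten retention setting. A comment above the strategy lines would capture the intent: `# Rolled-over audit archives are kept indefinitely (fileIndex = nomax, no Delete action);` / `# retention and disk-space monitoring for *_audit-*.json.gz must be handled outside log4j.` Because rollover now also fires at `1GB`, a busy cluster can fill its log volume sooner than with the daily-only rollover, and an exhausted disk means audit events can no longer be recorded, which is a gap in the audit trail that operators should know to monitor. Whether the gzip step for a 1GB file runs on the logging thread or in the background is not visible in this hunk, so its effect on audit write latency should be confirmed against the DefaultRolloverStrategy behaviour of the bundled Log4j version.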