The index based audit trail loses data on a rolling upgrade because the component doesn't start until the template for the audit trail is upgraded to the newest version and that doesn't happen until a node with the new code is elected the master. I feel like we should document this somewhere or fix it.
I feel like we should document this somewhere or fix it.
I agree that this is not ideal, but this has been the behavior for a long time and is also part of why we plan to remove this feature and recommend filebeat (#29881).
The index output type should be used in conjunction with the logfile output type. Because it is possible for the index output type to lose messages if the target index is unavailable, the access.log should be used as the official record of events.
We could make that statement a bit more generic as there are other cases where audit events can be lost.