
Not able to redirect audit logs to different file #353

Open
The-Yoda opened this issue May 6, 2018 · 4 comments

Comments

@The-Yoda
Contributor

commented May 6, 2018

I tried to add the configuration mentioned here. The logs are still getting printed in the actual log instead of the new file.

Here is the configuration I have:

#Plugin readonly rest separate access logging file definition
appender.access_log_rolling.type = RollingFile
appender.access_log_rolling.name = access_log_rolling
appender.access_log_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
appender.access_log_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n
appender.access_log_rolling.layout.type = PatternLayout
appender.access_log_rolling.filePattern = ${sys:es.logs}_access-%d{yyyy-MM-dd}.log
appender.access_log_rolling.policies.type = Policies
appender.access_log_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.access_log_rolling.policies.time.interval = 1
appender.access_log_rolling.policies.time.modulate = true

logger.access_log_rolling.name = org.elasticsearch.plugin.readonlyrest.acl
logger.access_log_rolling.level = info
logger.access_log_rolling.appenderRef.access_log_rolling.ref = access_log_rolling
logger.access_log_rolling.additivity = false

I even tried with logger.access_log_rolling.name = tech.beshu.ror.acl.ACL. No luck.

Elasticsearch version: 6.2.3

A similar issue is reported here as well.

Anything I'm missing here?

@bradvido

commented May 24, 2018

Same issue here with the same config on 6.2.4.

@ghost

commented Jun 7, 2018

Hi @The-Yoda, @bradvido,
I tested the configuration on Elasticsearch 6.2.4, appending these lines to the log4j2.properties file in {ES_HOME}/config:

#Plugin readonly rest separate access logging file definition
appender.access_log_rolling.type = RollingFile
appender.access_log_rolling.name = access_log_rolling
appender.access_log_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
appender.access_log_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n
appender.access_log_rolling.layout.type = PatternLayout
appender.access_log_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access-%d{yyyy-MM-dd}.log
appender.access_log_rolling.policies.type = Policies
appender.access_log_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.access_log_rolling.policies.time.interval = 1
appender.access_log_rolling.policies.time.modulate = true

logger.access_log_rolling.name = tech.beshu.ror.acl
logger.access_log_rolling.level = debug
logger.access_log_rolling.appenderRef.access_log_rolling.ref = access_log_rolling
logger.access_log_rolling.additivity = false

# exclude kibana, beat and logstash users as they generate too much noise
logger.access_log_rolling.filter.regex.type = RegexFilter
logger.access_log_rolling.filter.regex.regex = .*USR:(kibana|beat|logstash),.*
logger.access_log_rolling.filter.regex.onMatch = DENY
logger.access_log_rolling.filter.regex.onMisMatch = ACCEPT

and it works: the *_access.log file is created:

nugusbayevkk@computer:~/Documents/DEV/demo/eventlogger/elasticsearch-6.2.4-1$ ls -l ../logs/elasticsearch/node1/
total 684
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk 281757 Мау  1 00:00 dev-eventlogger-2018-05-31-1.log.gz
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk 308244 Мау  3 23:04 dev-eventlogger-2018-06-01-1.log.gz
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk   2224 Мау  4 10:10 dev-eventlogger-2018-06-03-1.log.gz
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk  11434 Мау  5 11:57 dev-eventlogger-2018-06-04-1.log.gz
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk    433 Мау  7 10:57 dev-eventlogger-2018-06-05-1.log.gz
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk    135 Мау  7 18:15 dev-eventlogger_access.log
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk   2618 Мау  4 14:08 dev-eventlogger_deprecation.log
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk      0 Мам 31 10:33 dev-eventlogger_index_indexing_slowlog.log
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk      0 Мам 31 10:33 dev-eventlogger_index_search_slowlog.log
-rw-rw-r-- 1 nugusbayevkk nugusbayevkk  73149 Мау  7 18:15 dev-eventlogger.log
nugusbayevkk@computer:~/Documents/DEV/demo/eventlogger/elasticsearch-6.2.4-1$ tail -f ../logs/elasticsearch/node1/dev-eventlogger_access.log 
[2018-06-07T18:15:21,879][INFO ][tech.beshu.ror.acl.ACL   ] ADDING BLOCK:	{ name: 'Accept all requests from localhost', policy: ALLOW}
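
As an added example (not code from this thread or from ReadonlyREST): a small Python checker that reads a log4j2.properties logger block and tests it against the logger categories actually seen in the main Elasticsearch log, showing why the first config's logger name captures nothing while the corrected name does, and how the RegexFilter decides which formatted messages reach the access log. The config and log strings are constructed from the snippets in this thread; the category layout [time][level][category] is the one shown in the tail output above.

```python
import re
# Constructed from this thread: the first poster's logger block (its name does not match the
# category ReadonlyREST logs under) and the corrected name plus the noise-dropping RegexFilter.
POSTED_CONFIG = """
logger.access_log_rolling.name = org.elasticsearch.plugin.readonlyrest.acl
logger.access_log_rolling.appenderRef.access_log_rolling.ref = access_log_rolling
logger.access_log_rolling.additivity = false
"""
FIXED_CONFIG = POSTED_CONFIG.replace("org.elasticsearch.plugin.readonlyrest.acl", "tech.beshu.ror.acl") + """
logger.access_log_rolling.filter.regex.type = RegexFilter
logger.access_log_rolling.filter.regex.regex = .*USR:(kibana|beat|logstash),.*
logger.access_log_rolling.filter.regex.onMatch = DENY
logger.access_log_rolling.filter.regex.onMisMatch = ACCEPT
"""
# Constructed main-log line in the [time][level][category] layout, with the category seen in the thread.
MAIN_LOG = "[2018-06-07T18:15:21,879][INFO ][tech.beshu.ror.acl.ACL   ] ADDING BLOCK: { policy: ALLOW }"

def parse_properties(text):
    """Minimal log4j2.properties reader: 'key = value' lines and '#' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def log_categories(log_text):
    """Collect the logger category (third bracketed field) from each main-log line."""
    return {m.group(1).strip() for m in re.finditer(r"^\[[^\]]*\]\[[^\]]*\]\[([^\]]*)\]", log_text, re.M)}

def check_logger(props, logger_id, log_text):
    """List reasons why logger.<logger_id> would not divert the observed events; [] means it should."""
    name = props.get(f"logger.{logger_id}.name", "")
    cats = log_categories(log_text)
    problems = []
    # log4j2 loggers are hierarchical: name 'a.b' captures category 'a.b' and anything under 'a.b.'.
    if not any(c == name or c.startswith(name + ".") for c in cats):
        problems.append(f"logger name {name!r} matches none of the observed categories {sorted(cats)}")
    if props.get(f"logger.{logger_id}.additivity", "true").lower() != "false":
        problems.append("additivity is not false, so events would also reach the main log")
    return problems

def filter_accepts(props, logger_id, message):
    """Apply the logger's RegexFilter to a formatted message; log4j2 RegexFilter requires a full match."""
    prefix = f"logger.{logger_id}.filter.regex."
    if props.get(prefix + "type") != "RegexFilter":
        return True
    matched = re.fullmatch(props[prefix + "regex"], message) is not None
    return props.get(prefix + ("onMatch" if matched else "onMisMatch"), "NEUTRAL").upper() != "DENY"
```

Run check_logger against a few hundred lines of the real main log to see whether the logger name you configured actually covers the categories ReadonlyREST emits on your version.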

@bradvido

commented Jun 8, 2018

That config creates an empty *_access.log file for me. Nothing ends up in it and it's all in the main ES log file.

@ghost

commented Jun 8, 2018

Hi @bradvido,
can you share your log4j.properties, ROR conf and Elasticsearch conf files on a resource like dropmefiles.com?
