Docs for the audit logfile structured format #34584
Pinging @elastic/es-security
the `<clustername>_audit.log` file in the logs directory. To maintain
compatibility with releases prior to 6.5.0, another file `<clustername>_access.log`
is also generated next to it. They differ in the output format but the contents
are similar. For systems that had not automatically ingesting the audit file
s/systems that had not automatically ingesting/systems that are not ingesting
LGTM
the `<clustername>_access.log` file with the format for versions prior to 6.5.0.
If the backwards compatible format is not required, it should be disabled.
To do that, change its logger level to `off` in the `log4j2.properties` file
from `ES_PATH_CONF`.
I suggest changing this to something like this:
"... in the log4j2.properties file. For more information, see <<configuring-logging-levels>>."
`xpack.security.audit.logfile.emit_node_id`::
Specifies whether to include the node id as a field in each audit event.
This is available for the new format only.
Is it worth adding "that is to say, this information does not exist in the <clustername>_access.log file"?
This is available for the new format only.
Unlike <<node-name, node name>>, whose value might change if the administrator
changes the setting in the config file, the node id will persist across cluster
restarts and the administrator has no handle to change it.
The "has no handle to change it" is a bit unclear to me. Can we just say, "cannot change it"?
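An added example (not part of the PR or the Elasticsearch docs) of why a stable node id matters to whoever consumes the structured `<clustername>_audit.log`: events are correlated by `node.id`, so a node rename across a restart does not split one node's history in two. It assumes one JSON object per line with flat `node.id`, `node.name` and `event.action` keys (an assumption about the format), and the log lines below are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of the structured audit log (one JSON object per line).
# Field names node.id / node.name / event.action are assumed. The first node
# is renamed node-0 -> ingest-a across a restart but keeps its node.id; the
# last line has no node.id (emit_node_id=false, or the old access.log format).
SAMPLE_AUDIT_LOG = """\
{"type":"audit","timestamp":"2018-10-23T10:00:01,000+0000","node.id":"ZkW3x1Q","node.name":"node-0","event.action":"authentication_failed"}
{"type":"audit","timestamp":"2018-10-23T10:00:02,000+0000","node.id":"ZkW3x1Q","node.name":"node-0","event.action":"authentication_failed"}
{"type":"audit","timestamp":"2018-10-23T10:30:00,000+0000","node.id":"ZkW3x1Q","node.name":"ingest-a","event.action":"authentication_failed"}
{"type":"audit","timestamp":"2018-10-23T10:30:05,000+0000","node.id":"Q8pLm2s","node.name":"node-1","event.action":"access_granted"}
{"type":"audit","timestamp":"2018-10-23T10:31:00,000+0000","node.name":"node-2","event.action":"access_granted"}
"""


def parse_audit_events(text):
    """Parse one JSON object per line, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line must not abort ingestion
    return events


def names_per_node_id(events):
    """Map each node.id to the set of node.name values seen with it.

    Events without node.id are keyed under None rather than dropped, so a
    consumer notices when the field is missing.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev.get("node.id")].add(ev.get("node.name"))
    return dict(seen)


def count_action_by_node_id(events, action):
    """Count events with the given event.action per node.id; keying on the
    id keeps a renamed node's history in one bucket."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("event.action") == action:
            counts[ev.get("node.id")] += 1
    return dict(counts)
```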
to 6.5.0. Between the two, the contents are identical, therefore it is recommended
to disable the `<clustername>_access.log` output. For this, turn off the
logger in the `log4j2.properties` config file from `ES_PATH_CONF`. (hint: look
out for a comment in the config file).
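Review bot: "the contents are identical" here contradicts the logfile page text earlier in this review, which says the two files "differ in the output format but the contents are similar"; since the `emit_node_id` description states the node id is available for the new format only, the two outputs are not identical, so "similar" (or an explicit note that the deprecated file lacks the new fields) should be used in both places.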
This might be too much information for such a high-level introductory page. i.e. since it's covered in the linked logfile page, I think you could just cut off after the "...is also generated" sentence.
Specifies whether to include the node's host name in the local node info. The
default value is `false`.
`xpack.security.audit.logfile.emit_node_name`::
Specifies whether to include the <<node-name, node name>> as a field in each
This link fails when I build the documentation. Are you trying to link to https://www.elastic.co/guide/en/elasticsearch/reference/master/node.name.html ?
yes.
replaced with {ref}/node.name.html[node name]
`xpack.security.audit.logfile.emit_node_id`::
Specifies whether to include the node id as a field in each audit event.
This is available for the new format only.
Unlike <<node-name, node name>>, whose value might change if the administrator
This "node-name" link also fails. If you let me know what you're trying to link to, I can help fix it
replaced with {ref}/node.name.html[node name]
I've submitted some suggestions, but once those are applied or discarded (per https://help.github.com/articles/incorporating-feedback-in-your-pull-request/#applying-a-suggested-change), it LGTM
Co-Authored-By: albertzaharovits <[email protected]>
Documents the new structured logfile format for auditing that was introduced by #31931. Most changes herein are for 6.x. In 7.0 the deprecated format is gone and a follow-up PR is in order.
This is the docs part of the following work on structured logfile auditing:
#31931
#34475
It documents the format and file name changes.
This PR is geared towards the 6.x branch.
It will be followed by another PR that will completely forget
the deprecated format (and will describe this as a breaking change,
as has been suggested here #34475 (review))