elastic · pgomulka · Jan 29, 2019 · Jan 28, 2019 · Jan 28, 2019 · Jan 29, 2019
diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc
@@ -14,7 +14,7 @@ file. For more information, see
 
 `xpack.security.audit.enabled`::
 Set to `true` to enable auditing on the node. The default value is `false`.
-This puts the auditing events in a dedicated file named `<clustername>_audit.log`
+This puts the auditing events in a dedicated file named `<clustername>_audit.json`
 on each node. For more information, see <<configuring-logging-levels>>.
 
 [[event-audit-settings]]

diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc
@@ -48,7 +48,7 @@ The following is a list of the events that can be generated:
 In 6.5.0, there is a new <<audit-log-output, `logfile` audit output>> format.
 This format also brings in a few changes for audit event attributes.
 
-The new format is output to the `<clustername>_audit.log` file.
+The new format is output to the `<clustername>_audit.json` file.
 The audit entries are formatted as flat JSON documents (that is to say, no
 nested objects), one per line. Hence, the attribute names are JSON keys and they
 follow a dotted name syntax. Any attributes that lack a value (`null`) are not

diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc
@@ -3,7 +3,7 @@
 === Logfile audit output
 
 The `logfile` audit output is the default output for auditing. It writes data to
-the `<clustername>_audit.log` file in the logs directory. To maintain
+the `<clustername>_audit.json` file in the logs directory. To maintain
 compatibility with releases prior to 6.5.0, a `<clustername>_access.log` file
 is also generated. They differ in the output format but the contents
 are similar. For systems that are not ingesting the audit file for search or
@@ -43,7 +43,7 @@ by default points to the `elasticsearch.log` file.
 [[audit-log-entry-format]]
 === Log entry format
 
-The log entries in the `<clustername>_audit.log` file have the following format:
+The log entries in the `<clustername>_audit.json` file have the following format:
 
 - Each log entry is a one line JSON document and each one is printed on a separate line.
 - The fields of a log entry are ordered. However, if a field does not have a value it
@@ -100,14 +100,14 @@ audited in plain text when including the request body in audit events.
 [[logging-file]]
 You can also configure how the logfile is written in the `log4j2.properties`
 file located in `ES_PATH_CONF`. By default, audit information is appended to the
-`<clustername>_audit.log` file located in the standard Elasticsearch `logs` directory
+`<clustername>_audit.json` file located in the standard Elasticsearch `logs` directory
 (typically located at `$ES_HOME/logs`). The file rolls over on a daily basis.
 The deprecated logfile audit format (`<clustername>_access.log`) can be disabled
 from the same `log4j2.properties` file (hint: look for the comment
 instructing to set the log level to `off`). The deprecated format is a duplication
 of information that is in place to assure backwards compatibility. If you are
 not strict about the audit format it is strongly recommended to only use the
-`<clustername>_audit.log` log appender.
+`<clustername>_audit.json` log appender.
 
 [float]
 [[audit-log-ignore-policy]]

diff --git a/x-pack/docs/en/security/auditing/overview.asciidoc b/x-pack/docs/en/security/auditing/overview.asciidoc
@@ -13,5 +13,5 @@ Audit logs are **disabled** by default. To enable this functionality, you
 must set `xpack.security.audit.enabled` to `true` in `elasticsearch.yml`.
 ============================================================================
 
-The audit log persists events to a dedicated `<clustername>_audit.log` file on
+The audit log persists events to a dedicated `<clustername>_audit.json` file on
 the host's file system (on each node).
diff --git a/x-pack/docs/en/security/configuring-es.asciidoc b/x-pack/docs/en/security/configuring-es.asciidoc
@@ -131,7 +131,7 @@ and <<auditing-settings>>.
 
 .. Restart {es}.
 
-Events are logged to a dedicated `<clustername>_audit.log` file in
+Events are logged to a dedicated `<clustername>_audit.json` file in
 `ES_HOME/logs`, on each cluster node.
 --
 

diff --git a/x-pack/plugin/core/src/main/config/log4j2.properties b/x-pack/plugin/core/src/main/config/log4j2.properties
@@ -1,6 +1,6 @@
 appender.audit_rolling.type = RollingFile
 appender.audit_rolling.name = audit_rolling
-appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.log
+appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.json
 appender.audit_rolling.layout.type = PatternLayout
 appender.audit_rolling.layout.pattern = {\
                 "@timestamp":"%d{ISO8601}"\
@@ -64,7 +64,7 @@ appender.audit_rolling.layout.pattern = {\
 # "rule" name of the applied rulee if the "origin.type" is "ip_filter"
 # "event.category" fixed value "elasticsearch-audit"
 
-appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.log
+appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.json
 appender.audit_rolling.policies.type = Policies
 appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
 appender.audit_rolling.policies.time.interval = 1

diff --git a/x-pack/plugin/sql/qa/security/build.gradle b/x-pack/plugin/sql/qa/security/build.gradle
@@ -42,7 +42,7 @@ subprojects {
 
   integTestRunner {
     systemProperty 'tests.audit.logfile',
-        "${ -> integTest.nodes[0].homeDir}/logs/${ -> integTest.nodes[0].clusterName }_audit.log"
+        "${ -> integTest.nodes[0].homeDir}/logs/${ -> integTest.nodes[0].clusterName }_audit.json"
   }
 
   runqa {