Docs for the audit logfile structured format #34584
Conversation
albertzaharovits
added
>docs
|
Pinging @elastic/es-security |
| the `<clustername>_audit.log` file in the logs directory. To maintain | ||
| compatibility with releases prior to 6.5.0, another file `<clustername>_access.log` | ||
| is also generated next to it. They differ in the output format but the contents | ||
| are similar. For systems that had not automatically ingesting the audit file |
There was a problem hiding this comment.
s/systems that had not automatically ingesting/systems that are not ingesting
| the `<clustername>_access.log` file with the format for versions prior to 6.5.0. | ||
| If the backwards compatible format is not required, it should be disabled. | ||
| To do that, change its logger level to `off` in the `log4j2.properties` file | ||
| from `ES_PATH_CONF`. |
There was a problem hiding this comment.
I suggest changing this to something like this:
"... in the log4j2.properties file. For more information, see <<configuring-logging-levels>>. "
|
|
||
| `xpack.security.audit.logfile.emit_node_id`:: | ||
| Specifies whether to include the node id as a field in each audit event. | ||
| This is available for the new format only. |
There was a problem hiding this comment.
Is it worth adding "that is to say, this information does not exist in the <clustername>_access.log file"?
| This is available for the new format only. | ||
| Unlike <<node-name, node name>>, whose value might change if the administrator | ||
| changes the setting in the config file, the node id will persist across cluster | ||
| restarts and the administrator has no handle to change it. |
There was a problem hiding this comment.
The "has no handle to change it" is a bit unclear to me. Can we just say, "cannot change it"?
| to 6.5.0. Between the two, the contents are identical, therefore it is recommended | ||
| to disable the `<clustername>_access.log` output. For this, turn off the | ||
| logger in the `log4j2.properties` config file from `ES_PATH_CONF`. (hint: look | ||
| out for a comment in the config file). |
There was a problem hiding this comment.
This might be too much information for such a high-level introductory page. i.e. since it's covered in the linked logfile page, I think you could just cut off after the "...is also generated" sentence.
| Specifies whether to include the node's host name in the local node info. The | ||
| default value is `false`. | ||
| `xpack.security.audit.logfile.emit_node_name`:: | ||
| Specifies whether to include the <<node-name, node name>> as a field in each |
There was a problem hiding this comment.
This link fails when I build the documentation. Are you trying to link to https://www.elastic.co/guide/en/elasticsearch/reference/master/node.name.html ?
There was a problem hiding this comment.
replaced with {ref}/node.name.html[node name]
| `xpack.security.audit.logfile.emit_node_id`:: | ||
| Specifies whether to include the node id as a field in each audit event. | ||
| This is available for the new format only. | ||
| Unlike <<node-name, node name>>, whose value might change if the administrator |
There was a problem hiding this comment.
This "node-name" link also fails. If you let me know what you're trying to link to, I can help fix it
There was a problem hiding this comment.
replaced with {ref}/node.name.html[node name]
There was a problem hiding this comment.
I've submitted some suggestions, but once those are applied or discarded (per https://help.github.com/articles/incorporating-feedback-in-your-pull-request/#applying-a-suggested-change), it LGTM
Co-Authored-By: albertzaharovits <albert.zaharovits@gmail.com>
Co-Authored-By: albertzaharovits <albert.zaharovits@gmail.com>
Co-Authored-By: albertzaharovits <albert.zaharovits@gmail.com>
Co-Authored-By: albertzaharovits <albert.zaharovits@gmail.com>
Co-Authored-By: albertzaharovits <albert.zaharovits@gmail.com>
Documents the new structured logfile format for auditing that was introduced by #31931. Most changes herein are for 6.x . In 7.0 the deprecated format is gone and a follow-up PR is in order.
Documents the new structured logfile format for auditing that was introduced by #31931. Most changes herein are for 6.x . In 7.0 the deprecated format is gone and a follow-up PR is in order.
* 'master' of github.com:elastic/elasticsearch: Fix line length for org.elasticsearch.common.* files (elastic#34888) [ML] Extract common native process base class (elastic#34856) Refactor children aggregator into a generic ParentJoinAggregator (elastic#34845) [Style] Fix line lengths in action.admin.indices (elastic#34890) HLRC - add support for source exists API (elastic#34519) [CCR] Retry when no index shard stats can be found (elastic#34852) [Docs] audit logfile structured format (elastic#34584) [Test] Fix FullClusterRestartIT.testShrink() with copy_settings param (elastic#34853) Fix LineLength Check Suppressions: index.fielddata (elastic#34891) TEST: Stablize Minio Free Port Search (elastic#34894) Delete flaky SettingsBasedHostProviderIT test (elastic#34813) [ML] Include message in field_stats for text log files (elastic#34861) [TEST] HLRC: Expand failure messages in API checks (elastic#34838) Lowercase static final DeprecationLogger instance names (elastic#34887)
Documents the new structured logfile format for auditing that was introduced by #31931. Most changes herein are for 6.x . In 7.0 the deprecated format is gone and a follow-up PR is in order.
This is the docs part of the following work on structured logfile auditing:
#31931
#34475
It documents the format and file name changes.
This PR is geared towards the 6.x branch.
It will be followed by another one PR that will completely forget
the deprecated format (and will describe this as a breaking change,
as has been suggested here #34475 (review))