Audit log not getting

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
I am using OpenSearch version 2.11.0 on an RPM machine (Red Hat). After enabling the audit log and configuring the required audit log settings, I have executed a few queries, but I am not getting audit logs. Please let me know if I am missing anything.


I did the below configuration for the audit log in the opensearch.yml file: internal_opensearch

Configuration for the audit log in the audit.yml file: kibanaserver true true NONE NONE true

Relevant Logs or Screenshots:

Hi team,

Can you please guide me on the above query?

Hi @Ashish,

Could you please run GET _cat/indices/*auditlog* in your Dev Tools (or any convenient way for you) and share the output?


Below is the response I am getting when executing GET _cat/indices/auditlog

yellow open auditlog-2023.10.20 fQhc4-jPQDytQtnS-1GHIw 1 1 1 0 12.7kb 12.7kb
yellow open auditlog-2023.11.02 5WZifgOfS1KBWeybUgat4g 1 1 13 0 97.4kb 97.4kb
yellow open auditlog-2023.11.03 dh3_2RF4S2er_RBolGUJsw 1 1 4004 0 1.8mb 1.8mb
yellow open auditlog-2023.11.06 o2E_hK1HT8udnmcFZnaFaA 1 1 16350 0 4.5mb 4.5mb
yellow open auditlog-2023.10.27 zrjdJ9G1QqSD5a9ZqnxM_w 1 1 4 0 50.8kb 50.8kb
yellow open security-auditlog-2023.10.26 5l7ps_ujSCWkCZE2Iz49hw 1 1 2 0 32kb 32kb
yellow open auditlog-2023.10.26 FmIe2hVpSsWg-nBeylrIcg 1 1 16 0 120.6kb 120.6kb
yellow open security-auditlog-2023.10.19 XuSi47fiRDCVD2TO6jXxAQ 1 1 4 0 61kb 61kb

But my question here is where I can see this audit log file on the OpenSearch backend, meaning in which directory.

I am looking at the /var/log/opensearch directory; at this location I am unable to find any files related to the audit log.

If internal_opensearch is used, the audit logs are stored locally (same cluster) in the index named (security-)auditlog-YYYY.MM.dd. More details here: Audit logs - OpenSearch documentation

If you would like to store your audit logs in files or other different means, please check here: Audit log storage types - OpenSearch documentation

Let me know if you have any further questions.


I have used internal-opensearch, for that I am not getting, and created the index “'security-auditlog-'YYYY.MM.dd” using the below configuration in opensearch.yml: “'security-auditlog-'YYYY.MM.dd”

But I am unable to find any log file named security-auditlog-*

It is stored in indexes, not in files.

You can use log4j to get logs to files: Audit log storage types - OpenSearch documentation
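A sketch of the log4j route mentioned above, as an added example that is not part of the original thread or of the OpenSearch project's shipped configuration. It assumes an RPM install with configuration under /etc/opensearch; the appender name `audit_rolling`, the `_audit.log` file suffix and the daily rollover are illustrative choices.

```properties
# Step 1 (opensearch.yml, YAML syntax, shown here as comments):
#   plugins.security.audit.type: log4j
#   plugins.security.audit.config.log4j.logger_name: audit
#   plugins.security.audit.config.log4j.level: INFO
# With type log4j the Security plugin hands each audit event (JSON) to the
# named logger. No separate file appears unless that logger has its own
# appender; otherwise events follow the root logger's appenders.

# Step 2 (/etc/opensearch/log4j2.properties): give the "audit" logger a file.
# Appender name and file suffix below are assumptions made for this example.
appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_audit.log
appender.audit_rolling.filePattern = ${sys:opensearch.logs.base_path}${sys:file.separator}${sys:opensearch.logs.cluster_name}_audit-%d{yyyy-MM-dd}.log.gz
# Audit events are already JSON, so write the message as-is, one per line.
appender.audit_rolling.layout.type = PatternLayout
appender.audit_rolling.layout.pattern = %m%n
# Roll the file once per day.
appender.audit_rolling.policies.type = Policies
appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_rolling.policies.time.interval = 1
appender.audit_rolling.policies.time.modulate = true

# The logger name must match plugins.security.audit.config.log4j.logger_name.
logger.audit.name = audit
logger.audit.level = info
logger.audit.appenderRef.audit_rolling.ref = audit_rolling
# Keep audit events out of the main server log.
logger.audit.additivity = false
```

Settings in opensearch.yml are read at startup, so the node has to be restarted before the audit file shows up in the logs directory.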

Even using log4j, I am unable to find any audit log file.

Checking logs at the /var/log/opensearch directory.

Hi @Ashish,

Could you please share your configuration in opensearch.yml and log4j?