Audit Log not working

Audit logging is working for internal_elasticsearch but not for log4j. Logs are not written to the audit log file. Can you check below whether I am missing anything? Thanks

After enabling audit logging in elasticsearch.yml,

opendistro_security.audit.type: log4j
opendistro_security.audit.config.log4j.logger_name: es_audit
opendistro_security.audit.config.log4j.level: INFO
opendistro_security.audit.enable_rest: true
opendistro_security.audit.enable_transport: true
opendistro_security.audit.ignore_users: NONE

Tried the below option in log4j2.properties:

appender.audit_logging_rolling.type = RollingFile
appender.audit_logging_rolling.name = audit_logging_rolling
appender.audit_logging_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}es_audit.json
appender.audit_logging_rolling.layout.type = PatternLayout
appender.audit_logging_rolling.layout.type_name = audit_logging

appender.audit_logging_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}es_audit-%d{yyyy-MM-dd}-%i.json
appender.audit_logging_rolling.policies.type = Policies
appender.audit_logging_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.audit_logging_rolling.policies.size.size = 256MB
appender.audit_logging_rolling.strategy.type = DefaultRolloverStrategy
appender.audit_logging_rolling.strategy.max = 5

logger.audit_logging.name = com.amazon.opendistroforelasticsearch.security
logger.audit_logging.level = info
logger.audit_logging.appenderRef.audit_logging_rolling.ref = audit_logging_rolling
logger.audit_logging.additivity = false

@chelambarasan Did you manage to get this resolved?

I just ran a quick test using the latest ODFE version and got it working using the below config for log4j.properties:


# Declare loggers
name=LoggingConfig
appenders=a_console, a_rolling
rootLogger.level=info
rootLogger.appenderRefs=ar_console,ar_rolling
rootLogger.appenderRef.ar_console.ref=StdoutAppender
rootLogger.appenderRef.ar_rolling.ref=DailyRollingAppender

# Console logger
appender.a_console.type=Console
appender.a_console.name=StdoutAppender
appender.a_console.layout.type=PatternLayout
appender.a_console.layout.pattern=%d{ISO8601} [%t] %-5p (%F\:%L) - %m%n

# File logger
appender.a_rolling.type=RollingFile
appender.a_rolling.name=DailyRollingAppender
appender.a_rolling.layout.pattern=%d{ISO8601} [%t] %-5p (%F\:%L) - %m%n

appender.a_rolling.fileName=log4j2-sample.log
appender.a_rolling.filePattern=log4j2-sample-%d{yyyy-MM-dd}.log

appender.a_rolling.layout.type=PatternLayout
appender.a_rolling.policies.type=Policies
appender.a_rolling.policies.time.type=TimeBasedTriggeringPolicy
appender.a_rolling.policies.time.interval=1

Can you try this? If it works, you should then be able to add further configuration policies.
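
Added example (not part of either post and not the plugin's own code): a small Python check that reports which Log4j 2 logger configuration would receive audit events for the `logger_name` set in elasticsearch.yml, run over the lines quoted in the question. It assumes the plugin's log4j audit sink writes to the Log4j logger named by `opendistro_security.audit.config.log4j.logger_name`; `LOG4J2_RENAMED`, `parse_flat` and `audit_route` are hypothetical names.

```python
import re

# Constructed input: the relevant lines quoted in the question above.
ES_YML = """\
opendistro_security.audit.type: log4j
opendistro_security.audit.config.log4j.logger_name: es_audit
"""
LOG4J2 = """\
appender.audit_logging_rolling.type = RollingFile
appender.audit_logging_rolling.name = audit_logging_rolling
logger.audit_logging.name = com.amazon.opendistroforelasticsearch.security
logger.audit_logging.appenderRef.audit_logging_rolling.ref = audit_logging_rolling
logger.audit_logging.additivity = false
"""
# Hypothetical variant for comparison: logger name set to the audit logger_name.
LOG4J2_RENAMED = LOG4J2.replace(
    "com.amazon.opendistroforelasticsearch.security", "es_audit")

def parse_flat(text, sep):
    """Parse 'key<sep>value' lines, skipping blanks and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip()
    return out

def audit_route(es_yml, log4j2):
    """Return (logger config that receives audit events, declared appenders it
    references, appenderRefs with no matching appender). Additivity is not modelled."""
    target = parse_flat(es_yml, ":")["opendistro_security.audit.config.log4j.logger_name"]
    props = parse_flat(log4j2, "=")
    loggers = {v: m.group(1) for k, v in props.items()
               if (m := re.fullmatch(r"logger\.([^.]+)\.name", k))}
    # Log4j 2 uses the longest configured dotted prefix of the logger name, else root.
    name = target
    while name and name not in loggers:
        name = name.rpartition(".")[0]
    prefix = f"logger.{loggers[name]}.appenderRef." if name else "rootLogger.appenderRef."
    refs = {v for k, v in props.items() if k.startswith(prefix) and k.endswith(".ref")}
    declared = {v for k, v in props.items() if re.fullmatch(r"appender\.[^.]+\.name", k)}
    return name or "root", sorted(refs & declared), sorted(refs - declared)

if __name__ == "__main__":
    print(audit_route(ES_YML, LOG4J2))          # config from the question
    print(audit_route(ES_YML, LOG4J2_RENAMED))  # hypothetical renamed logger
```

A result of `root` with no appenders means no logger in the checked fragment matches the audit logger name, so the audit file appender is never reached for those events.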