Audit logging is working for internal_elasticsearch but not for log4j. Logs are not written to the audit log file. Can you check below whether I am missing anything? Thanks
After enabling audit logging in elasticsearch.yml:
opendistro_security.audit.type: log4j
opendistro_security.audit.config.log4j.logger_name: es_audit
opendistro_security.audit.config.log4j.level: INFO
opendistro_security.audit.enable_rest: true
opendistro_security.audit.enable_transport: true
opendistro_security.audit.ignore_users: NONE
I tried the option below in log4j2.properties:
appender.audit_logging_rolling.type = RollingFile
appender.audit_logging_rolling.name = audit_logging_rolling
appender.audit_logging_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}es_audit.json
appender.audit_logging_rolling.layout.type = PatternLayout
appender.audit_logging_rolling.layout.type_name = audit_logging
appender.audit_logging_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}es_audit-%d{yyyy-MM-dd}-%i.json
appender.audit_logging_rolling.policies.type = Policies
appender.audit_logging_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.audit_logging_rolling.policies.size.size = 256MB
appender.audit_logging_rolling.strategy.type = DefaultRolloverStrategy
appender.audit_logging_rolling.strategy.max = 5
logger.audit_logging.name = com.amazon.opendistroforelasticsearch.security
logger.audit_logging.level = info
logger.audit_logging.appenderRef.audit_logging_rolling.ref = audit_logging_rolling
logger.audit_logging.additivity = false
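
An added consistency check, not part of the original post or the plugin's code: Log4j2 routes an event by the name of the logger that emitted it, so this resolves which declared logger would handle the name set in `opendistro_security.audit.config.log4j.logger_name`. It assumes the audit sink logs under that configured name; the helper names are hypothetical and the sample settings are copied from the post.

```python
# Added example: which log4j2.properties logger handles the audit logger name?
# Assumption: the audit sink emits events under the configured logger_name.

ES_YML = """\
opendistro_security.audit.type: log4j
opendistro_security.audit.config.log4j.logger_name: es_audit
"""

LOG4J2 = """\
appender.audit_logging_rolling.name = audit_logging_rolling
logger.audit_logging.name = com.amazon.opendistroforelasticsearch.security
logger.audit_logging.appenderRef.audit_logging_rolling.ref = audit_logging_rolling
logger.audit_logging.additivity = false
"""

def parse_flat(text, sep):
    """Parse flat 'key<sep>value' lines, skipping blanks and comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip()
    return out

def declared_loggers(props):
    """Map each declared logger name to its appender refs (logger.<id>.* keys)."""
    loggers = {}
    for key, value in props.items():
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "logger" and parts[2] == "name":
            prefix = f"logger.{parts[1]}.appenderRef."
            loggers[value] = [v for k, v in props.items()
                              if k.startswith(prefix) and k.endswith(".ref")]
    return loggers

def resolve(logger_name, loggers):
    """Log4j2 hierarchy: exact name, then nearest dotted parent, else root."""
    name = logger_name
    while name:
        if name in loggers:
            return name, loggers[name]
        name = name.rpartition(".")[0]
    return "root", []  # root's own appenders are not parsed in this sketch

def audit_destination(es_yml=ES_YML, log4j2=LOG4J2):
    settings = parse_flat(es_yml, ":")
    audit_name = settings["opendistro_security.audit.config.log4j.logger_name"]
    return resolve(audit_name, declared_loggers(parse_flat(log4j2, "=")))
```

With the settings as posted, `audit_destination()` resolves `es_audit` to the root logger rather than to the logger that references `audit_logging_rolling`.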