Opensearch audit to file and index

Hello friends! I need to collect audit information simultaneously in the index and an external log file. If I write only to the index:
plugins.security.audit.type: opensearch_internal
it works fine.
But if I want to write in the log4j configuration:
plugins.security.audit.type: opensearch_internal | log4j
then data collection into the internal index stops working and the external file is not created. So not working log4j configuration only.

Help me please, does anyone have a working config for my situation?
Is it necessary to add something to the config /etc/opensearch/log4j2.properties?

My config for opensearch.yaml:
plugins.security.audit.type: opensearch_internal | log4j
plugins.security.audit.config.log4j.logger_name: auditlogger
plugins.security.audit.config.log4j.level: INFO

Config of log4j2.properties is default.

In 1.x versions I tried this configuration and it worked, but on versions 2.1-2.5 it does not.

Hi @white4spirit,

Thank you for taking the time to file a question on the OpenSearch forum.

When collecting log information using the Security Plugin, you can follow the documentation linked on the website for basic configuration (Audit log storage types - OpenSearch documentation).

I do not see anything in the documentation about using multiple audit outputs at once, but it should be possible to pipe the output from opensearch_internal into your log4j configuration. You can find some log4j documentation that may be helpful here.

Note: I see you have written opensearch_internal here; it could just be a typo, but I believe you want internal_opensearch.

1 Like

Hi @white4spirit, I’m not sure if it will help, but I see that you have entered opensearch_internal when the documentation says internal_opensearch. Audit logs - OpenSearch documentation

2 Likes
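
A pre-deployment check for the naming issue both replies point out, given here as an added example that is not part of the thread or of OpenSearch itself. It compares `plugins.security.audit.type` with the storage types listed in the audit log documentation and suggests the nearest documented name. The function names are hypothetical, and it assumes flat dotted keys as in the question; custom sink class names are out of scope.

```python
import difflib
import re
# Storage types listed in the OpenSearch "Audit log storage types" documentation.
DOCUMENTED_TYPES = ("debug", "internal_opensearch", "external_opensearch", "webhook", "log4j")
AUDIT_TYPE_KEY = "plugins.security.audit.type"

def read_flat_settings(text):
    """Parse flat 'dotted.key: value' lines (assumed layout); skip comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def suggest(token):
    """Return the documented type a token most likely stands for, or None.
    Catches reordered words (opensearch_internal) and near-miss spellings."""
    for known in DOCUMENTED_TYPES:
        if sorted(token.split("_")) == sorted(known.split("_")):
            return known
    close = difflib.get_close_matches(token, DOCUMENTED_TYPES, n=1, cutoff=0.8)
    return close[0] if close else None

def check_audit_type(text):
    """Return a list of findings for the audit type setting (empty means OK)."""
    value = read_flat_settings(text).get(AUDIT_TYPE_KEY)
    if value is None:
        return [f"{AUDIT_TYPE_KEY} is not set"]
    if value in DOCUMENTED_TYPES:
        return []
    findings = [f"'{value}' is not a documented storage type"]
    for token in re.split(r"[^A-Za-z0-9_]+", value):
        hint = suggest(token) if token and token not in DOCUMENTED_TYPES else None
        if hint:
            findings.append(f"'{token}' looks like '{hint}'")
    return findings

# Constructed sample: the three settings quoted in the question.
SAMPLE = """\
plugins.security.audit.type: opensearch_internal | log4j
plugins.security.audit.config.log4j.logger_name: auditlogger
plugins.security.audit.config.log4j.level: INFO
"""

if __name__ == "__main__":
    for finding in check_audit_type(SAMPLE):
        print(finding)
```

An empty result only means the value matches a documented name; confirming that audit events actually reach the index or log file after a restart is still a separate check.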