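# Log action execution errors for easier debugging.
# This logger has no appenderRef of its own, so its debug output is handled by
# the root logger's appenders (console and the main server log).
# NOTE(review): debug level is verbose; confirm it is wanted outside of
# troubleshooting, since it increases what ends up in the retained server log.
logger.action.name = org.elasticsearch.action
logger.action.level = debug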
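# Console appender: timestamp, level, abbreviated logger name, marker, message.
# The message is written in full here (%m); the file appenders below cap it
# with %.-10000m instead.
appender.console.type = Console
appender.console.name = console
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%m%n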
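# Main server log: <base_path>/<cluster_name>.log.
# Rolls over once a day or when the active file reaches 128MB, whichever comes
# first; archives are gzip-compressed.
appender.rolling.type = RollingFile
appender.rolling.name = rolling
appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
appender.rolling.layout.type = PatternLayout
# %.-10000m keeps only the first 10000 characters of each message.
appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n
# %i is required because a size-based policy is combined with the date pattern:
# without it, every size-triggered rollover on the same day resolves to the same
# archive name and overwrites the earlier archive, silently losing log data.
appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz
appender.rolling.policies.type = Policies
appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.rolling.policies.time.interval = 1
appender.rolling.policies.time.modulate = true
appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.rolling.policies.size.size = 128MB
appender.rolling.strategy.type = DefaultRolloverStrategy
# nomax: no upper bound on the %i counter; retention is enforced by the Delete
# action below instead.
appender.rolling.strategy.fileIndex = nomax
# Retention: on rollover, delete files under the log directory whose name
# matches <cluster_name>-* once their accumulated size exceeds 2GB.
# The glob requires a "-" directly after the cluster name, so it does not match
# the <cluster_name>_audit, _access, _deprecation or slowlog files.
appender.rolling.strategy.action.type = Delete
appender.rolling.strategy.action.basepath = ${sys:es.logs.base_path}
appender.rolling.strategy.action.condition.type = IfFileName
appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-*
appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB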
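# Root logger: events at info and above go to both the console and the main
# server log. Loggers that set additivity = false do not reach these appenders.
rootLogger.level = info
rootLogger.appenderRef.console.ref = console
rootLogger.appenderRef.rolling.ref = rolling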
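# Deprecation log: <base_path>/<cluster_name>_deprecation.log.
# Size-based rollover at 1GB into numbered (%i), gzip-compressed archives;
# the rollover strategy keeps at most 4 of them.
appender.deprecation_rolling.type = RollingFile
appender.deprecation_rolling.name = deprecation_rolling
appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log
appender.deprecation_rolling.layout.type = PatternLayout
# %.-10000m keeps only the first 10000 characters of each message.
appender.deprecation_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] %marker%.-10000m%n
appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.log.gz
appender.deprecation_rolling.policies.type = Policies
appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy
appender.deprecation_rolling.policies.size.size = 1GB
appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy
appender.deprecation_rolling.strategy.max = 4

# Route deprecation messages to their own file only; additivity = false keeps
# them out of the root logger's console and server-log appenders.
logger.deprecation.name = org.elasticsearch.deprecation
logger.deprecation.level = info
logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling
logger.deprecation.additivity = false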
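# Search slow log: <base_path>/<cluster_name>_index_search_slowlog.log.
# Daily rollover into gzip-compressed archives. There is no size policy and no
# Delete action, so archives accumulate until they are removed by other means.
# NOTE(review): slow log entries presumably carry the text of the slow query
# (capped to the first 10000 characters by %.-10000m); treat these files as
# potentially sensitive and confirm their file permissions and retention.
appender.index_search_slowlog_rolling.type = RollingFile
appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling
appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog.log
appender.index_search_slowlog_rolling.layout.type = PatternLayout
appender.index_search_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n
appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog-%d{yyyy-MM-dd}.log.gz
appender.index_search_slowlog_rolling.policies.type = Policies
appender.index_search_slowlog_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.index_search_slowlog_rolling.policies.time.interval = 1
appender.index_search_slowlog_rolling.policies.time.modulate = true

# trace means this logger filters nothing itself.
# NOTE(review): what is actually emitted is presumably decided by the slow log
# thresholds configured on the indices; confirm.
# additivity = false keeps slow log entries out of the root appenders.
logger.index_search_slowlog_rolling.name = index.search.slowlog
logger.index_search_slowlog_rolling.level = trace
logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling
logger.index_search_slowlog_rolling.additivity = false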
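# Indexing slow log: <base_path>/<cluster_name>_index_indexing_slowlog.log.
# Daily rollover into gzip-compressed archives. There is no size policy and no
# Delete action, so archives accumulate until they are removed by other means.
# NOTE(review): indexing slow log entries presumably carry part of the indexed
# document (capped to the first 10000 characters by %.-10000m); treat these
# files as potentially sensitive and confirm their file permissions and retention.
appender.index_indexing_slowlog_rolling.type = RollingFile
appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling
appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog.log
appender.index_indexing_slowlog_rolling.layout.type = PatternLayout
appender.index_indexing_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n
appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog-%d{yyyy-MM-dd}.log.gz
appender.index_indexing_slowlog_rolling.policies.type = Policies
appender.index_indexing_slowlog_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.index_indexing_slowlog_rolling.policies.time.interval = 1
appender.index_indexing_slowlog_rolling.policies.time.modulate = true

# trace means this logger filters nothing itself.
# NOTE(review): what is actually emitted is presumably decided by the slow log
# thresholds configured on the indices; confirm.
# additivity = false keeps slow log entries out of the root appenders.
logger.index_indexing_slowlog.name = index.indexing.slowlog.index
logger.index_indexing_slowlog.level = trace
logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling
logger.index_indexing_slowlog.additivity = false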
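# Structured security audit log: <base_path>/<cluster_name>_audit.log,
# one JSON object per line.
#
# Every string field is wrapped in %enc{...}{JSON}, so quotes, backslashes and
# control characters in user-influenced values (user names, URL path and query,
# request body, X-Opaque-Id, ...) are escaped and cannot break the record or
# forge additional fields or lines.
# "user.roles" and "indices" are written without %enc because they are arrays.
# NOTE(review): this assumes the producer already emits them as valid, escaped
# JSON arrays; confirm.
# %varsNotEmpty{...} emits a field only when its value is non-empty.
#
# The pattern is a single logical line built with backslash continuations.
# Its last line must be "}%n" (closing brace plus newline): a trailing backslash
# directly before a comment line would pull that comment into the pattern and
# leave the JSON object unterminated.
appender.audit_rolling.type = RollingFile
appender.audit_rolling.name = audit_rolling
appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.log
appender.audit_rolling.layout.type = PatternLayout
appender.audit_rolling.layout.pattern = {\
                "@timestamp":"%d{ISO8601}"\
                %varsNotEmpty{, "node.name":"%enc{%map{node.name}}{JSON}"}\
                %varsNotEmpty{, "node.id":"%enc{%map{node.id}}{JSON}"}\
                %varsNotEmpty{, "host.name":"%enc{%map{host.name}}{JSON}"}\
                %varsNotEmpty{, "host.ip":"%enc{%map{host.ip}}{JSON}"}\
                %varsNotEmpty{, "event.type":"%enc{%map{event.type}}{JSON}"}\
                %varsNotEmpty{, "event.action":"%enc{%map{event.action}}{JSON}"}\
                %varsNotEmpty{, "user.name":"%enc{%map{user.name}}{JSON}"}\
                %varsNotEmpty{, "user.run_by.name":"%enc{%map{user.run_by.name}}{JSON}"}\
                %varsNotEmpty{, "user.run_as.name":"%enc{%map{user.run_as.name}}{JSON}"}\
                %varsNotEmpty{, "user.realm":"%enc{%map{user.realm}}{JSON}"}\
                %varsNotEmpty{, "user.run_by.realm":"%enc{%map{user.run_by.realm}}{JSON}"}\
                %varsNotEmpty{, "user.run_as.realm":"%enc{%map{user.run_as.realm}}{JSON}"}\
                %varsNotEmpty{, "user.roles":%map{user.roles}}\
                %varsNotEmpty{, "origin.type":"%enc{%map{origin.type}}{JSON}"}\
                %varsNotEmpty{, "origin.address":"%enc{%map{origin.address}}{JSON}"}\
                %varsNotEmpty{, "realm":"%enc{%map{realm}}{JSON}"}\
                %varsNotEmpty{, "url.path":"%enc{%map{url.path}}{JSON}"}\
                %varsNotEmpty{, "url.query":"%enc{%map{url.query}}{JSON}"}\
                %varsNotEmpty{, "request.body":"%enc{%map{request.body}}{JSON}"}\
                %varsNotEmpty{, "action":"%enc{%map{action}}{JSON}"}\
                %varsNotEmpty{, "request.name":"%enc{%map{request.name}}{JSON}"}\
                %varsNotEmpty{, "indices":%map{indices}}\
                %varsNotEmpty{, "opaque_id":"%enc{%map{opaque_id}}{JSON}"}\
                %varsNotEmpty{, "transport.profile":"%enc{%map{transport.profile}}{JSON}"}\
                %varsNotEmpty{, "rule":"%enc{%map{rule}}{JSON}"}\
                %varsNotEmpty{, "event.category":"%enc{%map{event.category}}{JSON}"}\
                }%n
# "node.name" node name from the `elasticsearch.yml` settings
# "node.id" node id which should not change between cluster restarts
# "host.name" unresolved hostname of the local node
# "host.ip" the local bound ip (i.e. the ip listening for connections)
# "event.type" a received REST request is translated into one or more transport requests. This indicates which processing layer generated the event: "rest" or "transport" (internal)
# "event.action" the name of the audited event, e.g. "authentication_failed", "access_granted", "run_as_granted", etc.
# "user.name" the subject name as authenticated by a realm
# "user.run_by.name" the original authenticated subject name that is impersonating another one.
# "user.run_as.name" if this "event.action" is of a run_as type, this is the subject name to be impersonated as.
# "user.realm" the name of the realm that authenticated "user.name"
# "user.run_by.realm" the realm name of the impersonating subject ("user.run_by.name")
# "user.run_as.realm" if this "event.action" is of a run_as type, this is the realm name the impersonated user is looked up from
# "user.roles" the roles array of the user; these are the roles that are granting privileges
# "origin.type" it is "rest" if the event originates from (is in relation to) a REST request; possible other values are "transport" and "ip_filter"
# "origin.address" the remote address and port of the first network hop, i.e. a REST proxy or another cluster node
# "realm" name of a realm that has generated an "authentication_failed" or an "authentication_successful"; the subject is not yet authenticated
# "url.path" the URI component between the port and the query string; it is percent (URL) encoded
# "url.query" the URI component after the path and before the fragment; it is percent (URL) encoded
# "request.body" the content of the request body entity, JSON escaped
#                NOTE(review): request bodies can contain credentials or other sensitive data;
#                the field is expected to be populated only when
#                xpack.security.audit.logfile.events.emit_request_body is enabled — confirm before turning it on.
# "action" an action is the most granular operation that is authorized and this identifies it in a namespaced way (internal)
# "request.name" if the event is in connection to a transport message this is the name of the request class, similar to how rest requests are identified by the url path (internal)
# "indices" the array of indices that the "action" is acting upon
# "opaque_id" opaque value conveyed by the "X-Opaque-Id" request header
# "transport.profile" name of the transport profile in case this is a "connection_granted" or "connection_denied" event
# "rule" name of the applied rule if the "origin.type" is "ip_filter"
# "event.category" fixed value "elasticsearch-audit"

# Daily rollover. Archives are neither compressed nor deleted by this
# configuration, so audit retention (and disk usage) has to be managed outside
# this file.
appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.log
appender.audit_rolling.policies.type = Policies
appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.audit_rolling.policies.time.interval = 1
appender.audit_rolling.policies.time.modulate = true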
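# Deprecated plain-text audit log: <base_path>/<cluster_name>_access.log.
# Daily rollover; archives are neither compressed nor deleted by this
# configuration.
# NOTE(review): the layout writes the message as-is (%m) with no %enc encoder,
# so any escaping of user-influenced values (including line breaks) depends
# entirely on the producer; confirm before relying on this file for line-based
# parsing or alerting.
appender.deprecated_audit_rolling.type = RollingFile
appender.deprecated_audit_rolling.name = deprecated_audit_rolling
appender.deprecated_audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
appender.deprecated_audit_rolling.layout.type = PatternLayout
appender.deprecated_audit_rolling.layout.pattern = [%d{ISO8601}] %m%n
appender.deprecated_audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access-%d{yyyy-MM-dd}.log
appender.deprecated_audit_rolling.policies.type = Policies
appender.deprecated_audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.deprecated_audit_rolling.policies.time.interval = 1
appender.deprecated_audit_rolling.policies.time.modulate = true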
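# Audit trail -> <cluster_name>_audit.log only. additivity = false keeps audit
# events out of the root logger's console and server-log appenders.
# Raising this level above info would stop audit events from being written.
logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
logger.xpack_security_audit_logfile.level = info
logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
logger.xpack_security_audit_logfile.additivity = false

# Deprecated audit trail -> <cluster_name>_access.log only.
logger.xpack_security_audit_deprecated_logfile.name = org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail
# Set this to "off" instead of "info" to disable the deprecated appender.
# In the 6.x releases both the new and the previous appenders are enabled for
# logfile auditing, so every audit event is written twice while this stays at info.
logger.xpack_security_audit_deprecated_logfile.level = info
logger.xpack_security_audit_deprecated_logfile.appenderRef.deprecated_audit_rolling.ref = deprecated_audit_rolling
logger.xpack_security_audit_deprecated_logfile.additivity = false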
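# Raise the logging threshold for the XML signature and SAML decryption library
# classes: XMLSignature logs only at error and above, the two Decrypter classes
# only at fatal.
# NOTE(review): presumably this keeps library-level noise from rejected or
# malformed SAML messages out of the server log; confirm that signature and
# decryption failures are still reported elsewhere (e.g. by the calling realm),
# since they are useful signals when investigating authentication problems.
logger.xmlsig.name = org.apache.xml.security.signature.XMLSignature
logger.xmlsig.level = error
logger.samlxml_decrypt.name = org.opensaml.xmlsec.encryption.support.Decrypter
logger.samlxml_decrypt.level = fatal
logger.saml2_decrypt.name = org.opensaml.saml.saml2.encryption.Decrypter
logger.saml2_decrypt.level = fatal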