Audit log filter and marker (elastic#49145)

albertzaharovits · albertzaharovits · commit bbeb3a8b9a10 · 2019-11-15T15:45:30.000+02:00
This adds a log marker and a marker filter for the audit log. Closes elastic#47251
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
@@ -6,6 +6,11 @@
 package org.elasticsearch.xpack.security.audit.logfile;
 
 import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.Marker;
+import org.apache.logging.log4j.MarkerManager;
+import org.apache.logging.log4j.core.Filter.Result;
+import org.apache.logging.log4j.core.LoggerContext;
+import org.apache.logging.log4j.core.filter.MarkerFilter;
 import org.apache.logging.log4j.message.StringMapMessage;
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.cluster.ClusterChangedEvent;
@@ -16,6 +21,7 @@
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.MapBuilder;
 import org.elasticsearch.common.component.AbstractComponent;
+import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
@@ -33,6 +39,7 @@
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.security.user.XPackUser;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.audit.AuditLevel;
 import org.elasticsearch.xpack.security.audit.AuditTrail;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
@@ -157,6 +164,8 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,
             "indices",
             (key) -> Setting.listSetting(key, Collections.singletonList("*"), Function.identity(), Property.NodeScope, Property.Dynamic));
 
+    private static final Marker AUDIT_MARKER = MarkerManager.getMarker("org.elasticsearch.xpack.security.audit");
+
     private final Logger logger;
     private final ThreadContext threadContext;
     final EventFilterPolicyRegistry eventFilterPolicyRegistry;
@@ -172,7 +181,7 @@ public String name() {
     }
 
     public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {
-        this(settings, clusterService, LogManager.getLogger(), threadPool.getThreadContext());
+        this(settings, clusterService, LogManager.getLogger(LoggingAuditTrail.class), threadPool.getThreadContext());
     }
 
     LoggingAuditTrail(Settings settings, ClusterService clusterService, Logger logger, ThreadContext threadContext) {
@@ -214,6 +223,14 @@ public LoggingAuditTrail(Settings settings, ClusterService clusterService, Threa
             final EventFilterPolicy newPolicy = policy.orElse(new EventFilterPolicy(policyName, settings)).changeIndicesFilter(filtersList);
             this.eventFilterPolicyRegistry.set(policyName, newPolicy);
         }, (policyName, filtersList) -> EventFilterPolicy.parsePredicate(filtersList));
+        // this log filter ensures that audit events are not filtered out because of the log level
+        final LoggerContext ctx = LoggerContext.getContext(false);
+        MarkerFilter auditMarkerFilter = MarkerFilter.createFilter(AUDIT_MARKER.getName(), Result.ACCEPT, Result.NEUTRAL);
+        ctx.addFilter(auditMarkerFilter);
+        ctx.updateLoggers();
+        clusterService.getClusterSettings().addSettingsUpdateConsumer(ignored -> {
+            LogManager.getLogger(Security.class).warn("Changing log level for [" + LoggingAuditTrail.class.getName() + "] has no effect");
+        }, Collections.singletonList(Loggers.LOG_LEVEL_SETTING.getConcreteSettingForNamespace(LoggingAuditTrail.class.getName())));
     }
 
     @Override
@@ -232,7 +249,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Res
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -255,7 +272,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Str
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -277,7 +294,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportMess
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -296,7 +313,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) {
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -318,7 +335,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -336,7 +353,7 @@ public void authenticationFailed(String requestId, RestRequest request) {
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -357,7 +374,7 @@ public void authenticationFailed(String requestId, String action, TransportMessa
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -377,7 +394,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -400,7 +417,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -421,7 +438,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -447,7 +464,7 @@ public void accessGranted(String requestId, Authentication authentication, Strin
                         .withXForwardedFor(threadContext)
                         .with(authorizationInfo.asMap())
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -487,7 +504,7 @@ public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Aut
                         .with(ORIGIN_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
                         .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(remoteAddress.address()));
                 }
-                logger.info(logEntryBuilder.build());
+                logger.info(AUDIT_MARKER, logEntryBuilder.build());
             }
         }
     }
@@ -512,7 +529,7 @@ public void accessDenied(String requestId, Authentication authentication, String
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -530,7 +547,7 @@ public void tamperedRequest(String requestId, RestRequest request) {
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -551,7 +568,7 @@ public void tamperedRequest(String requestId, String action, TransportMessage me
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -574,7 +591,7 @@ public void tamperedRequest(String requestId, User user, String action, Transpor
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -593,7 +610,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -611,7 +628,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -635,7 +652,7 @@ public void runAsGranted(String requestId, Authentication authentication, String
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -660,7 +677,7 @@ public void runAsDenied(String requestId, Authentication authentication, String
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -682,7 +699,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@@ -197,7 +197,7 @@ public void init() throws Exception {
             threadContext.putHeader(AuditTrail.X_FORWARDED_FOR_HEADER,
                     randomFrom("2001:db8:85a3:8d3:1319:8a2e:370:7348", "203.0.113.195", "203.0.113.195, 70.41.3.18, 150.172.238.178"));
         }
-        logger = CapturingLogger.newCapturingLogger(Level.INFO, patternLayout);
+        logger = CapturingLogger.newCapturingLogger(randomFrom(Level.OFF, Level.FATAL, Level.ERROR, Level.WARN, Level.INFO), patternLayout);
         auditTrail = new LoggingAuditTrail(settings, clusterService, logger, threadContext);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,11 @@`
`6`	`6`	`package org.elasticsearch.xpack.security.audit.logfile;`
`7`	`7`
`8`	`8`	`import org.apache.logging.log4j.Logger;`
	`9`	`+import org.apache.logging.log4j.Marker;`
	`10`	`+import org.apache.logging.log4j.MarkerManager;`
	`11`	`+import org.apache.logging.log4j.core.Filter.Result;`
	`12`	`+import org.apache.logging.log4j.core.LoggerContext;`
	`13`	`+import org.apache.logging.log4j.core.filter.MarkerFilter;`
`9`	`14`	`import org.apache.logging.log4j.message.StringMapMessage;`
`10`	`15`	`import org.elasticsearch.action.IndicesRequest;`
`11`	`16`	`import org.elasticsearch.cluster.ClusterChangedEvent;`
`@@ -16,6 +21,7 @@`
`16`	`21`	`import org.elasticsearch.common.Strings;`
`17`	`22`	`import org.elasticsearch.common.collect.MapBuilder;`
`18`	`23`	`import org.elasticsearch.common.component.AbstractComponent;`
	`24`	`+import org.elasticsearch.common.logging.Loggers;`
`19`	`25`	`import org.elasticsearch.common.network.NetworkAddress;`
`20`	`26`	`import org.elasticsearch.common.settings.Setting;`
`21`	`27`	`import org.elasticsearch.common.settings.Setting.Property;`
`@@ -33,6 +39,7 @@`
`33`	`39`	`import org.elasticsearch.xpack.core.security.user.SystemUser;`
`34`	`40`	`import org.elasticsearch.xpack.core.security.user.User;`
`35`	`41`	`import org.elasticsearch.xpack.core.security.user.XPackUser;`
	`42`	`+import org.elasticsearch.xpack.security.Security;`
`36`	`43`	`import org.elasticsearch.xpack.security.audit.AuditLevel;`
`37`	`44`	`import org.elasticsearch.xpack.security.audit.AuditTrail;`
`38`	`45`	`import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;`
`@@ -157,6 +164,8 @@ public class LoggingAuditTrail extends AbstractComponent implements AuditTrail,`
`157`	`164`	`"indices",`
`158`	`165`	`(key) -> Setting.listSetting(key, Collections.singletonList("*"), Function.identity(), Property.NodeScope, Property.Dynamic));`
`159`	`166`
	`167`	`+ private static final Marker AUDIT_MARKER = MarkerManager.getMarker("org.elasticsearch.xpack.security.audit");`
	`168`	`+`
`160`	`169`	`private final Logger logger;`
`161`	`170`	`private final ThreadContext threadContext;`
`162`	`171`	`final EventFilterPolicyRegistry eventFilterPolicyRegistry;`
`@@ -172,7 +181,7 @@ public String name() {`
`172`	`181`	`}`
`173`	`182`
`174`	`183`	`public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {`
`175`		`- this(settings, clusterService, LogManager.getLogger(), threadPool.getThreadContext());`
	`184`	`+ this(settings, clusterService, LogManager.getLogger(LoggingAuditTrail.class), threadPool.getThreadContext());`
`176`	`185`	`}`
`177`	`186`
`178`	`187`	`LoggingAuditTrail(Settings settings, ClusterService clusterService, Logger logger, ThreadContext threadContext) {`
`@@ -214,6 +223,14 @@ public LoggingAuditTrail(Settings settings, ClusterService clusterService, Threa`
`214`	`223`	`final EventFilterPolicy newPolicy = policy.orElse(new EventFilterPolicy(policyName, settings)).changeIndicesFilter(filtersList);`
`215`	`224`	`this.eventFilterPolicyRegistry.set(policyName, newPolicy);`
`216`	`225`	`}, (policyName, filtersList) -> EventFilterPolicy.parsePredicate(filtersList));`
	`226`	`+ // this log filter ensures that audit events are not filtered out because of the log level`
	`227`	`+ final LoggerContext ctx = LoggerContext.getContext(false);`
	`228`	`+ MarkerFilter auditMarkerFilter = MarkerFilter.createFilter(AUDIT_MARKER.getName(), Result.ACCEPT, Result.NEUTRAL);`
	`229`	`+ ctx.addFilter(auditMarkerFilter);`
	`230`	`+ ctx.updateLoggers();`
	`231`	`+ clusterService.getClusterSettings().addSettingsUpdateConsumer(ignored -> {`
	`232`	`+ LogManager.getLogger(Security.class).warn("Changing log level for [" + LoggingAuditTrail.class.getName() + "] has no effect");`
	`233`	`+ }, Collections.singletonList(Loggers.LOG_LEVEL_SETTING.getConcreteSettingForNamespace(LoggingAuditTrail.class.getName())));`
`217`	`234`	`}`
`218`	`235`
`219`	`236`	`@Override`
`@@ -232,7 +249,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Res`
`232`	`249`	`.withOpaqueId(threadContext)`
`233`	`250`	`.withXForwardedFor(threadContext)`
`234`	`251`	`.build();`
`235`		`- logger.info(logEntry);`
	`252`	`+ logger.info(AUDIT_MARKER, logEntry);`
`236`	`253`	`}`
`237`	`254`	`}`
`238`	`255`
`@@ -255,7 +272,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Str`
`255`	`272`	`.withOpaqueId(threadContext)`
`256`	`273`	`.withXForwardedFor(threadContext)`
`257`	`274`	`.build();`
`258`		`- logger.info(logEntry);`
	`275`	`+ logger.info(AUDIT_MARKER, logEntry);`
`259`	`276`	`}`
`260`	`277`	`}`
`261`	`278`	`}`
`@@ -277,7 +294,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportMess`
`277`	`294`	`.withOpaqueId(threadContext)`
`278`	`295`	`.withXForwardedFor(threadContext)`
`279`	`296`	`.build();`
`280`		`- logger.info(logEntry);`
	`297`	`+ logger.info(AUDIT_MARKER, logEntry);`
`281`	`298`	`}`
`282`	`299`	`}`
`283`	`300`	`}`
`@@ -296,7 +313,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) {`
`296`	`313`	`.withOpaqueId(threadContext)`
`297`	`314`	`.withXForwardedFor(threadContext)`
`298`	`315`	`.build();`
`299`		`- logger.info(logEntry);`
	`316`	`+ logger.info(AUDIT_MARKER, logEntry);`
`300`	`317`	`}`
`301`	`318`	`}`
`302`	`319`
`@@ -318,7 +335,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St`
`318`	`335`	`.withOpaqueId(threadContext)`
`319`	`336`	`.withXForwardedFor(threadContext)`
`320`	`337`	`.build();`
`321`		`- logger.info(logEntry);`
	`338`	`+ logger.info(AUDIT_MARKER, logEntry);`
`322`	`339`	`}`
`323`	`340`	`}`
`324`	`341`	`}`
`@@ -336,7 +353,7 @@ public void authenticationFailed(String requestId, RestRequest request) {`
`336`	`353`	`.withOpaqueId(threadContext)`
`337`	`354`	`.withXForwardedFor(threadContext)`
`338`	`355`	`.build();`
`339`		`- logger.info(logEntry);`
	`356`	`+ logger.info(AUDIT_MARKER, logEntry);`
`340`	`357`	`}`
`341`	`358`	`}`
`342`	`359`
`@@ -357,7 +374,7 @@ public void authenticationFailed(String requestId, String action, TransportMessa`
`357`	`374`	`.withOpaqueId(threadContext)`
`358`	`375`	`.withXForwardedFor(threadContext)`
`359`	`376`	`.build();`
`360`		`- logger.info(logEntry);`
	`377`	`+ logger.info(AUDIT_MARKER, logEntry);`
`361`	`378`	`}`
`362`	`379`	`}`
`363`	`380`	`}`
`@@ -377,7 +394,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re`
`377`	`394`	`.withOpaqueId(threadContext)`
`378`	`395`	`.withXForwardedFor(threadContext)`
`379`	`396`	`.build();`
`380`		`- logger.info(logEntry);`
	`397`	`+ logger.info(AUDIT_MARKER, logEntry);`
`381`	`398`	`}`
`382`	`399`	`}`
`383`	`400`
`@@ -400,7 +417,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT`
`400`	`417`	`.withOpaqueId(threadContext)`
`401`	`418`	`.withXForwardedFor(threadContext)`
`402`	`419`	`.build();`
`403`		`- logger.info(logEntry);`
	`420`	`+ logger.info(AUDIT_MARKER, logEntry);`
`404`	`421`	`}`
`405`	`422`	`}`
`406`	`423`	`}`
`@@ -421,7 +438,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT`
`421`	`438`	`.withOpaqueId(threadContext)`
`422`	`439`	`.withXForwardedFor(threadContext)`
`423`	`440`	`.build();`
`424`		`- logger.info(logEntry);`
	`441`	`+ logger.info(AUDIT_MARKER, logEntry);`
`425`	`442`	`}`
`426`	`443`	`}`
`427`	`444`
`@@ -447,7 +464,7 @@ public void accessGranted(String requestId, Authentication authentication, Strin`
`447`	`464`	`.withXForwardedFor(threadContext)`
`448`	`465`	`.with(authorizationInfo.asMap())`
`449`	`466`	`.build();`
`450`		`- logger.info(logEntry);`
	`467`	`+ logger.info(AUDIT_MARKER, logEntry);`
`451`	`468`	`}`
`452`	`469`	`}`
`453`	`470`	`}`
`@@ -487,7 +504,7 @@ public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Aut`
`487`	`504`	`.with(ORIGIN_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)`
`488`	`505`	`.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(remoteAddress.address()));`
`489`	`506`	`}`
`490`		`- logger.info(logEntryBuilder.build());`
	`507`	`+ logger.info(AUDIT_MARKER, logEntryBuilder.build());`
`491`	`508`	`}`
`492`	`509`	`}`
`493`	`510`	`}`
`@@ -512,7 +529,7 @@ public void accessDenied(String requestId, Authentication authentication, String`
`512`	`529`	`.withOpaqueId(threadContext)`
`513`	`530`	`.withXForwardedFor(threadContext)`
`514`	`531`	`.build();`
`515`		`- logger.info(logEntry);`
	`532`	`+ logger.info(AUDIT_MARKER, logEntry);`
`516`	`533`	`}`
`517`	`534`	`}`
`518`	`535`	`}`
`@@ -530,7 +547,7 @@ public void tamperedRequest(String requestId, RestRequest request) {`
`530`	`547`	`.withOpaqueId(threadContext)`
`531`	`548`	`.withXForwardedFor(threadContext)`
`532`	`549`	`.build();`
`533`		`- logger.info(logEntry);`
	`550`	`+ logger.info(AUDIT_MARKER, logEntry);`
`534`	`551`	`}`
`535`	`552`	`}`
`536`	`553`
`@@ -551,7 +568,7 @@ public void tamperedRequest(String requestId, String action, TransportMessage me`
`551`	`568`	`.withOpaqueId(threadContext)`
`552`	`569`	`.withXForwardedFor(threadContext)`
`553`	`570`	`.build();`
`554`		`- logger.info(logEntry);`
	`571`	`+ logger.info(AUDIT_MARKER, logEntry);`
`555`	`572`	`}`
`556`	`573`	`}`
`557`	`574`	`}`
`@@ -574,7 +591,7 @@ public void tamperedRequest(String requestId, User user, String action, Transpor`
`574`	`591`	`.withOpaqueId(threadContext)`
`575`	`592`	`.withXForwardedFor(threadContext)`
`576`	`593`	`.build();`
`577`		`- logger.info(logEntry);`
	`594`	`+ logger.info(AUDIT_MARKER, logEntry);`
`578`	`595`	`}`
`579`	`596`	`}`
`580`	`597`	`}`
`@@ -593,7 +610,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI`
`593`	`610`	`.withOpaqueId(threadContext)`
`594`	`611`	`.withXForwardedFor(threadContext)`
`595`	`612`	`.build();`
`596`		`- logger.info(logEntry);`
	`613`	`+ logger.info(AUDIT_MARKER, logEntry);`
`597`	`614`	`}`
`598`	`615`	`}`
`599`	`616`
`@@ -611,7 +628,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp`
`611`	`628`	`.withOpaqueId(threadContext)`
`612`	`629`	`.withXForwardedFor(threadContext)`
`613`	`630`	`.build();`
`614`		`- logger.info(logEntry);`
	`631`	`+ logger.info(AUDIT_MARKER, logEntry);`
`615`	`632`	`}`
`616`	`633`	`}`
`617`	`634`
`@@ -635,7 +652,7 @@ public void runAsGranted(String requestId, Authentication authentication, String`
`635`	`652`	`.withOpaqueId(threadContext)`
`636`	`653`	`.withXForwardedFor(threadContext)`
`637`	`654`	`.build();`
`638`		`- logger.info(logEntry);`
	`655`	`+ logger.info(AUDIT_MARKER, logEntry);`
`639`	`656`	`}`
`640`	`657`	`}`
`641`	`658`	`}`
`@@ -660,7 +677,7 @@ public void runAsDenied(String requestId, Authentication authentication, String`
`660`	`677`	`.withOpaqueId(threadContext)`
`661`	`678`	`.withXForwardedFor(threadContext)`
`662`	`679`	`.build();`
`663`		`- logger.info(logEntry);`
	`680`	`+ logger.info(AUDIT_MARKER, logEntry);`
`664`	`681`	`}`
`665`	`682`	`}`
`666`	`683`	`}`
`@@ -682,7 +699,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq`
`682`	`699`	`.withOpaqueId(threadContext)`
`683`	`700`	`.withXForwardedFor(threadContext)`
`684`	`701`	`.build();`
`685`		`- logger.info(logEntry);`
	`702`	`+ logger.info(AUDIT_MARKER, logEntry);`
`686`	`703`	`}`
`687`	`704`	`}`
`688`	`705`
Original file line number	Diff line number	Diff line change
`@@ -197,7 +197,7 @@ public void init() throws Exception {`
`197`	`197`	`threadContext.putHeader(AuditTrail.X_FORWARDED_FOR_HEADER,`
`198`	`198`	`randomFrom("2001:db8:85a3:8d3:1319:8a2e:370:7348", "203.0.113.195", "203.0.113.195, 70.41.3.18, 150.172.238.178"));`
`199`	`199`	`}`
`200`		`- logger = CapturingLogger.newCapturingLogger(Level.INFO, patternLayout);`
	`200`	`+ logger = CapturingLogger.newCapturingLogger(randomFrom(Level.OFF, Level.FATAL, Level.ERROR, Level.WARN, Level.INFO), patternLayout);`
`201`	`201`	`auditTrail = new LoggingAuditTrail(settings, clusterService, logger, threadContext);`
`202`	`202`	`}`
`203`	`203`