@@ -7,11 +7,36 @@ the `<clustername>_audit.log` file in the logs directory. To maintain
compatibility with releases prior to 6.5.0, a `<clustername>_access.log` file
is also generated. They differ in the output format but the contents
are similar. For systems that are not ingesting the audit file for search or
- analytics it is strongly recommended to only keep the newer format.
- Turning off the deprecated output format can be achieved by disabling the logger
- in the `log4j2.properties` file (hint: there is a config comment
- about it).
- For more information, see {ref}/logging.html#configuring-logging-levels[configuring-logging].
+ analytics it is strongly recommended to keep only the newer format.
+
+ To turn off the deprecated output format, you can disable the logger in the
+ `log4j2.properties` file:
+
+ [source, properties]
+ --------------------------------------------------
+ # change info to off
+ # logger.xpack_security_audit_deprecated_logfile.level = info
+ logger.xpack_security_audit_deprecated_logfile.level = off
+ --------------------------------------------------
+
+ Alternatively, use the
+ {ref}/cluster-update-settings.html[cluster update settings API] to dynamically
+ configure the logger:
+
+ [source,js]
+ --------------------------------------------------
+ PUT /_cluster/settings
+ {
+ "persistent": {
+ "logger.org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail": "off"
+ }
+ }
+ --------------------------------------------------
+ // CONSOLE
+
+ NOTE: If you overwrite the `log4j2.properties` and do not specify appenders for
+ any of the audit trails, audit events are forwarded to the root appender, which
+ by default points to the `elasticsearch.log` file.
[float]
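Review bot: the two snippets in this hunk address the deprecated audit logger by different names, `logger.xpack_security_audit_deprecated_logfile.level` in the `log4j2.properties` example and `logger.org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail` in the cluster settings request, and nothing tells the reader how they relate; add one sentence saying that the properties-file key is the logger id used in the shipped `log4j2.properties` while the settings API takes the logger's full name, so that neither value gets pasted into the wrong place. The removed line `For more information, see {ref}/logging.html#configuring-logging-levels[configuring-logging].` was the only pointer to the general logging-levels documentation, and the new text offers no replacement; consider keeping it after the new `NOTE`. In that `NOTE`, it is worth spelling out the consequence of the fallback: audit events that reach the root appender end up in `elasticsearch.log`, subject to that file's rotation, retention and file permissions rather than those of the audit log, which is exactly the situation an operator disabling the old format should check for.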