status = error appender.console.type = Console appender.console.name = console appender.console.layout.type = PatternLayout appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%consoleException%n ######## Server JSON ############################ appender.rolling.type = RollingFile appender.rolling.name = rolling appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_server.json appender.rolling.layout.type = ECSJsonLayout appender.rolling.layout.dataset = elasticsearch.server appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.json.gz appender.rolling.policies.type = Policies appender.rolling.policies.time.type = TimeBasedTriggeringPolicy appender.rolling.policies.time.interval = 1 appender.rolling.policies.time.modulate = true appender.rolling.policies.size.type = SizeBasedTriggeringPolicy appender.rolling.policies.size.size = 128MB appender.rolling.strategy.type = DefaultRolloverStrategy appender.rolling.strategy.fileIndex = nomax appender.rolling.strategy.action.type = Delete appender.rolling.strategy.action.basepath = ${sys:es.logs.base_path} appender.rolling.strategy.action.condition.type = IfFileName appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-* appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB ################################################ ######## Server - old style pattern ########### appender.rolling_old.type = RollingFile appender.rolling_old.name = rolling_old appender.rolling_old.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log appender.rolling_old.layout.type = PatternLayout appender.rolling_old.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n appender.rolling_old.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz appender.rolling_old.policies.type = Policies appender.rolling_old.policies.time.type = TimeBasedTriggeringPolicy appender.rolling_old.policies.time.interval = 1 appender.rolling_old.policies.time.modulate = true appender.rolling_old.policies.size.type = SizeBasedTriggeringPolicy appender.rolling_old.policies.size.size = 128MB appender.rolling_old.strategy.type = DefaultRolloverStrategy appender.rolling_old.strategy.fileIndex = nomax appender.rolling_old.strategy.action.type = Delete appender.rolling_old.strategy.action.basepath = ${sys:es.logs.base_path} appender.rolling_old.strategy.action.condition.type = IfFileName appender.rolling_old.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-* appender.rolling_old.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize appender.rolling_old.strategy.action.condition.nested_condition.exceeds = 2GB ################################################ rootLogger.level = info rootLogger.appenderRef.console.ref = console rootLogger.appenderRef.rolling.ref = rolling rootLogger.appenderRef.rolling_old.ref = rolling_old ######## Deprecation JSON ####################### appender.deprecation_rolling.type = RollingFile appender.deprecation_rolling.name = deprecation_rolling appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.json appender.deprecation_rolling.layout.type = ECSJsonLayout # Intentionally follows a different pattern to above appender.deprecation_rolling.layout.dataset = deprecation.elasticsearch appender.deprecation_rolling.filter.rate_limit.type = RateLimitingFilter appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.json.gz appender.deprecation_rolling.policies.type = Policies appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy appender.deprecation_rolling.policies.size.size = 1GB appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy appender.deprecation_rolling.strategy.max = 4 appender.header_warning.type = HeaderWarningAppender appender.header_warning.name = header_warning ################################################# logger.deprecation.name = org.elasticsearch.deprecation logger.deprecation.level = WARN logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling logger.deprecation.appenderRef.header_warning.ref = header_warning logger.deprecation.additivity = false ######## Search slowlog JSON #################### appender.index_search_slowlog_rolling.type = RollingFile appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs\ .cluster_name}_index_search_slowlog.json appender.index_search_slowlog_rolling.layout.type = ECSJsonLayout appender.index_search_slowlog_rolling.layout.dataset = elasticsearch.index_search_slowlog appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs\ .cluster_name}_index_search_slowlog-%i.json.gz appender.index_search_slowlog_rolling.policies.type = Policies appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy appender.index_search_slowlog_rolling.policies.size.size = 1GB appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy appender.index_search_slowlog_rolling.strategy.max = 4 ################################################# ################################################# logger.index_search_slowlog_rolling.name = index.search.slowlog logger.index_search_slowlog_rolling.level = trace logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling logger.index_search_slowlog_rolling.additivity = false ######## Indexing slowlog JSON ################## appender.index_indexing_slowlog_rolling.type = RollingFile appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ _index_indexing_slowlog.json appender.index_indexing_slowlog_rolling.layout.type = ECSJsonLayout appender.index_indexing_slowlog_rolling.layout.dataset = elasticsearch.index_indexing_slowlog appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}\ _index_indexing_slowlog-%i.json.gz appender.index_indexing_slowlog_rolling.policies.type = Policies appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy appender.index_indexing_slowlog_rolling.policies.size.size = 1GB appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy appender.index_indexing_slowlog_rolling.strategy.max = 4 ################################################# logger.index_indexing_slowlog.name = index.indexing.slowlog.index logger.index_indexing_slowlog.level = trace logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling logger.index_indexing_slowlog.additivity = false logger.org_apache_pdfbox.name = org.apache.pdfbox logger.org_apache_pdfbox.level = off logger.org_apache_poi.name = org.apache.poi logger.org_apache_poi.level = off logger.org_apache_fontbox.name = org.apache.fontbox logger.org_apache_fontbox.level = off logger.org_apache_xmlbeans.name = org.apache.xmlbeans logger.org_apache_xmlbeans.level = off logger.com_amazonaws.name = com.amazonaws logger.com_amazonaws.level = warn logger.com_amazonaws_jmx_SdkMBeanRegistrySupport.name = com.amazonaws.jmx.SdkMBeanRegistrySupport logger.com_amazonaws_jmx_SdkMBeanRegistrySupport.level = error logger.com_amazonaws_metrics_AwsSdkMetrics.name = com.amazonaws.metrics.AwsSdkMetrics logger.com_amazonaws_metrics_AwsSdkMetrics.level = error logger.com_amazonaws_auth_profile_internal_BasicProfileConfigFileLoader.name = com.amazonaws.auth.profile.internal.BasicProfileConfigFileLoader logger.com_amazonaws_auth_profile_internal_BasicProfileConfigFileLoader.level = error logger.com_amazonaws_services_s3_internal_UseArnRegionResolver.name = com.amazonaws.services.s3.internal.UseArnRegionResolver logger.com_amazonaws_services_s3_internal_UseArnRegionResolver.level = error appender.audit_rolling.type = RollingFile appender.audit_rolling.name = audit_rolling appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.json appender.audit_rolling.layout.type = PatternLayout appender.audit_rolling.layout.pattern = {\ "type":"audit", \ "timestamp":"%d{yyyy-MM-dd'T'HH:mm:ss,SSSZ}"\ %varsNotEmpty{, "cluster.name":"%enc{%map{cluster.name}}{JSON}"}\ %varsNotEmpty{, "cluster.uuid":"%enc{%map{cluster.uuid}}{JSON}"}\ %varsNotEmpty{, "node.name":"%enc{%map{node.name}}{JSON}"}\ %varsNotEmpty{, "node.id":"%enc{%map{node.id}}{JSON}"}\ %varsNotEmpty{, "host.name":"%enc{%map{host.name}}{JSON}"}\ %varsNotEmpty{, "host.ip":"%enc{%map{host.ip}}{JSON}"}\ %varsNotEmpty{, "event.type":"%enc{%map{event.type}}{JSON}"}\ %varsNotEmpty{, "event.action":"%enc{%map{event.action}}{JSON}"}\ %varsNotEmpty{, "authentication.type":"%enc{%map{authentication.type}}{JSON}"}\ %varsNotEmpty{, "user.name":"%enc{%map{user.name}}{JSON}"}\ %varsNotEmpty{, "user.run_by.name":"%enc{%map{user.run_by.name}}{JSON}"}\ %varsNotEmpty{, "user.run_as.name":"%enc{%map{user.run_as.name}}{JSON}"}\ %varsNotEmpty{, "user.realm":"%enc{%map{user.realm}}{JSON}"}\ %varsNotEmpty{, "user.realm_domain":"%enc{%map{user.realm_domain}}{JSON}"}\ %varsNotEmpty{, "user.run_by.realm":"%enc{%map{user.run_by.realm}}{JSON}"}\ %varsNotEmpty{, "user.run_by.realm_domain":"%enc{%map{user.run_by.realm_domain}}{JSON}"}\ %varsNotEmpty{, "user.run_as.realm":"%enc{%map{user.run_as.realm}}{JSON}"}\ %varsNotEmpty{, "user.run_as.realm_domain":"%enc{%map{user.run_as.realm_domain}}{JSON}"}\ %varsNotEmpty{, "user.roles":%map{user.roles}}\ %varsNotEmpty{, "apikey.id":"%enc{%map{apikey.id}}{JSON}"}\ %varsNotEmpty{, "apikey.name":"%enc{%map{apikey.name}}{JSON}"}\ %varsNotEmpty{, "authentication.token.name":"%enc{%map{authentication.token.name}}{JSON}"}\ %varsNotEmpty{, "authentication.token.type":"%enc{%map{authentication.token.type}}{JSON}"}\ %varsNotEmpty{, "cross_cluster_access":%map{cross_cluster_access}}\ %varsNotEmpty{, "origin.type":"%enc{%map{origin.type}}{JSON}"}\ %varsNotEmpty{, "origin.address":"%enc{%map{origin.address}}{JSON}"}\ %varsNotEmpty{, "realm":"%enc{%map{realm}}{JSON}"}\ %varsNotEmpty{, "realm_domain":"%enc{%map{realm_domain}}{JSON}"}\ %varsNotEmpty{, "url.path":"%enc{%map{url.path}}{JSON}"}\ %varsNotEmpty{, "url.query":"%enc{%map{url.query}}{JSON}"}\ %varsNotEmpty{, "request.method":"%enc{%map{request.method}}{JSON}"}\ %varsNotEmpty{, "request.body":"%enc{%map{request.body}}{JSON}"}\ %varsNotEmpty{, "request.id":"%enc{%map{request.id}}{JSON}"}\ %varsNotEmpty{, "action":"%enc{%map{action}}{JSON}"}\ %varsNotEmpty{, "request.name":"%enc{%map{request.name}}{JSON}"}\ %varsNotEmpty{, "indices":%map{indices}}\ %varsNotEmpty{, "opaque_id":"%enc{%map{opaque_id}}{JSON}"}\ %varsNotEmpty{, "trace.id":"%enc{%map{trace.id}}{JSON}"}\ %varsNotEmpty{, "x_forwarded_for":"%enc{%map{x_forwarded_for}}{JSON}"}\ %varsNotEmpty{, "transport.profile":"%enc{%map{transport.profile}}{JSON}"}\ %varsNotEmpty{, "rule":"%enc{%map{rule}}{JSON}"}\ %varsNotEmpty{, "put":%map{put}}\ %varsNotEmpty{, "delete":%map{delete}}\ %varsNotEmpty{, "change":%map{change}}\ %varsNotEmpty{, "create":%map{create}}\ %varsNotEmpty{, "invalidate":%map{invalidate}}\ }%n # "node.name" node name from the `elasticsearch.yml` settings # "node.id" node id which should not change between cluster restarts # "host.name" unresolved hostname of the local node # "host.ip" the local bound ip (i.e. the ip listening for connections) # "origin.type" a received REST request is translated into one or more transport requests. This indicates which processing layer generated the event "rest" or "transport" (internal) # "event.action" the name of the audited event, eg. "authentication_failed", "access_granted", "run_as_granted", etc. # "authentication.type" one of "realm", "api_key", "token", "anonymous" or "internal" # "user.name" the subject name as authenticated by a realm # "user.run_by.name" the original authenticated subject name that is impersonating another one. # "user.run_as.name" if this "event.action" is of a run_as type, this is the subject name to be impersonated as. # "user.realm" the name of the realm that authenticated "user.name" # "user.realm_domain" if "user.realm" is under a domain, this is the name of the domain # "user.run_by.realm" the realm name of the impersonating subject ("user.run_by.name") # "user.run_by.realm_domain" if "user.run_by.realm" is under a domain, this is the name of the domain # "user.run_as.realm" if this "event.action" is of a run_as type, this is the realm name the impersonated user is looked up from # "user.run_as.realm_domain" if "user.run_as.realm" is under a domain, this is the name of the domain # "user.roles" the roles array of the user; these are the roles that are granting privileges # "apikey.id" this field is present if and only if the "authentication.type" is "api_key" # "apikey.name" this field is present if and only if the "authentication.type" is "api_key" # "authentication.token.name" this field is present if and only if the authenticating credential is a service account token # "authentication.token.type" this field is present if and only if the authenticating credential is a service account token # "cross_cluster_access" this field is present if and only if the associated authentication occurred cross cluster # "event.type" informs about what internal system generated the event; possible values are "rest", "transport", "ip_filter" and "security_config_change" # "origin.address" the remote address and port of the first network hop, i.e. a REST proxy or another cluster node # "realm" name of a realm that has generated an "authentication_failed" or an "authentication_successful"; the subject is not yet authenticated # "realm_domain" if "realm" is under a domain, this is the name of the domain # "url.path" the URI component between the port and the query string; it is percent (URL) encoded # "url.query" the URI component after the path and before the fragment; it is percent (URL) encoded # "request.method" the method of the HTTP request, i.e. one of GET, POST, PUT, DELETE, OPTIONS, HEAD, PATCH, TRACE, CONNECT # "request.body" the content of the request body entity, JSON escaped # "request.id" a synthetic identifier for the incoming request, this is unique per incoming request, and consistent across all audit events generated by that request # "action" an action is the most granular operation that is authorized and this identifies it in a namespaced way (internal) # "request.name" if the event is in connection to a transport message this is the name of the request class, similar to how rest requests are identified by the url path (internal) # "indices" the array of indices that the "action" is acting upon # "opaque_id" opaque value conveyed by the "X-Opaque-Id" request header # "trace_id" an identifier conveyed by the part of "traceparent" request header # "x_forwarded_for" the addresses from the "X-Forwarded-For" request header, as a verbatim string value (not an array) # "transport.profile" name of the transport profile in case this is a "connection_granted" or "connection_denied" event # "rule" name of the applied rule if the "origin.type" is "ip_filter" # the "put", "delete", "change", "create", "invalidate" fields are only present # when the "event.type" is "security_config_change" and contain the security config change (as an object) taking effect appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}-%i.json.gz appender.audit_rolling.policies.type = Policies appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy appender.audit_rolling.policies.time.interval = 1 appender.audit_rolling.policies.time.modulate = true appender.audit_rolling.policies.size.type = SizeBasedTriggeringPolicy appender.audit_rolling.policies.size.size = 1GB appender.audit_rolling.strategy.type = DefaultRolloverStrategy appender.audit_rolling.strategy.fileIndex = nomax logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail logger.xpack_security_audit_logfile.level = info logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling logger.xpack_security_audit_logfile.additivity = false logger.xmlsig.name = org.apache.xml.security.signature.XMLSignature logger.xmlsig.level = error logger.samlxml_decrypt.name = org.opensaml.xmlsec.encryption.support.Decrypter logger.samlxml_decrypt.level = fatal logger.saml2_decrypt.name = org.opensaml.saml.saml2.encryption.Decrypter logger.saml2_decrypt.level = fatal