Cluster level log settings can inadvertently enable the deprecated *_access log #47251

Closed
n0othing opened this issue Sep 27, 2019 · 1 comment · Fixed by #45456
Labels
>bug :Security/Audit X-Pack Audit logging

Comments

@n0othing
Member

Elasticsearch version: Version: 6.8.3, Build: default/tar/0c48c0e/2019-08-29T19:05:24.312154Z, JVM: 1.8.0_181

JVM version: Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)

OS version: 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64

Description of the problem including expected versus actual behavior:

Adjusting the _root logger level via a cluster setting API call can enable the deprecated *_access.log, even if logger.xpack_security_audit_deprecated_logfile.level = off is defined in the log4j2.properties file. It remains enabled even if you null out the cluster setting.

Steps to reproduce:

  1. Enable auditing in the elasticsearch.yml + disable the deprecated *_access.log in the log4j2.properties file.
  2. Switch to debug logging via a cluster setting:

         PUT /_cluster/settings
         {"transient":{"logger._root":"debug"}}

  3. Observe the path.logs directory. The deprecated *_access.log is now being written to.
  4. Clear your debug logging via a null:

         PUT /_cluster/settings
         {"transient":{"logger._root":null}}

  5. *_access.log will continue being written to until the node is restarted.
@n0othing n0othing added >bug :Security/Audit X-Pack Audit logging labels Sep 27, 2019
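
A way to check a node for the condition reported above, as an added example that is not part of the original issue or the Elasticsearch code base. It assumes you have the JSON body of `GET /_cluster/settings` and a baseline timestamp of your choosing (for example the node's last start time); the function names and status strings are hypothetical.

```python
import glob
import os


def root_logger_overrides(cluster_settings):
    """Return {scope: level} for each logger._root override found in a
    GET /_cluster/settings response (default nested or flat_settings form)."""
    found = {}
    for scope in ("transient", "persistent"):
        block = cluster_settings.get(scope) or {}
        level = block.get("logger._root")          # flat_settings=true form
        if level is None:
            logger = block.get("logger")
            if isinstance(logger, dict):
                level = logger.get("_root")        # default nested form
        if level is not None:
            found[scope] = level
    return found


def active_deprecated_audit_logs(path_logs, since_epoch):
    """Return non-empty *_access.log files in path_logs modified after since_epoch."""
    hits = []
    for path in sorted(glob.glob(os.path.join(path_logs, "*_access.log"))):
        st = os.stat(path)
        if st.st_size > 0 and st.st_mtime > since_epoch:
            hits.append(path)
    return hits


def assess(cluster_settings, path_logs, since_epoch):
    """Combine both checks. Per the report, clearing the override does not stop
    the writes, so the log files are checked even when no override is set."""
    overrides = root_logger_overrides(cluster_settings)
    files = active_deprecated_audit_logs(path_logs, since_epoch)
    if files and overrides:
        status = "override-active"
    elif files:
        status = "still-writing-restart-needed"
    else:
        status = "clean"
    return {"status": status, "overrides": overrides, "files": files}
```

Run `assess` against each node's path.logs directory, since the deprecated file is written per node and the cluster setting alone does not show whether a node is still writing to it.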
@elasticmachine
Collaborator

Pinging @elastic/es-security

@albertzaharovits albertzaharovits self-assigned this Sep 29, 2019
albertzaharovits added a commit that referenced this issue Nov 15, 2019
This adds a log marker and a marker filter for the audit log.

Closes #47251
albertzaharovits added a commit to albertzaharovits/elasticsearch that referenced this issue Nov 15, 2019
This adds a log marker and a marker filter for the audit log.

Closes elastic#47251