diff --git a/x-pack/docs/en/security/auditing/output-logfile.asciidoc b/x-pack/docs/en/security/auditing/output-logfile.asciidoc index 382307e893f..ac7128852b9 100644 --- a/x-pack/docs/en/security/auditing/output-logfile.asciidoc +++ b/x-pack/docs/en/security/auditing/output-logfile.asciidoc @@ -7,11 +7,36 @@ the `_audit.log` file in the logs directory. To maintain compatibility with releases prior to 6.5.0, a `_access.log` file is also generated. They differ in the output format but the contents are similar. For systems that are not ingesting the audit file for search or -analytics it is strongly recommended to only keep the newer format. -Turning off the deprecated output format can be achieved by disabling the logger -in the `log4j2.properties` file (hint: there is a config comment -about it). -For more information, see {ref}/logging.html#configuring-logging-levels[configuring-logging]. +analytics it is strongly recommended to keep only the newer format. + +To turn off the deprecated output format, you can disable the logger in the +`log4j2.properties` file: + +[source, properties] +-------------------------------------------------- +# change info to off +# logger.xpack_security_audit_deprecated_logfile.level = info +logger.xpack_security_audit_deprecated_logfile.level = off +-------------------------------------------------- + +Alternatively, use the +{ref}/cluster-update-settings.html[cluster update settings API] to dynamically +configure the logger: + +[source,js] +-------------------------------------------------- +PUT /_cluster/settings +{ + "persistent": { + "logger.org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail": "off" + } +} +-------------------------------------------------- +// CONSOLE + +NOTE: If you overwrite the `log4j2.properties` and do not specify appenders for +any of the audit trails, audit events are forwarded to the root appender, which +by default points to the `elasticsearch.log` file. [float]
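Review bot: the two ways of turning the deprecated logger off in this hunk are not equivalent, and the text should say so: the `PUT /_cluster/settings` example uses `"persistent"`, so the `logger.org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail: off` setting survives restarts and takes precedence over whatever `logger.xpack_security_audit_deprecated_logfile.level` says in `log4j2.properties`; an operator who later edits the file expecting `_access.log` to come back will see no change until the cluster setting is cleared (e.g. by setting it to `null` through the same API). A one-line sentence after the CONSOLE block covering that precedence would avoid that confusion, and it would also help to state that the file key and the API key name the same logger (the first is the log4j2 logger id in the shipped properties file, the second the fully qualified class it maps to), since readers will otherwise wonder why the two names differ. In the trailing NOTE, the consequence of audit events falling through to the root appender deserves one more sentence: audit records end up interleaved in `elasticsearch.log` rather than in the dedicated `_audit.log`, so any separate permissions, rotation or shipping applied to the audit file no longer cover them; recommend keeping the audit appenders explicitly when overriding `log4j2.properties`. Minor style point: `[source, properties]` has a space after the comma while `[source,js]` does not; the rest of the auditing docs use the no-space form.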