How to enable Elasticsearch HTTP access log


I opened a couple of client nodes with HTTP 9200 to serve Elasticsearch queries/indices. I want to log the access log from clients via HTTP 9200, just like Apache HTTP has its access.log. How should I enable this in ES, please?


Answers:


There's no such thing in Elasticsearch itself.

However, if you install the Shield plugin, you can enable auditing by adding this to your elasticsearch.yml configuration file.

shield.audit.enabled: true

You'll then get a new file called elasticsearch-access.log in your ES logs folder.

UPDATE by @lucabelluccini: Shield audit logs to syslog

In case you are interested in forwarding such audit logs to syslog, you can, thanks to the log4j SyslogAppender class, which allows forwarding logs to syslog via a local socket.

Edit your logging.yml (customize the format, etc.):

appender:
  syslog:
    type: org.apache.log4j.net.SyslogAppender
    syslogHost: localhost
    facility: local0
    layout:
      type: org.apache.log4j.PatternLayout
      conversionPattern: "%d{ISO8601} %t %p %c %M %m %n"

Ensure rsyslog configuration allows UDP sources.

Associate this appender to the shield audit topic.
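As an added example (not part of the original answer or of Shield/log4j), the following Python helper builds and decodes the `<PRI>` header that the log4j SyslogAppender prepends for `facility: local0`, and can send a constructed probe line over UDP so you can confirm rsyslog is accepting UDP input as described above. The log4j level-to-severity mapping, the default port 514 and the sample line are assumptions.

```python
"""Syslog PRI helper for the log4j SyslogAppender -> rsyslog setup above.
Added example; the level/severity table below is an assumption about
log4j 1.x, so verify it against the log4j version you run."""
import re
import socket

# RFC 3164 facility numbers (local0 is the facility used in logging.yml).
FACILITIES = {"user": 1, "daemon": 3, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}

# Assumed log4j level -> syslog severity mapping.
LEVEL_SEVERITY = {"FATAL": 0, "ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7}
SEVERITY_NAMES = {0: "emerg", 3: "err", 4: "warning", 6: "info", 7: "debug"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def pri(facility: str, level: str) -> int:
    """PRI = facility * 8 + severity, e.g. local0/INFO -> 134."""
    return FACILITIES[facility] * 8 + LEVEL_SEVERITY[level]


def build_message(facility: str, level: str, body: str) -> str:
    """Wrap an already-formatted log4j line in the <PRI> header."""
    return f"<{pri(facility, level)}>{body}"


def parse_message(line: str):
    """Split a received syslog line into (facility, severity, body)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    value = int(m.group(1))
    if value > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    fac, sev = divmod(value, 8)
    return (FACILITY_NAMES.get(fac, str(fac)),
            SEVERITY_NAMES.get(sev, str(sev)), m.group(2))


def send_probe(body: str, host: str = "localhost", port: int = 514) -> int:
    """Send one constructed local0/INFO line over UDP; returns bytes sent.
    If it does not appear in rsyslog's output, UDP input is not enabled."""
    msg = build_message("local0", "INFO", body).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(msg, (host, port))


# Constructed sample in the conversionPattern from logging.yml above.
SAMPLE = "2016-01-01 12:00:00,000 main INFO shield.audit probe (constructed)"
```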