Hello,
Here’s the link to the ror-sandbox PR: "[RORDEV-1872] Reproduce issue using log4j2 config provided by customer" by mgoworko (Pull Request #89, beshu-tech/ror-sandbox, GitHub). It contains the fixed log4j2 configuration from my previous answer. It can be started by executing the ror-demo-cluster/run.sh script. The script will ask for the ES version and ROR version (I used ES 8.18.3 and ROR 1.66.1, as specified in the issue report).
After logging in to Elastic (admin:admin on local port 15601), I checked the log files using the command:
docker exec -it $(docker ps -q --filter "expose=9200") ls -l /usr/share/elasticsearch/logs
With result:
-rw-rw-r-- 1 elasticsearch elasticsearch 91351 Nov 27 17:08 gc.log
-rw-rw-r-- 1 elasticsearch elasticsearch 2902 Nov 27 17:04 gc.log.00
-rw-rw-r-- 1 elasticsearch elasticsearch 2902 Nov 27 17:04 gc.log.01
-rw-rw-r-- 1 elasticsearch elasticsearch 89170 Nov 27 17:08 readonlyrest_audit.log
-rw-rw-r-- 1 elasticsearch elasticsearch 618726 Nov 27 17:08 ror-es-cluster.log
-rw-rw-r-- 1 elasticsearch elasticsearch 999 Nov 27 17:04 ror-es-cluster_deprecation.log
-rw-rw-r-- 1 elasticsearch elasticsearch 0 Nov 27 17:04 ror-es-cluster_index_indexing_slowlog.log
-rw-rw-r-- 1 elasticsearch elasticsearch 0 Nov 27 17:04 ror-es-cluster_index_search_slowlog.log
The audit logs are correctly written only to the readonlyrest_audit.log file. Please compare this example with your configuration and let me know if the issue still persists.
Regards,
Michał