Custom log4j does not work

Hi all
Name: readonlyrest
Description: Safely expose Elasticsearch REST API
Version: 1.16.14
Native Controller: false

  • Classname:

I added the log4j snippet in my log4j.properties to log ROR in another file:

#Plugin readonly rest separate access logging file definition
appender.access_log_rolling.type = RollingFile
appender.access_log_rolling.name = access_log_rolling
appender.access_log_rolling.fileName = ${sys:es.logs}_access.log
appender.access_log_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n
appender.access_log_rolling.layout.type = PatternLayout
appender.access_log_rolling.filePattern = ${sys:es.logs}_access-%d{yyyy-MM-dd}.log
appender.access_log_rolling.policies.type = Policies
appender.access_log_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.access_log_rolling.policies.time.interval = 1
appender.access_log_rolling.policies.time.modulate = true

logger.access_log_rolling.name = org.elasticsearch.plugin.readonlyrest.acl
logger.access_log_rolling.level = info
logger.access_log_rolling.appenderRef.access_log_rolling.ref = access_log_rolling
logger.access_log_rolling.additivity = false

# exclude kibana, beat and logstash users as they generate too much noise
logger.access_log_rolling.filter.regex.type = RegexFilter
logger.access_log_rolling.filter.regex.regex = .*USR:(kibana|beat|logstash),.*
logger.access_log_rolling.filter.regex.onMatch = DENY
logger.access_log_rolling.filter.regex.onMisMatch = ACCEPT

The logs are still written to the default logfile.

Am I doing something wrong or is this buggy?

@ld57 you’re the logs expert, any aces up your sleeve? :slight_smile:

To start, try to post the config as a “preformatted text” (select and then press ctrl+shift+c), as markup is eating several characters.

Anyway, I recall there was a change in ES log variables somewhere… that sys:es.logs probably does not work anymore. Try using something like this (taken from my config) to build the path:

appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}.log.gz

If it fails, let's check the other parts… What file are you editing? Should be! Is it located in the correct location? Are the permissions correct? If running inside Docker, check what user is really being used inside the container vs. the host.

Good luck

Changing the default hierarchy name of the plugin = org.elasticsearch.plugin.readonlyrest.acl
to = tech.beshu.ror.acl.ACL
worked perfectly…!!

Also, the last line
logger.access_log_rolling.filter.regex.onMisMatch = ACCEPT
should be
logger.access_log_rolling.filter.regex.onMismatch = ACCEPT

otherwise it will give an error for “MisMatch”…!!

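The three fixes from this thread applied together, as an added example that is not any poster's own file. It assumes an Elasticsearch version that exposes the es.logs.base_path and es.logs.cluster_name variables and a ReadonlyREST build that logs under tech.beshu.ror.acl.ACL; the `.*` wildcards in the regex are also an assumption, since the forum markup dropped characters from the posted pattern.

```properties
# Added example: separate ReadonlyREST access log with the thread's fixes applied.

appender.access_log_rolling.type = RollingFile
appender.access_log_rolling.name = access_log_rolling
# Fix 1: build the path from base_path + cluster_name instead of ${sys:es.logs}
appender.access_log_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
appender.access_log_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access-%d{yyyy-MM-dd}.log
appender.access_log_rolling.layout.type = PatternLayout
appender.access_log_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] %marker%.-10000m%n
appender.access_log_rolling.policies.type = Policies
appender.access_log_rolling.policies.time.type = TimeBasedTriggeringPolicy
appender.access_log_rolling.policies.time.interval = 1
appender.access_log_rolling.policies.time.modulate = true

# Fix 2: the logger name must be the hierarchy the plugin actually logs under.
# With the old name (org.elasticsearch.plugin.readonlyrest.acl) nothing matches,
# so every ACL line falls through to the default log file.
logger.access_log_rolling.name = tech.beshu.ror.acl.ACL
logger.access_log_rolling.level = info
logger.access_log_rolling.appenderRef.access_log_rolling.ref = access_log_rolling
# additivity = false keeps these events out of the parent (default) appenders
logger.access_log_rolling.additivity = false

# Exclude kibana, beat and logstash users as they generate too much noise.
# Note: DENY drops every ACL line that matches, so no access trail is kept
# for these three accounts in this file.
logger.access_log_rolling.filter.regex.type = RegexFilter
logger.access_log_rolling.filter.regex.regex = .*USR:(kibana|beat|logstash),.*
logger.access_log_rolling.filter.regex.onMatch = DENY
# Fix 3: the key is onMismatch, not onMisMatch
logger.access_log_rolling.filter.regex.onMismatch = ACCEPT
```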