Audit log filter and marker (#45456)

albertzaharovits · web-flow · commit 9ef69f7d22c0 · 2019-11-15T10:43:31.000-05:00
This adds a log marker and a marker filter for the audit log. Closes #47251
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java
@@ -6,6 +6,11 @@
 package org.elasticsearch.xpack.security.audit.logfile;
 
 import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.Marker;
+import org.apache.logging.log4j.MarkerManager;
+import org.apache.logging.log4j.core.Filter.Result;
+import org.apache.logging.log4j.core.LoggerContext;
+import org.apache.logging.log4j.core.filter.MarkerFilter;
 import org.apache.logging.log4j.message.StringMapMessage;
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.cluster.ClusterChangedEvent;
@@ -15,6 +20,7 @@
 import org.elasticsearch.common.Nullable;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.MapBuilder;
+import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Setting.Property;
@@ -32,6 +38,7 @@
 import org.elasticsearch.xpack.core.security.user.SystemUser;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.security.user.XPackUser;
+import org.elasticsearch.xpack.security.Security;
 import org.elasticsearch.xpack.security.audit.AuditLevel;
 import org.elasticsearch.xpack.security.audit.AuditTrail;
 import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;
@@ -151,6 +158,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
             "indices",
             (key) -> Setting.listSetting(key, Collections.singletonList("*"), Function.identity(), Property.NodeScope, Property.Dynamic));
 
+    private static final Marker AUDIT_MARKER = MarkerManager.getMarker("org.elasticsearch.xpack.security.audit");
+
     private final Logger logger;
     private final ThreadContext threadContext;
     final EventFilterPolicyRegistry eventFilterPolicyRegistry;
@@ -166,7 +175,7 @@ public String name() {
     }
 
     public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {
-        this(settings, clusterService, LogManager.getLogger(), threadPool.getThreadContext());
+        this(settings, clusterService, LogManager.getLogger(LoggingAuditTrail.class), threadPool.getThreadContext());
     }
 
     LoggingAuditTrail(Settings settings, ClusterService clusterService, Logger logger, ThreadContext threadContext) {
@@ -207,6 +216,14 @@ public LoggingAuditTrail(Settings settings, ClusterService clusterService, Threa
             final EventFilterPolicy newPolicy = policy.orElse(new EventFilterPolicy(policyName, settings)).changeIndicesFilter(filtersList);
             this.eventFilterPolicyRegistry.set(policyName, newPolicy);
         }, (policyName, filtersList) -> EventFilterPolicy.parsePredicate(filtersList));
+        // this log filter ensures that audit events are not filtered out because of the log level
+        final LoggerContext ctx = LoggerContext.getContext(false);
+        MarkerFilter auditMarkerFilter = MarkerFilter.createFilter(AUDIT_MARKER.getName(), Result.ACCEPT, Result.NEUTRAL);
+        ctx.addFilter(auditMarkerFilter);
+        ctx.updateLoggers();
+        clusterService.getClusterSettings().addSettingsUpdateConsumer(ignored -> {
+            LogManager.getLogger(Security.class).warn("Changing log level for [" + LoggingAuditTrail.class.getName() + "] has no effect");
+        }, Collections.singletonList(Loggers.LOG_LEVEL_SETTING.getConcreteSettingForNamespace(LoggingAuditTrail.class.getName())));
     }
 
     @Override
@@ -225,7 +242,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Res
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -248,7 +265,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Str
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -270,7 +287,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportMess
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -289,7 +306,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) {
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -311,7 +328,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -329,7 +346,7 @@ public void authenticationFailed(String requestId, RestRequest request) {
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -350,7 +367,7 @@ public void authenticationFailed(String requestId, String action, TransportMessa
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -370,7 +387,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -393,7 +410,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -414,7 +431,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -440,7 +457,7 @@ public void accessGranted(String requestId, Authentication authentication, Strin
                         .withXForwardedFor(threadContext)
                         .with(authorizationInfo.asMap())
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -480,7 +497,7 @@ public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Aut
                         .with(ORIGIN_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)
                         .with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(remoteAddress.address()));
                 }
-                logger.info(logEntryBuilder.build());
+                logger.info(AUDIT_MARKER, logEntryBuilder.build());
             }
         }
     }
@@ -505,7 +522,7 @@ public void accessDenied(String requestId, Authentication authentication, String
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -523,7 +540,7 @@ public void tamperedRequest(String requestId, RestRequest request) {
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -544,7 +561,7 @@ public void tamperedRequest(String requestId, String action, TransportMessage me
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -567,7 +584,7 @@ public void tamperedRequest(String requestId, User user, String action, Transpor
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -586,7 +603,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -604,7 +621,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
@@ -628,7 +645,7 @@ public void runAsGranted(String requestId, Authentication authentication, String
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -653,7 +670,7 @@ public void runAsDenied(String requestId, Authentication authentication, String
                         .withOpaqueId(threadContext)
                         .withXForwardedFor(threadContext)
                         .build();
-                logger.info(logEntry);
+                logger.info(AUDIT_MARKER, logEntry);
             }
         }
     }
@@ -675,7 +692,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq
                     .withOpaqueId(threadContext)
                     .withXForwardedFor(threadContext)
                     .build();
-            logger.info(logEntry);
+            logger.info(AUDIT_MARKER, logEntry);
         }
     }
 
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java
@@ -198,7 +198,7 @@ public void init() throws Exception {
             threadContext.putHeader(AuditTrail.X_FORWARDED_FOR_HEADER,
                     randomFrom("2001:db8:85a3:8d3:1319:8a2e:370:7348", "203.0.113.195", "203.0.113.195, 70.41.3.18, 150.172.238.178"));
         }
-        logger = CapturingLogger.newCapturingLogger(Level.INFO, patternLayout);
+        logger = CapturingLogger.newCapturingLogger(randomFrom(Level.OFF, Level.FATAL, Level.ERROR, Level.WARN, Level.INFO), patternLayout);
         auditTrail = new LoggingAuditTrail(settings, clusterService, logger, threadContext);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,11 @@`
`6`	`6`	`package org.elasticsearch.xpack.security.audit.logfile;`
`7`	`7`
`8`	`8`	`import org.apache.logging.log4j.Logger;`
	`9`	`+import org.apache.logging.log4j.Marker;`
	`10`	`+import org.apache.logging.log4j.MarkerManager;`
	`11`	`+import org.apache.logging.log4j.core.Filter.Result;`
	`12`	`+import org.apache.logging.log4j.core.LoggerContext;`
	`13`	`+import org.apache.logging.log4j.core.filter.MarkerFilter;`
`9`	`14`	`import org.apache.logging.log4j.message.StringMapMessage;`
`10`	`15`	`import org.elasticsearch.action.IndicesRequest;`
`11`	`16`	`import org.elasticsearch.cluster.ClusterChangedEvent;`
`@@ -15,6 +20,7 @@`
`15`	`20`	`import org.elasticsearch.common.Nullable;`
`16`	`21`	`import org.elasticsearch.common.Strings;`
`17`	`22`	`import org.elasticsearch.common.collect.MapBuilder;`
	`23`	`+import org.elasticsearch.common.logging.Loggers;`
`18`	`24`	`import org.elasticsearch.common.network.NetworkAddress;`
`19`	`25`	`import org.elasticsearch.common.settings.Setting;`
`20`	`26`	`import org.elasticsearch.common.settings.Setting.Property;`
`@@ -32,6 +38,7 @@`
`32`	`38`	`import org.elasticsearch.xpack.core.security.user.SystemUser;`
`33`	`39`	`import org.elasticsearch.xpack.core.security.user.User;`
`34`	`40`	`import org.elasticsearch.xpack.core.security.user.XPackUser;`
	`41`	`+import org.elasticsearch.xpack.security.Security;`
`35`	`42`	`import org.elasticsearch.xpack.security.audit.AuditLevel;`
`36`	`43`	`import org.elasticsearch.xpack.security.audit.AuditTrail;`
`37`	`44`	`import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.AuthorizationInfo;`
`@@ -151,6 +158,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {`
`151`	`158`	`"indices",`
`152`	`159`	`(key) -> Setting.listSetting(key, Collections.singletonList("*"), Function.identity(), Property.NodeScope, Property.Dynamic));`
`153`	`160`
	`161`	`+ private static final Marker AUDIT_MARKER = MarkerManager.getMarker("org.elasticsearch.xpack.security.audit");`
	`162`	`+`
`154`	`163`	`private final Logger logger;`
`155`	`164`	`private final ThreadContext threadContext;`
`156`	`165`	`final EventFilterPolicyRegistry eventFilterPolicyRegistry;`
`@@ -166,7 +175,7 @@ public String name() {`
`166`	`175`	`}`
`167`	`176`
`168`	`177`	`public LoggingAuditTrail(Settings settings, ClusterService clusterService, ThreadPool threadPool) {`
`169`		`- this(settings, clusterService, LogManager.getLogger(), threadPool.getThreadContext());`
	`178`	`+ this(settings, clusterService, LogManager.getLogger(LoggingAuditTrail.class), threadPool.getThreadContext());`
`170`	`179`	`}`
`171`	`180`
`172`	`181`	`LoggingAuditTrail(Settings settings, ClusterService clusterService, Logger logger, ThreadContext threadContext) {`
`@@ -207,6 +216,14 @@ public LoggingAuditTrail(Settings settings, ClusterService clusterService, Threa`
`207`	`216`	`final EventFilterPolicy newPolicy = policy.orElse(new EventFilterPolicy(policyName, settings)).changeIndicesFilter(filtersList);`
`208`	`217`	`this.eventFilterPolicyRegistry.set(policyName, newPolicy);`
`209`	`218`	`}, (policyName, filtersList) -> EventFilterPolicy.parsePredicate(filtersList));`
	`219`	`+ // this log filter ensures that audit events are not filtered out because of the log level`
	`220`	`+ final LoggerContext ctx = LoggerContext.getContext(false);`
	`221`	`+ MarkerFilter auditMarkerFilter = MarkerFilter.createFilter(AUDIT_MARKER.getName(), Result.ACCEPT, Result.NEUTRAL);`
	`222`	`+ ctx.addFilter(auditMarkerFilter);`
	`223`	`+ ctx.updateLoggers();`
	`224`	`+ clusterService.getClusterSettings().addSettingsUpdateConsumer(ignored -> {`
	`225`	`+ LogManager.getLogger(Security.class).warn("Changing log level for [" + LoggingAuditTrail.class.getName() + "] has no effect");`
	`226`	`+ }, Collections.singletonList(Loggers.LOG_LEVEL_SETTING.getConcreteSettingForNamespace(LoggingAuditTrail.class.getName())));`
`210`	`227`	`}`
`211`	`228`
`212`	`229`	`@Override`
`@@ -225,7 +242,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Res`
`225`	`242`	`.withOpaqueId(threadContext)`
`226`	`243`	`.withXForwardedFor(threadContext)`
`227`	`244`	`.build();`
`228`		`- logger.info(logEntry);`
	`245`	`+ logger.info(AUDIT_MARKER, logEntry);`
`229`	`246`	`}`
`230`	`247`	`}`
`231`	`248`
`@@ -248,7 +265,7 @@ public void authenticationSuccess(String requestId, String realm, User user, Str`
`248`	`265`	`.withOpaqueId(threadContext)`
`249`	`266`	`.withXForwardedFor(threadContext)`
`250`	`267`	`.build();`
`251`		`- logger.info(logEntry);`
	`268`	`+ logger.info(AUDIT_MARKER, logEntry);`
`252`	`269`	`}`
`253`	`270`	`}`
`254`	`271`	`}`
`@@ -270,7 +287,7 @@ public void anonymousAccessDenied(String requestId, String action, TransportMess`
`270`	`287`	`.withOpaqueId(threadContext)`
`271`	`288`	`.withXForwardedFor(threadContext)`
`272`	`289`	`.build();`
`273`		`- logger.info(logEntry);`
	`290`	`+ logger.info(AUDIT_MARKER, logEntry);`
`274`	`291`	`}`
`275`	`292`	`}`
`276`	`293`	`}`
`@@ -289,7 +306,7 @@ public void anonymousAccessDenied(String requestId, RestRequest request) {`
`289`	`306`	`.withOpaqueId(threadContext)`
`290`	`307`	`.withXForwardedFor(threadContext)`
`291`	`308`	`.build();`
`292`		`- logger.info(logEntry);`
	`309`	`+ logger.info(AUDIT_MARKER, logEntry);`
`293`	`310`	`}`
`294`	`311`	`}`
`295`	`312`
`@@ -311,7 +328,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, St`
`311`	`328`	`.withOpaqueId(threadContext)`
`312`	`329`	`.withXForwardedFor(threadContext)`
`313`	`330`	`.build();`
`314`		`- logger.info(logEntry);`
	`331`	`+ logger.info(AUDIT_MARKER, logEntry);`
`315`	`332`	`}`
`316`	`333`	`}`
`317`	`334`	`}`
`@@ -329,7 +346,7 @@ public void authenticationFailed(String requestId, RestRequest request) {`
`329`	`346`	`.withOpaqueId(threadContext)`
`330`	`347`	`.withXForwardedFor(threadContext)`
`331`	`348`	`.build();`
`332`		`- logger.info(logEntry);`
	`349`	`+ logger.info(AUDIT_MARKER, logEntry);`
`333`	`350`	`}`
`334`	`351`	`}`
`335`	`352`
`@@ -350,7 +367,7 @@ public void authenticationFailed(String requestId, String action, TransportMessa`
`350`	`367`	`.withOpaqueId(threadContext)`
`351`	`368`	`.withXForwardedFor(threadContext)`
`352`	`369`	`.build();`
`353`		`- logger.info(logEntry);`
	`370`	`+ logger.info(AUDIT_MARKER, logEntry);`
`354`	`371`	`}`
`355`	`372`	`}`
`356`	`373`	`}`
`@@ -370,7 +387,7 @@ public void authenticationFailed(String requestId, AuthenticationToken token, Re`
`370`	`387`	`.withOpaqueId(threadContext)`
`371`	`388`	`.withXForwardedFor(threadContext)`
`372`	`389`	`.build();`
`373`		`- logger.info(logEntry);`
	`390`	`+ logger.info(AUDIT_MARKER, logEntry);`
`374`	`391`	`}`
`375`	`392`	`}`
`376`	`393`
`@@ -393,7 +410,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT`
`393`	`410`	`.withOpaqueId(threadContext)`
`394`	`411`	`.withXForwardedFor(threadContext)`
`395`	`412`	`.build();`
`396`		`- logger.info(logEntry);`
	`413`	`+ logger.info(AUDIT_MARKER, logEntry);`
`397`	`414`	`}`
`398`	`415`	`}`
`399`	`416`	`}`
`@@ -414,7 +431,7 @@ public void authenticationFailed(String requestId, String realm, AuthenticationT`
`414`	`431`	`.withOpaqueId(threadContext)`
`415`	`432`	`.withXForwardedFor(threadContext)`
`416`	`433`	`.build();`
`417`		`- logger.info(logEntry);`
	`434`	`+ logger.info(AUDIT_MARKER, logEntry);`
`418`	`435`	`}`
`419`	`436`	`}`
`420`	`437`
`@@ -440,7 +457,7 @@ public void accessGranted(String requestId, Authentication authentication, Strin`
`440`	`457`	`.withXForwardedFor(threadContext)`
`441`	`458`	`.with(authorizationInfo.asMap())`
`442`	`459`	`.build();`
`443`		`- logger.info(logEntry);`
	`460`	`+ logger.info(AUDIT_MARKER, logEntry);`
`444`	`461`	`}`
`445`	`462`	`}`
`446`	`463`	`}`
`@@ -480,7 +497,7 @@ public void explicitIndexAccessEvent(String requestId, AuditLevel eventType, Aut`
`480`	`497`	`.with(ORIGIN_TYPE_FIELD_NAME, TRANSPORT_ORIGIN_FIELD_VALUE)`
`481`	`498`	`.with(ORIGIN_ADDRESS_FIELD_NAME, NetworkAddress.format(remoteAddress.address()));`
`482`	`499`	`}`
`483`		`- logger.info(logEntryBuilder.build());`
	`500`	`+ logger.info(AUDIT_MARKER, logEntryBuilder.build());`
`484`	`501`	`}`
`485`	`502`	`}`
`486`	`503`	`}`
`@@ -505,7 +522,7 @@ public void accessDenied(String requestId, Authentication authentication, String`
`505`	`522`	`.withOpaqueId(threadContext)`
`506`	`523`	`.withXForwardedFor(threadContext)`
`507`	`524`	`.build();`
`508`		`- logger.info(logEntry);`
	`525`	`+ logger.info(AUDIT_MARKER, logEntry);`
`509`	`526`	`}`
`510`	`527`	`}`
`511`	`528`	`}`
`@@ -523,7 +540,7 @@ public void tamperedRequest(String requestId, RestRequest request) {`
`523`	`540`	`.withOpaqueId(threadContext)`
`524`	`541`	`.withXForwardedFor(threadContext)`
`525`	`542`	`.build();`
`526`		`- logger.info(logEntry);`
	`543`	`+ logger.info(AUDIT_MARKER, logEntry);`
`527`	`544`	`}`
`528`	`545`	`}`
`529`	`546`
`@@ -544,7 +561,7 @@ public void tamperedRequest(String requestId, String action, TransportMessage me`
`544`	`561`	`.withOpaqueId(threadContext)`
`545`	`562`	`.withXForwardedFor(threadContext)`
`546`	`563`	`.build();`
`547`		`- logger.info(logEntry);`
	`564`	`+ logger.info(AUDIT_MARKER, logEntry);`
`548`	`565`	`}`
`549`	`566`	`}`
`550`	`567`	`}`
`@@ -567,7 +584,7 @@ public void tamperedRequest(String requestId, User user, String action, Transpor`
`567`	`584`	`.withOpaqueId(threadContext)`
`568`	`585`	`.withXForwardedFor(threadContext)`
`569`	`586`	`.build();`
`570`		`- logger.info(logEntry);`
	`587`	`+ logger.info(AUDIT_MARKER, logEntry);`
`571`	`588`	`}`
`572`	`589`	`}`
`573`	`590`	`}`
`@@ -586,7 +603,7 @@ public void connectionGranted(InetAddress inetAddress, String profile, SecurityI`
`586`	`603`	`.withOpaqueId(threadContext)`
`587`	`604`	`.withXForwardedFor(threadContext)`
`588`	`605`	`.build();`
`589`		`- logger.info(logEntry);`
	`606`	`+ logger.info(AUDIT_MARKER, logEntry);`
`590`	`607`	`}`
`591`	`608`	`}`
`592`	`609`
`@@ -604,7 +621,7 @@ public void connectionDenied(InetAddress inetAddress, String profile, SecurityIp`
`604`	`621`	`.withOpaqueId(threadContext)`
`605`	`622`	`.withXForwardedFor(threadContext)`
`606`	`623`	`.build();`
`607`		`- logger.info(logEntry);`
	`624`	`+ logger.info(AUDIT_MARKER, logEntry);`
`608`	`625`	`}`
`609`	`626`	`}`
`610`	`627`
`@@ -628,7 +645,7 @@ public void runAsGranted(String requestId, Authentication authentication, String`
`628`	`645`	`.withOpaqueId(threadContext)`
`629`	`646`	`.withXForwardedFor(threadContext)`
`630`	`647`	`.build();`
`631`		`- logger.info(logEntry);`
	`648`	`+ logger.info(AUDIT_MARKER, logEntry);`
`632`	`649`	`}`
`633`	`650`	`}`
`634`	`651`	`}`
`@@ -653,7 +670,7 @@ public void runAsDenied(String requestId, Authentication authentication, String`
`653`	`670`	`.withOpaqueId(threadContext)`
`654`	`671`	`.withXForwardedFor(threadContext)`
`655`	`672`	`.build();`
`656`		`- logger.info(logEntry);`
	`673`	`+ logger.info(AUDIT_MARKER, logEntry);`
`657`	`674`	`}`
`658`	`675`	`}`
`659`	`676`	`}`
`@@ -675,7 +692,7 @@ public void runAsDenied(String requestId, Authentication authentication, RestReq`
`675`	`692`	`.withOpaqueId(threadContext)`
`676`	`693`	`.withXForwardedFor(threadContext)`
`677`	`694`	`.build();`
`678`		`- logger.info(logEntry);`
	`695`	`+ logger.info(AUDIT_MARKER, logEntry);`
`679`	`696`	`}`
`680`	`697`	`}`
`681`	`698`
Original file line number	Diff line number	Diff line change
`@@ -198,7 +198,7 @@ public void init() throws Exception {`
`198`	`198`	`threadContext.putHeader(AuditTrail.X_FORWARDED_FOR_HEADER,`
`199`	`199`	`randomFrom("2001:db8:85a3:8d3:1319:8a2e:370:7348", "203.0.113.195", "203.0.113.195, 70.41.3.18, 150.172.238.178"));`
`200`	`200`	`}`
`201`		`- logger = CapturingLogger.newCapturingLogger(Level.INFO, patternLayout);`
	`201`	`+ logger = CapturingLogger.newCapturingLogger(randomFrom(Level.OFF, Level.FATAL, Level.ERROR, Level.WARN, Level.INFO), patternLayout);`
`202`	`202`	`auditTrail = new LoggingAuditTrail(settings, clusterService, logger, threadContext);`
`203`	`203`	`}`
`204`	`204`