| Property | Description |
|---|---|
| fileRotation | Groups the file rotation configuration parameters. |
| rotationEnabled | Specifies whether file rotation is enabled. Boolean, `true` or `false`. |
| maxFileSize | The maximum size of an audit file, in bytes, before rotation is triggered. |
| rotationFilePrefix | The prefix to add to the start of an audit file name when it is rotated. |
| rotationTimes | Specifies a list of times at which file rotation should be triggered. The times must be provided as durations, offset from midnight. For example, a list of `10 minutes`, `20 minutes`, `30 minutes` causes files to rotate at 10, 20 and 30 minutes after midnight. |
| rotationFileSuffix | The suffix appended to rotated audit file names. This suffix should take the form of a timestamp, in simple date format. The default suffix format, if none is specified, is `-yyyy.MM.dd-HH.mm.ss`. |
| rotationInterval | The interval at which to trigger a file rotation, expressed as a duration. For example, `5 seconds`, `5 minutes`, `5 hours`. A value of `0` or `disabled` disables time-based file rotation. Note that you can specify both a list of rotationTimes and a rotationInterval. The audit event handler checks all rotation and retention policies on a periodic basis and assesses whether each policy should be triggered at the current time for a particular audit file. The first policy to meet its criteria is triggered. |
| fileRetention | Groups the file retention configuration parameters. The retention policy specifies how long audit files remain on disk before they are automatically deleted. |
| maxNumberOfHistoryFiles | The maximum number of historical audit files that can be stored. If the total number of audit files exceeds this maximum, older files are deleted. A value of `-1` disables purging of old log files. |
| maxDiskSpaceToUse | The maximum disk space, in bytes, that can be used for audit files. If the total space occupied by the audit files exceeds this maximum, older files are deleted. A negative or zero value indicates that this policy is disabled, that is, that unlimited disk space can be used for historical audit files. |
| minFreeSpaceRequired | The minimum free disk space, in bytes, required on the system that houses the audit files. If the free space drops below this minimum, older files are deleted. A negative or zero value indicates that this policy is disabled, that is, that no minimum space requirement applies. |
| rotationRetentionCheckInterval | The interval at which the file rotation and retention policies are checked. The interval must be a duration, for example, `5 seconds`, `5 minutes`, or `5 hours`. |
| logDirectory | The directory in which the JSON audit files are written. |
| elasticsearchCompatible | Enables ElasticSearch JSON format compatibility. Boolean, `true` or `false`. Set this property to `true`, for example, if you are using Logstash to feed into ElasticSearch. When elasticsearchCompatible is `true`, the handler renames the `_id` field to `_eventId`, because `_id` is reserved by ElasticSearch. The rename is reversed after JSON serialization, so that other handlers see the original field name. For more information, see the ElasticSearch documentation. |
| buffering | Groups the event buffering configuration parameters. |
| maxSize | The maximum number of events that can be buffered (default and minimum: 100000). |
| writeInterval | The delay after which the file-writer thread is scheduled to run after encountering an empty event buffer (units of `ms` are recommended). Default: `100 ms`. |
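The three retention policies and their disabling sentinel values, as an added Python model that is not the audit handler's own code: it takes a constructed set of rotated files and reports which would be purged. The order in which the policies are applied, and the assumption that deleting a file frees exactly its size, are not stated on this page.

```python
from dataclasses import dataclass


@dataclass
class RetentionConfig:
    """Mirrors the fileRetention properties; sentinel values follow the table."""
    maxNumberOfHistoryFiles: int = -1  # -1 disables purging by file count
    maxDiskSpaceToUse: int = -1        # negative or zero disables this policy
    minFreeSpaceRequired: int = -1     # negative or zero disables this policy


@dataclass
class AuditFile:
    name: str
    size: int     # bytes
    mtime: float  # modification time; lower means older


def files_to_delete(history, config, free_space):
    """Return the names of rotated files that would be deleted, oldest first.
    history: rotated (historical) files only, not the active audit file.
    free_space: free bytes on the audit volume before any deletion.
    Assumption (not from the page): deleting a file frees exactly its size."""
    remaining = sorted(history, key=lambda f: f.mtime)
    deleted = []

    def drop_oldest():
        nonlocal free_space
        victim = remaining.pop(0)
        free_space += victim.size
        deleted.append(victim.name)

    # maxNumberOfHistoryFiles: -1 disables; otherwise keep at most that many.
    if config.maxNumberOfHistoryFiles >= 0:
        while len(remaining) > config.maxNumberOfHistoryFiles:
            drop_oldest()
    # maxDiskSpaceToUse: <= 0 disables; otherwise cap the total history size.
    if config.maxDiskSpaceToUse > 0:
        while remaining and sum(f.size for f in remaining) > config.maxDiskSpaceToUse:
            drop_oldest()
    # minFreeSpaceRequired: <= 0 disables; otherwise purge until enough is free.
    if config.minFreeSpaceRequired > 0:
        while remaining and free_space < config.minFreeSpaceRequired:
            drop_oldest()
    return deleted


# Constructed sample: three rotated files named with the default suffix format.
HISTORY = [
    AuditFile("access.audit.json-2024.01.01-00.00.00", 40_000, 1.0),
    AuditFile("access.audit.json-2024.01.02-00.00.00", 30_000, 2.0),
    AuditFile("access.audit.json-2024.01.03-00.00.00", 20_000, 3.0),
]
```

With the defaults every policy is disabled and nothing is purged; `files_to_delete(HISTORY, RetentionConfig(maxDiskSpaceToUse=50_000), 10_000)` returns only the oldest file name.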