| Groups the file rotation configuration parameters. |
| Specifies whether file rotation is enabled. Boolean, true or false. |
| The maximum size of an audit file, in bytes, before rotation is triggered. |
| The prefix to add to the start of an audit file name when it is rotated. |
| Specifies a list of times at which file rotation should be triggered. The times must be provided as durations, offset from midnight. For example, a list of 10 minutes, 20 minutes, 30 minutes will cause files to rotate at 10, 20 and 30 minutes after midnight. |
| The suffix appended to rotated audit file names. This suffix should take the form of a timestamp, in simple date format. The default suffix format, if none is specified, is |
| The interval to trigger a file rotation, expressed as a duration. For example, 5 hours. A value of disabled disables time-based file rotation. Note that you can specify a list of rotationTimes and a rotationInterval. The audit event handler checks all rotation and retention policies on a periodic basis, and assesses whether each policy should be triggered at the current time, for a particular audit file. The first policy to meet the criteria is triggered. |
| Groups the file retention configuration parameters. The retention policy specifies how long audit files remain on disk before they are automatically deleted. |
| The maximum number of historical audit files that can be stored. If the total number of audit files exceeds this maximum, older files are deleted. A value of -1 disables purging of old log files. |
| The maximum disk space, in bytes, that can be used for audit files. If the total space occupied by the audit files exceeds this maximum, older files are deleted. A negative or zero value indicates that this policy is disabled, that is, that unlimited disk space can be used for historical audit files. |
| The minimum free disk space, in bytes, required on the system that houses the audit files. If the free space drops below this minimum, older files are deleted. A negative or zero value indicates that this policy is disabled, that is, that no minimum space requirements apply. |
| Interval for periodically checking file rotation and retention policies. The interval must be a duration, for example, |
5 minutes, or
|Directory with JSON audit files|
| Enable ElasticSearch JSON format compatibility. Boolean, true or false. Set this property to true, for example, if you are using Logstash to feed into ElasticSearch. When true, the handler renames the _id field to
_id is reserved by ElasticSearch. The rename is reversed after JSON serialization, so that other handlers will see the original field name. For more information, see the ElasticSearch documentation.
|Configuration for event buffering|
|The maximum number of events that can be buffered (default/minimum: 100000)|
|The delay after which the file-writer thread is scheduled to run after encountering an empty event buffer (units of 'ms' are recommended). Default: 100 ms.|
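
The three retention limits described in the file retention rows of this table all delete the oldest audit files first, so it helps to model a proposed setting before deploying it and see how much audit history it would remove. The following is an added example, not code from the product: the function and parameter names are hypothetical, the file list is constructed, and it assumes the limits are evaluated together and that deleting a file frees exactly its size on the same volume.

```python
from typing import NamedTuple

class AuditFile(NamedTuple):
    name: str
    size: int    # bytes
    mtime: int   # last-modified time, seconds since epoch

def files_to_purge(files, max_history_files=-1, max_disk_space=0,
                   min_free_space=0, free_space=0):
    """Return the names of the audit files retention would delete, oldest first.

    Disable values follow the table: -1 for the file-count limit, zero or
    negative for both disk-space limits. Other negative counts are treated
    as disabled too (assumption; the table only documents -1).
    """
    remaining = sorted(files, key=lambda f: f.mtime)  # oldest first
    total = sum(f.size for f in remaining)
    purged = []
    while remaining:
        over_count = max_history_files >= 0 and len(remaining) > max_history_files
        over_space = max_disk_space > 0 and total > max_disk_space
        low_free = min_free_space > 0 and free_space < min_free_space
        if not (over_count or over_space or low_free):
            break
        oldest = remaining.pop(0)
        total -= oldest.size        # bytes still used by audit files
        free_space += oldest.size   # assumed to be reclaimed on the same volume
        purged.append(oldest.name)
    return purged

# Constructed sample: five rotated files of 100..500 bytes, oldest first.
SAMPLE = [AuditFile(f"audit-{i}.json", i * 100, i) for i in range(1, 6)]

if __name__ == "__main__":
    print("count limit 3:      ", files_to_purge(SAMPLE, max_history_files=3))
    print("disk limit 1000 B:  ", files_to_purge(SAMPLE, max_disk_space=1000))
    # Free space consumed by unrelated data can remove every audit file.
    print("free space pressure:", files_to_purge(SAMPLE, min_free_space=10**9))
```

In the last case the minimum-free-space limit can never be met, so the model deletes all five files. A volume shared with other data can therefore cost audit history even when audit volume itself is low.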