Is your feature request related to a problem?
Yes. When using daily audit log indices with the OpenSearch Security plugin, the index name and related rollover logic are fixed to UTC.
Currently, the code in AuditLogSink.java uses DateTime.now(DateTimeZone.UTC), making it impossible to change the timezone (e.g., to local timezones such as Asia/Seoul). This causes audit log indices to roll over based on UTC dates rather than the local date context.
What solution would you like?
Provide a configuration option to specify the timezone used for audit log index naming and related time calculations instead of always using UTC.
For example:
• Allow setting a timezone via audit configuration (e.g., plugins.security.audit.config.timezone)
• Update the implementation in AuditLogSink.java to respect this configured timezone when formatting index names and generating timestamps
This will allow users in local timezones to align audit log index dates with their local date boundaries instead of UTC.
What alternatives have you considered?
- Relying on custom index patterns only changes the format but does not alter the underlying UTC timestamp logic in the code.
- External scripts to rename indices after creation are possible workarounds but are manual and error-prone.
Do you have any additional context?
In the current code, the timezone is hardcoded in:
    protected String getExpandedIndexName(DateTimeFormatter indexPattern, String index) {
        if (indexPattern == null) {
            return index;
        }
        return indexPattern.print(DateTime.now(DateTimeZone.UTC));
    }
As this method always uses UTC, there is no way to configure it for other timezones (e.g., Asia/Seoul). A configuration option or improvement to respect non-UTC timezones would be beneficial.
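A sketch of the requested behaviour, added here as an example and not code from the issue author or the OpenSearch Security project: the same index-name expansion with the zone passed in, evaluated at one fixed instant that falls on different calendar days in UTC and Asia/Seoul. The class name, `resolveZone`, `expandIndexName` and the sample pattern are hypothetical, and the fallback to UTC for a missing or unrecognised zone ID is an assumption about how such an option might behave; Joda-Time must be on the classpath.

```java
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.format.DateTimeFormat;
import org.joda.time.format.DateTimeFormatter;

public class AuditIndexZoneExample {

    // Hypothetical helper: turn a configured zone ID into a DateTimeZone.
    // A missing or unrecognised ID falls back to UTC (today's hardcoded
    // behaviour) so a bad setting cannot stop audit events being indexed.
    static DateTimeZone resolveZone(String zoneId) {
        if (zoneId == null || zoneId.isEmpty()) {
            return DateTimeZone.UTC;
        }
        try {
            return DateTimeZone.forID(zoneId);
        } catch (IllegalArgumentException e) {
            return DateTimeZone.UTC;
        }
    }

    // Same shape as getExpandedIndexName, but the instant and the zone are
    // parameters so the day boundary can be exercised deterministically.
    static String expandIndexName(DateTimeFormatter indexPattern, String index,
                                  DateTime now, DateTimeZone zone) {
        if (indexPattern == null) {
            return index;
        }
        return indexPattern.print(now.withZone(zone));
    }

    public static void main(String[] args) {
        // Constructed sample pattern and instant: 16:30 UTC on 1 January is
        // 01:30 on 2 January in Asia/Seoul (UTC+9).
        DateTimeFormatter pattern = DateTimeFormat.forPattern("'auditlog-'YYYY.MM.dd");
        DateTime instant = new DateTime(2024, 1, 1, 16, 30, DateTimeZone.UTC);

        for (String zoneId : new String[] { null, "Asia/Seoul", "Not/AZone" }) {
            DateTimeZone zone = resolveZone(zoneId);
            System.out.println(zoneId + " -> " + zone.getID() + " -> "
                + expandIndexName(pattern, "auditlog", instant, zone));
        }
    }
}
```

Only the index name depends on the zone in this sketch; the instant itself is unchanged, so event timestamps can still be stored in UTC for correlation across clusters.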