
Add cluster UUID and name to audit logs (#79401)

* Add cluster UUID and name to audit logs

There are two new config settings to enable audit logs
to include cluster uuid, name, or both. By default, cluster uuid
is enabled and cluster name is disabled.
- xpack.security.audit.logfile.emit_cluster_uuid: Default=true
- xpack.security.audit.logfile.emit_cluster_name: Default=false

Cluster state is initialized asynchronously during startup. Some audit
logs may be emitted before cluster name and UUID are available.
- Ephemeral node init: No UUID until updated by master node.
- Persistent node init: Random UUID before updated by master node.
- Persistent node restart: Cluster UUID read from cache.

The name is fixed in config. The UUID normally does not change; one exception
is ECE disaster recovery, which generates a new cluster UUID for the same
ECE deployment ID.

Closes #72408
Justin Cranford 4 년 전
부모
커밋
68f7552d5e

+ 2 - 0
x-pack/plugin/core/src/main/config/log4j2.properties

@@ -5,6 +5,8 @@ appender.audit_rolling.layout.type = PatternLayout
 appender.audit_rolling.layout.pattern = {\
                 "type":"audit", \
                 "timestamp":"%d{yyyy-MM-dd'T'HH:mm:ss,SSSZ}"\
+                %varsNotEmpty{, "cluster.name":"%enc{%map{cluster.name}}{JSON}"}\
+                %varsNotEmpty{, "cluster.uuid":"%enc{%map{cluster.uuid}}{JSON}"}\
                 %varsNotEmpty{, "node.name":"%enc{%map{node.name}}{JSON}"}\
                 %varsNotEmpty{, "node.id":"%enc{%map{node.id}}{JSON}"}\
                 %varsNotEmpty{, "host.name":"%enc{%map{host.name}}{JSON}"}\

+ 47 - 10
x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/audit/logfile/AuditTrailSettingsUpdateTests.java

@@ -26,7 +26,10 @@ import java.util.List;
 import static org.elasticsearch.test.ESIntegTestCase.Scope.TEST;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.emptyOrNullString;
 import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+import static org.hamcrest.Matchers.nullValue;
 import static org.hamcrest.Matchers.startsWith;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -130,26 +133,60 @@ public class AuditTrailSettingsUpdateTests extends SecurityIntegTestCase {
         updateSettings(settingsBuilder.build());
         assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.NODE_NAME_FIELD_NAME), startsWith("node_"));
         assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.NODE_ID_FIELD_NAME), is(true));
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME), is(false));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME), is(nullValue()));
         assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.HOST_NAME_FIELD_NAME), is("127.0.0.1"));
         settingsBuilder.put(LoggingAuditTrail.EMIT_HOST_NAME_SETTING.getKey(), false);
         updateSettings(settingsBuilder.build());
         assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.NODE_NAME_FIELD_NAME), startsWith("node_"));
         assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.NODE_ID_FIELD_NAME), is(true));
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME), is(false));
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.HOST_NAME_FIELD_NAME), is(false));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME), is(nullValue()));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.HOST_NAME_FIELD_NAME), is(nullValue()));
         settingsBuilder.put(LoggingAuditTrail.EMIT_NODE_NAME_SETTING.getKey(), false);
         updateSettings(settingsBuilder.build());
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.NODE_NAME_FIELD_NAME), is(false));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.NODE_NAME_FIELD_NAME), is(nullValue()));
         assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.NODE_ID_FIELD_NAME), is(true));
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME), is(false));
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.HOST_NAME_FIELD_NAME), is(false));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME), is(nullValue()));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.HOST_NAME_FIELD_NAME), is(nullValue()));
         settingsBuilder.put(LoggingAuditTrail.EMIT_NODE_ID_SETTING.getKey(), false);
         updateSettings(settingsBuilder.build());
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.NODE_NAME_FIELD_NAME), is(false));
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.NODE_ID_FIELD_NAME), is(false));
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME), is(false));
-        assertThat(loggingAuditTrail.entryCommonFields.commonFields.containsKey(LoggingAuditTrail.HOST_NAME_FIELD_NAME), is(false));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.NODE_NAME_FIELD_NAME), is(nullValue()));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.NODE_ID_FIELD_NAME), is(nullValue()));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.HOST_ADDRESS_FIELD_NAME), is(nullValue()));
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.HOST_NAME_FIELD_NAME), is(nullValue()));
+    }
+
+    public void testDynamicClusterSettings() {
+        final LoggingAuditTrail loggingAuditTrail = (LoggingAuditTrail) internalCluster().getInstances(AuditTrailService.class)
+            .iterator()
+            .next()
+            .getAuditTrails()
+            .iterator()
+            .next();
+
+        final Settings.Builder settingsBuilder = Settings.builder();
+        settingsBuilder.put(LoggingAuditTrail.EMIT_CLUSTER_NAME_SETTING.getKey(), true);
+        settingsBuilder.put(LoggingAuditTrail.EMIT_CLUSTER_UUID_SETTING.getKey(), true);
+        updateSettings(settingsBuilder.build());
+        final String clusterName = loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.CLUSTER_NAME_FIELD_NAME);
+        final String clusterUuid = loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.CLUSTER_UUID_FIELD_NAME);
+        assertThat(clusterName, not(emptyOrNullString()));
+        assertThat(clusterUuid, not(emptyOrNullString()));
+
+        settingsBuilder.put(LoggingAuditTrail.EMIT_CLUSTER_NAME_SETTING.getKey(), false);
+        updateSettings(settingsBuilder.build());
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.CLUSTER_NAME_FIELD_NAME), is(nullValue()));
+
+        settingsBuilder.put(LoggingAuditTrail.EMIT_CLUSTER_NAME_SETTING.getKey(), true);
+        updateSettings(settingsBuilder.build());
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.CLUSTER_NAME_FIELD_NAME), is(clusterName));
+
+        settingsBuilder.put(LoggingAuditTrail.EMIT_CLUSTER_UUID_SETTING.getKey(), false);
+        updateSettings(settingsBuilder.build());
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.CLUSTER_UUID_FIELD_NAME), is(nullValue()));
+
+        settingsBuilder.put(LoggingAuditTrail.EMIT_CLUSTER_UUID_SETTING.getKey(), true);
+        updateSettings(settingsBuilder.build());
+        assertThat(loggingAuditTrail.entryCommonFields.commonFields.get(LoggingAuditTrail.CLUSTER_UUID_FIELD_NAME), is(clusterUuid));
     }
 
     public void testDynamicRequestBodySettings() {
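Review bot: The rewritten assertions `get(KEY), is(nullValue())` pass both when the key is absent and when it is present with a null value, so they no longer pin down which of the two the audit trail produces for a disabled field. Elsewhere in this commit `EntryCommonFields` starts inserting null placeholders for disabled fields, so the shape of the map has changed and this test cannot detect it. If the placeholders are intended, assert them explicitly next to the null check, e.g. `assertThat(commonFields.containsKey(LoggingAuditTrail.HOST_NAME_FIELD_NAME), is(true));`; if they are not, keep the `containsKey(...), is(false)` form. The first test method starts above the hunk.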

+ 54 - 4
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrail.java

@@ -19,10 +19,12 @@ import org.apache.logging.log4j.message.StringMapMessage;
 import org.elasticsearch.ElasticsearchSecurityException;
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.cluster.ClusterChangedEvent;
+import org.elasticsearch.cluster.ClusterState;
 import org.elasticsearch.cluster.ClusterStateListener;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.component.Lifecycle;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkAddress;
 import org.elasticsearch.common.settings.Setting;
@@ -133,6 +135,8 @@ import static org.elasticsearch.xpack.security.audit.AuditUtil.restRequestConten
 
 public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
 
+    private static final Logger LOGGER = LogManager.getLogger(LoggingAuditTrail.class);
+
     public static final String REST_ORIGIN_FIELD_VALUE = "rest";
     public static final String LOCAL_ORIGIN_FIELD_VALUE = "local_node";
     public static final String TRANSPORT_ORIGIN_FIELD_VALUE = "transport";
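Review bot: `LOGGER` is created with `LogManager.getLogger(LoggingAuditTrail.class)`, so its name is the class name. If the audit appender in log4j2.properties is attached to a logger of that same name (not visible in this diff), the `Cluster state not available` trace message added further down would be routed into the audit file rather than the server log. An audit trail should contain only audit events, so it is worth confirming the routing and, if the names collide, giving the diagnostic logger a distinct name. At minimum add a comment on the field such as `// diagnostics only; must not share a name with the audit event logger`.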
@@ -148,6 +152,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
     public static final String NODE_ID_FIELD_NAME = "node.id";
     public static final String HOST_ADDRESS_FIELD_NAME = "host.ip";
     public static final String HOST_NAME_FIELD_NAME = "host.name";
+    public static final String CLUSTER_NAME_FIELD_NAME = "cluster.name";
+    public static final String CLUSTER_UUID_FIELD_NAME = "cluster.uuid";
     public static final String EVENT_TYPE_FIELD_NAME = "event.type";
     public static final String EVENT_ACTION_FIELD_NAME = "event.action";
     public static final String PRINCIPAL_FIELD_NAME = "user.name";
@@ -210,6 +216,18 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
         Property.NodeScope,
         Property.Dynamic
     );
+    public static final Setting<Boolean> EMIT_CLUSTER_NAME_SETTING = Setting.boolSetting(
+        setting("audit.logfile.emit_cluster_name"),
+        false,
+        Property.NodeScope,
+        Property.Dynamic
+    );
+    public static final Setting<Boolean> EMIT_CLUSTER_UUID_SETTING = Setting.boolSetting(
+        setting("audit.logfile.emit_cluster_uuid"),
+        true,
+        Property.NodeScope,
+        Property.Dynamic
+    );
     private static final List<String> DEFAULT_EVENT_INCLUDES = Arrays.asList(
         ACCESS_DENIED.toString(),
         ACCESS_GRANTED.toString(),
@@ -351,7 +369,7 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
         this.events = parse(INCLUDE_EVENT_SETTINGS.get(settings), EXCLUDE_EVENT_SETTINGS.get(settings));
         this.includeRequestBody = INCLUDE_REQUEST_BODY.get(settings);
         this.threadContext = threadContext;
-        this.entryCommonFields = new EntryCommonFields(settings, null);
+        this.entryCommonFields = new EntryCommonFields(settings, null, clusterService);
         this.eventFilterPolicyRegistry = new EventFilterPolicyRegistry(settings);
         clusterService.addListener(this);
         clusterService.getClusterSettings().addSettingsUpdateConsumer(newSettings -> {
@@ -367,6 +385,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
                 EMIT_HOST_NAME_SETTING,
                 EMIT_NODE_NAME_SETTING,
                 EMIT_NODE_ID_SETTING,
+                EMIT_CLUSTER_NAME_SETTING,
+                EMIT_CLUSTER_UUID_SETTING,
                 INCLUDE_EVENT_SETTINGS,
                 EXCLUDE_EVENT_SETTINGS,
                 INCLUDE_REQUEST_BODY
@@ -1567,6 +1587,8 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
         settings.add(EMIT_HOST_NAME_SETTING);
         settings.add(EMIT_NODE_NAME_SETTING);
         settings.add(EMIT_NODE_ID_SETTING);
+        settings.add(EMIT_CLUSTER_NAME_SETTING);
+        settings.add(EMIT_CLUSTER_UUID_SETTING);
         settings.add(INCLUDE_EVENT_SETTINGS);
         settings.add(EXCLUDE_EVENT_SETTINGS);
         settings.add(INCLUDE_REQUEST_BODY);
@@ -1864,11 +1886,13 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
     static class EntryCommonFields {
         private final Settings settings;
         private final DiscoveryNode localNode;
+        private final ClusterService clusterService;
         final Map<String, String> commonFields;
 
-        EntryCommonFields(Settings settings, @Nullable DiscoveryNode newLocalNode) {
+        EntryCommonFields(Settings settings, @Nullable DiscoveryNode newLocalNode, ClusterService clusterService) {
             this.settings = settings;
             this.localNode = newLocalNode;
+            this.clusterService = clusterService;
             final Map<String, String> commonFields = new HashMap<>();
             if (EMIT_NODE_NAME_SETTING.get(settings)) {
                 final String nodeName = Node.NODE_NAME_SETTING.get(settings);
@@ -1891,16 +1915,42 @@ public class LoggingAuditTrail implements AuditTrail, ClusterStateListener {
             }
             // the default origin is local
             commonFields.put(ORIGIN_TYPE_FIELD_NAME, LOCAL_ORIGIN_FIELD_VALUE);
+            if (Lifecycle.State.STARTED.equals(clusterService.lifecycleState())) {
+                final ClusterState clusterState = this.clusterService.state();
+                if (clusterState == null) {
+                    LOGGER.trace("Cluster state not available");
+                } else {
+                    if (EMIT_CLUSTER_NAME_SETTING.get(settings)) {
+                        final String clusterName = clusterState.getClusterName().value();
+                        if (Strings.hasLength(clusterName)) {
+                            commonFields.put(CLUSTER_NAME_FIELD_NAME, clusterName);
+                        }
+                    }
+                    if (EMIT_CLUSTER_UUID_SETTING.get(settings)) {
+                        final String clusterUuId = clusterState.metadata().clusterUUID();
+                        if (Strings.hasLength(clusterUuId)) {
+                            commonFields.put(CLUSTER_UUID_FIELD_NAME, clusterUuId);
+                        }
+                    }
+                }
+            }
+            // Null value triggers LoggingAuditTrailTests.assertMsg to verify a key is absent in an audit log message.
+            commonFields.putIfAbsent(NODE_NAME_FIELD_NAME, null);
+            commonFields.putIfAbsent(NODE_ID_FIELD_NAME, null);
+            commonFields.putIfAbsent(HOST_ADDRESS_FIELD_NAME, null);
+            commonFields.putIfAbsent(HOST_NAME_FIELD_NAME, null);
+            commonFields.putIfAbsent(CLUSTER_NAME_FIELD_NAME, null);
+            commonFields.putIfAbsent(CLUSTER_UUID_FIELD_NAME, null);
             this.commonFields = Collections.unmodifiableMap(commonFields);
         }
 
         EntryCommonFields withNewSettings(Settings newSettings) {
             final Settings mergedSettings = Settings.builder().put(this.settings).put(newSettings, false).build();
-            return new EntryCommonFields(mergedSettings, this.localNode);
+            return new EntryCommonFields(mergedSettings, this.localNode, this.clusterService);
         }
 
         EntryCommonFields withNewLocalNode(DiscoveryNode newLocalNode) {
-            return new EntryCommonFields(this.settings, newLocalNode);
+            return new EntryCommonFields(this.settings, newLocalNode, this.clusterService);
         }
     }
 }
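Review bot: The cluster name and UUID are read once, inside the `EntryCommonFields` constructor, and only when `lifecycleState()` is `STARTED`, so from the visible code they are refreshed only through `withNewSettings` or `withNewLocalNode`. The commit message notes that a persistent node carries a random UUID until the master updates it; nothing here checks for that, so such a placeholder can be written into audit entries and stay there until the next rebuild, which makes correlating audit events by cluster unreliable. Consider emitting the UUID only once it is committed, `if (EMIT_CLUSTER_UUID_SETTING.get(settings) && clusterState.metadata().clusterUUIDCommitted()) {`, and rebuilding the common fields when the UUID in a `ClusterChangedEvent` differs from the cached one (the `clusterChanged` handler is outside this hunk). The constructor begins above the hunk.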

+ 2 - 0
x-pack/plugin/security/src/test/java/org/elasticsearch/test/SecuritySettingsSource.java

@@ -163,6 +163,8 @@ public class SecuritySettingsSource extends NodeConfigurationSource {
             .put(LoggingAuditTrail.EMIT_HOST_NAME_SETTING.getKey(), randomBoolean())
             .put(LoggingAuditTrail.EMIT_NODE_NAME_SETTING.getKey(), randomBoolean())
             .put(LoggingAuditTrail.EMIT_NODE_ID_SETTING.getKey(), randomBoolean())
+            .put(LoggingAuditTrail.EMIT_CLUSTER_NAME_SETTING.getKey(), randomBoolean())
+            .put(LoggingAuditTrail.EMIT_CLUSTER_UUID_SETTING.getKey(), randomBoolean())
             .put("xpack.security.authc.realms." + FileRealmSettings.TYPE + ".file.order", 0)
             .put("xpack.security.authc.realms." + NativeRealmSettings.TYPE + ".index.order", "1")
             .put("xpack.license.self_generated.type", "trial");

+ 15 - 0
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailFilterTests.java

@@ -10,9 +10,14 @@ import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.client.Client;
+import org.elasticsearch.cluster.ClusterName;
+import org.elasticsearch.cluster.ClusterState;
+import org.elasticsearch.cluster.metadata.Metadata;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.UUIDs;
+import org.elasticsearch.common.component.Lifecycle;
 import org.elasticsearch.common.settings.ClusterSettings;
 import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
@@ -79,13 +84,23 @@ public class LoggingAuditTrailFilterTests extends ESTestCase {
             .put(LoggingAuditTrail.EMIT_HOST_ADDRESS_SETTING.getKey(), randomBoolean())
             .put(LoggingAuditTrail.EMIT_HOST_NAME_SETTING.getKey(), randomBoolean())
             .put(LoggingAuditTrail.EMIT_NODE_NAME_SETTING.getKey(), randomBoolean())
+            .put(LoggingAuditTrail.EMIT_NODE_ID_SETTING.getKey(), randomBoolean())
+            .put(LoggingAuditTrail.EMIT_CLUSTER_NAME_SETTING.getKey(), randomBoolean())
+            .put(LoggingAuditTrail.EMIT_CLUSTER_UUID_SETTING.getKey(), randomBoolean())
+            .put(ClusterName.CLUSTER_NAME_SETTING.getKey(), randomAlphaOfLength(16))
             .put(LoggingAuditTrail.INCLUDE_REQUEST_BODY.getKey(), randomBoolean())
             .put(LoggingAuditTrail.INCLUDE_EVENT_SETTINGS.getKey(), "_all")
             .build();
         localNode = mock(DiscoveryNode.class);
         when(localNode.getHostAddress()).thenReturn(buildNewFakeTransportAddress().toString());
+        final ClusterState clusterState = ClusterState.builder(ClusterName.CLUSTER_NAME_SETTING.get(settings))
+            .metadata(Metadata.builder().clusterUUID(UUIDs.randomBase64UUID()).build())
+            .build();
         clusterService = mock(ClusterService.class);
         when(clusterService.localNode()).thenReturn(localNode);
+        when(clusterService.getClusterName()).thenReturn(ClusterName.CLUSTER_NAME_SETTING.get(settings));
+        when(clusterService.lifecycleState()).thenReturn(Lifecycle.State.STARTED);
+        when(clusterService.state()).thenReturn(clusterState);
         final ClusterSettings clusterSettings = mockClusterSettings();
         when(clusterService.getClusterSettings()).thenReturn(clusterSettings);
         Mockito.doAnswer((Answer) invocation -> {
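Review bot: The mocked `ClusterService` always returns `Lifecycle.State.STARTED` and a fully populated `ClusterState`, so the two new fallback paths in `EntryCommonFields` (service not yet started, `state()` returning null) are never run by these tests; the same setup is repeated in `LoggingAuditTrailTests.init()`. Those paths are exactly the startup window the commit message describes, so a case with `when(clusterService.lifecycleState()).thenReturn(Lifecycle.State.INITIALIZED);` asserting that neither `cluster.name` nor `cluster.uuid` is emitted would cover it. The enclosing setup method starts and ends outside the hunk.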

+ 70 - 46
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/audit/logfile/LoggingAuditTrailTests.java

@@ -15,12 +15,17 @@ import org.elasticsearch.action.bulk.BulkItemRequest;
 import org.elasticsearch.action.support.IndicesOptions;
 import org.elasticsearch.action.support.WriteRequest;
 import org.elasticsearch.client.Client;
+import org.elasticsearch.cluster.ClusterName;
+import org.elasticsearch.cluster.ClusterState;
+import org.elasticsearch.cluster.metadata.Metadata;
 import org.elasticsearch.cluster.node.DiscoveryNode;
 import org.elasticsearch.cluster.service.ClusterService;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.UUIDs;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.collect.MapBuilder;
+import org.elasticsearch.common.component.Lifecycle;
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.network.NetworkAddress;
@@ -253,6 +258,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         patternLayout = null;
     }
 
+    // Test settings assertion flow: init() => new LoggingAuditTrail.EntryCommonFields() => commonFields => test*() => assertMsg()
     @Before
     public void init() throws Exception {
         includeRequestBody = randomBoolean();
@@ -261,6 +267,9 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EMIT_HOST_NAME_SETTING.getKey(), randomBoolean())
             .put(LoggingAuditTrail.EMIT_NODE_NAME_SETTING.getKey(), randomBoolean())
             .put(LoggingAuditTrail.EMIT_NODE_ID_SETTING.getKey(), randomBoolean())
+            .put(LoggingAuditTrail.EMIT_CLUSTER_NAME_SETTING.getKey(), randomBoolean())
+            .put(LoggingAuditTrail.EMIT_CLUSTER_UUID_SETTING.getKey(), randomBoolean())
+            .put(ClusterName.CLUSTER_NAME_SETTING.getKey(), randomAlphaOfLength(16))
             .put(LoggingAuditTrail.INCLUDE_REQUEST_BODY.getKey(), includeRequestBody)
             .put(XPackSettings.RESERVED_REALM_ENABLED_SETTING.getKey(), reservedRealmEnabled)
             .put(AnonymousUser.USERNAME_SETTING.getKey(), customAnonymousUsername)
@@ -271,8 +280,14 @@ public class LoggingAuditTrailTests extends ESTestCase {
         when(localNode.getAddress()).thenReturn(buildNewFakeTransportAddress());
         Client client = mock(Client.class);
         SecurityIndexManager securityIndexManager = mock(SecurityIndexManager.class);
+        final ClusterState clusterState = ClusterState.builder(ClusterName.CLUSTER_NAME_SETTING.get(settings))
+            .metadata(Metadata.builder().clusterUUID(UUIDs.randomBase64UUID()).build())
+            .build();
         clusterService = mock(ClusterService.class);
         when(clusterService.localNode()).thenReturn(localNode);
+        when(clusterService.getClusterName()).thenReturn(ClusterName.CLUSTER_NAME_SETTING.get(settings));
+        when(clusterService.lifecycleState()).thenReturn(Lifecycle.State.STARTED);
+        when(clusterService.state()).thenReturn(clusterState);
         Mockito.doAnswer((Answer) invocation -> {
             final LoggingAuditTrail arg0 = (LoggingAuditTrail) invocation.getArguments()[0];
             arg0.updateLocalNodeInfo(localNode);
@@ -285,6 +300,8 @@ public class LoggingAuditTrailTests extends ESTestCase {
                 LoggingAuditTrail.EMIT_HOST_NAME_SETTING,
                 LoggingAuditTrail.EMIT_NODE_NAME_SETTING,
                 LoggingAuditTrail.EMIT_NODE_ID_SETTING,
+                LoggingAuditTrail.EMIT_CLUSTER_NAME_SETTING,
+                LoggingAuditTrail.EMIT_CLUSTER_UUID_SETTING,
                 LoggingAuditTrail.INCLUDE_EVENT_SETTINGS,
                 LoggingAuditTrail.EXCLUDE_EVENT_SETTINGS,
                 LoggingAuditTrail.INCLUDE_REQUEST_BODY,
@@ -297,7 +314,14 @@ public class LoggingAuditTrailTests extends ESTestCase {
             )
         );
         when(clusterService.getClusterSettings()).thenReturn(clusterSettings);
-        commonFields = new LoggingAuditTrail.EntryCommonFields(settings, localNode).commonFields;
+        // This constructor call is a filter. It uses emit settings to use (or ignore) common fields for all audit logs.
+        final LoggingAuditTrail.EntryCommonFields entryCommonFields = new LoggingAuditTrail.EntryCommonFields(
+            settings,
+            localNode,
+            clusterService
+        );
+        // This filtered map contains audit log assertions to be used by all tests during calls to assertMsg(). Null values assert absence.
+        commonFields = entryCommonFields.commonFields;
         threadContext = new ThreadContext(Settings.EMPTY);
         if (randomBoolean()) {
             threadContext.putHeader(Task.X_OPAQUE_ID, randomAlphaOfLengthBetween(1, 4));
@@ -559,7 +583,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "create_apikey")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedCreateKeyAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedCreateKeyAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -607,7 +631,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "create_apikey")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedGrantKeyAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedGrantKeyAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -640,7 +664,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "put_role")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedPutRoleAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedPutRoleAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -668,7 +692,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_role")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedDeleteRoleAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedDeleteRoleAuditEventString, checkedFields.map());
     }
 
     public void testSecurityConfigChangeEventFormattingForApiKeyInvalidation() throws IOException {
@@ -733,7 +757,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "invalidate_apikeys")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedInvalidateKeyAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedInvalidateKeyAuditEventString, checkedFields.map());
     }
 
     public void testSecurityConfigChangeEventFormattingForApplicationPrivileges() throws IOException {
@@ -802,7 +826,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "put_privileges")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedPutPrivilegesAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedPutPrivilegesAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
         DeletePrivilegesRequest deletePrivilegesRequest = new DeletePrivilegesRequest(
@@ -852,7 +876,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_privileges")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedDeletePrivilegesAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedDeletePrivilegesAuditEventString, checkedFields.map());
     }
 
     public void testSecurityConfigChangeEventFormattingForRoleMapping() throws IOException {
@@ -969,7 +993,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "put_role_mapping")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedPutRoleMappingAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedPutRoleMappingAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1000,7 +1024,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_role_mapping")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedDeleteRoleMappingAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedDeleteRoleMappingAuditEventString, checkedFields.map());
     }
 
     public void testSecurityConfigChangeEventFormattingForUsers() throws IOException {
@@ -1079,7 +1103,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "put_user")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedPutUserAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedPutUserAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1102,7 +1126,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "change_enable_user")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedEnableUserAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedEnableUserAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1125,7 +1149,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "change_disable_user")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedDisableUserAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedDisableUserAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1150,7 +1174,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "change_password")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedChangePasswordAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedChangePasswordAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1171,7 +1195,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_user")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedDeleteUserAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedDeleteUserAuditEventString, checkedFields.map());
     }
 
     public void testSecurityConfigChangeEventFormattingForServiceAccountToken() {
@@ -1219,7 +1243,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "create_service_token")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedCreateServiceAccountTokenAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedCreateServiceAccountTokenAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1259,7 +1283,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.EVENT_TYPE_FIELD_NAME, "security_config_change")
             .put(LoggingAuditTrail.EVENT_ACTION_FIELD_NAME, "delete_service_token")
             .put(LoggingAuditTrail.REQUEST_ID_FIELD_NAME, requestId);
-        assertMsg(generatedDeleteServiceAccountTokenAuditEventString, checkedFields.immutableMap());
+        assertMsg(generatedDeleteServiceAccountTokenAuditEventString, checkedFields.map());
         // clear log
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
     }
@@ -1279,7 +1303,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         restOrTransportOrigin(request, threadContext, checkedFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1314,7 +1338,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         }
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1346,7 +1370,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1373,7 +1397,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1420,7 +1444,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         }
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1462,7 +1486,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         }
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1499,7 +1523,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
     }
 
     public void testAuthenticationFailedRealmRest() throws Exception {
@@ -1543,7 +1567,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         }
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
     }
 
     public void testAccessGranted() throws Exception {
@@ -1568,7 +1592,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1588,7 +1612,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1692,7 +1716,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
         clearLog();
 
         String index = randomFrom(randomAlphaOfLengthBetween(1, 4), null);
@@ -1722,7 +1746,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         if (index != null) {
             checkedArrayFields.put(LoggingAuditTrail.INDICES_FIELD_NAME, new String[] { index });
         }
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
     }
 
     public void testAccessGrantedInternalSystemAction() throws Exception {
@@ -1755,7 +1779,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
     }
 
     public void testAccessGrantedInternalSystemActionNonSystemUser() throws Exception {
@@ -1779,7 +1803,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1799,7 +1823,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1836,7 +1860,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1856,7 +1880,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1895,7 +1919,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         }
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1922,7 +1946,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -1951,7 +1975,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -1970,7 +1994,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -2001,7 +2025,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.RULE_FIELD_NAME, "deny _all");
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -2039,7 +2063,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
             .put(LoggingAuditTrail.RULE_FIELD_NAME, "allow default:accept_all");
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
     }
 
     public void testRunAsGranted() throws Exception {
@@ -2070,7 +2094,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -2107,7 +2131,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         // test disabled
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
@@ -2158,7 +2182,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         authentication(authentication, checkedFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
 
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -2183,7 +2207,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         authentication(authentication, checkedFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap());
+        assertMsg(logger, checkedFields.map());
     }
 
     public void testAuthenticationSuccessTransport() throws Exception {
@@ -2211,7 +2235,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
 
         CapturingLogger.output(logger.getName(), Level.INFO).clear();
 
@@ -2230,7 +2254,7 @@ public class LoggingAuditTrailTests extends ESTestCase {
         indicesRequest(request, checkedFields, checkedArrayFields);
         opaqueId(threadContext, checkedFields);
         forwardedFor(threadContext, checkedFields);
-        assertMsg(logger, checkedFields.immutableMap(), checkedArrayFields.immutableMap());
+        assertMsg(logger, checkedFields.map(), checkedArrayFields.map());
     }
 
     public void testRequestsWithoutIndices() throws Exception {