Recommended log level strategy for security monitoring in RabbitMQ 4.1.0


Rahul Manoj

Oct 20, 2025, 5:30:13 AM
to rabbitmq-users

Hi Team,

I’m configuring RabbitMQ 4.1.0 (Open Source) and reviewing logging from a security monitoring and audit perspective.

Below is the configuration I am planning on setting up:
log.file = /var/log/rabbitmq/rabbit.log
log.file.level = info
log.file.formatter = text
log.file.rotation.date = $D0
log.file.rotation.count = 10
log.file.rotation.compress = true

# Security-relevant categories
log.connection.level = warning
log.channel.level = warning
log.queue.level = warning
log.federation.level = warning
log.upgrade.level = warning
log.default.level = warning

I have a few specific questions:

1. From a security monitoring perspective, does this configuration ensure that authentication failures, unauthorized access attempts, and connection-level security events are fully captured?
2. Is there any advantage (or risk) in setting the global log.file.level to warning instead of info, while keeping the security-related categories (e.g. log.connection.level, etc.) at warning? In other words, would setting the global level to warning suppress any useful operational or security context that might appear at the info level?
3. Are there any best practices or official recommendations for balancing verbosity and visibility in RabbitMQ logs for SIEM or centralized monitoring use cases?

Any insights or references to official guidance would be appreciated.

Thanks & Regards,
Rahul
