When viewing the Audit Log page under Tools, I see a list of permitted / blocked queries. I read through the article written here, and it sounds like if I click "Audit" next to the domain, it is removed from the list and added to /etc/pihole/auditlog.list.
Tried this out with a few domains, for some reason it seems to be whitelisting them instead of adding them to the auditlog.list file. I clicked "Audit" on 5 different domains, pulled up /etc/pihole/auditlog.list, but it had no entries. After that I went to Group Management - Domains, and I see entries on that page for the domains I had clicked "Audit" on. It shows the domain, type as "Exact Whitelist", with a comment of "Added from audit log". I'd expect to see those there if I had clicked on Whitelist...but I clicked Audit, not Whitelist.
Am I missing something? Is this the expected behavior?
Expected Behaviour:
Domain is added to /etc/pihole/auditlog.list when selecting "Audit" on the Audit Log page.
Actual Behaviour:
Domain is added to whitelist, no entry is created in /etc/pihole/auditlog.list
/etc/pihole/auditlog.list is deprecated since pihole v5. Instead, the gravity.db is used.
Additionally, there is currently a bug with the audit log, which lead to the behavior you see. This will be fixed in the next release.