Our setup consists of Elasticsearch 2.4.4 running on a 1.8.0_121 JVM and with ReadonlyREST version 1.16.15_es2.4.4.
The access protection works as expected; we can see the colored ReadonlyREST warnings and info messages in the Elasticsearch log file.
And every day, a new audit log index with a name such as ‘readonlyrest_audit-2018-01-20’ is created.
But these indices remain empty.
```yaml
readonlyrest:
  response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin
  audit_collector: true
  access_control_rules:
  - name: ":: common user::"
    indices: ["dc"]
    actions: ["indices:data/read/*"]
  - name: "::KIBANA USER::"
    type: allow
    kibana_access: rw
    indices: [".kibana", ".kibana*", "dc*"]
  - name: "Global Access"
    auth_key: "user:pass"
    verbosity: "error"
```
Is the audit collector feature available for these older versions of Elasticsearch?
What is the typical reason if audit logs are not ingested into the corresponding indices?
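A quick way to confirm the symptom described above before digging into the plugin configuration is to list the audit indices with their document counts and flag the ones that are empty. The script below is an added example, not code from the original post or from the ReadonlyREST project; it parses the JSON form of the Elasticsearch `_cat/indices` API (`GET /_cat/indices/readonlyrest_audit-*?format=json`, whose `docs.count` field is returned as a string) and the sample rows embedded in it are constructed for illustration, not real output from the poster's cluster.

```python
import json
from typing import List

# Constructed sample of what GET /_cat/indices/readonlyrest_audit-*?format=json
# might return. The values are made up for this example; only the field names
# follow the _cat API (docs.count is a string in the JSON output).
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "readonlyrest_audit-2018-01-19",
     "pri": "5", "rep": "1", "docs.count": "0", "docs.deleted": "0",
     "store.size": "650b", "pri.store.size": "650b"},
    {"health": "yellow", "status": "open", "index": "readonlyrest_audit-2018-01-20",
     "pri": "5", "rep": "1", "docs.count": "0", "docs.deleted": "0",
     "store.size": "650b", "pri.store.size": "650b"},
    {"health": "yellow", "status": "open", "index": "readonlyrest_audit-2018-01-21",
     "pri": "5", "rep": "1", "docs.count": "42", "docs.deleted": "0",
     "store.size": "31kb", "pri.store.size": "31kb"},
    # A non-audit index that must be ignored by the check.
    {"health": "green", "status": "open", "index": "dc",
     "pri": "5", "rep": "1", "docs.count": "1234", "docs.deleted": "0",
     "store.size": "2.1mb", "pri.store.size": "2.1mb"},
])

# Prefix used by the daily audit indices named in the post (e.g. readonlyrest_audit-2018-01-20).
AUDIT_PREFIX = "readonlyrest_audit-"


def audit_index_counts(cat_json: str, prefix: str = AUDIT_PREFIX) -> dict:
    """Map each audit index name to its document count (as an int)."""
    counts = {}
    for row in json.loads(cat_json):
        name = row.get("index", "")
        if not name.startswith(prefix):
            continue
        # _cat returns counts as strings; a missing or null value is treated as 0.
        counts[name] = int(row.get("docs.count") or 0)
    return counts


def empty_audit_indices(cat_json: str, prefix: str = AUDIT_PREFIX) -> List[str]:
    """Return the sorted names of audit indices that contain no documents."""
    counts = audit_index_counts(cat_json, prefix)
    return sorted(name for name, count in counts.items() if count == 0)


if __name__ == "__main__":
    # In practice, replace SAMPLE_CAT_INDICES with the body of:
    #   curl -s 'http://localhost:9200/_cat/indices/readonlyrest_audit-*?format=json'
    for name, count in sorted(audit_index_counts(SAMPLE_CAT_INDICES).items()):
        print(f"{name}: {count} documents")
    empty = empty_audit_indices(SAMPLE_CAT_INDICES)
    if empty:
        print("Audit indices with no documents:", ", ".join(empty))
```

Running this against the real `_cat` output shows at a glance whether only the most recent index is still empty (which could simply mean no events have been audited yet today) or whether every audit index is empty, which points at the collector not writing at all.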