Audit collector does not collect audit data

Hello,
Our setup consists of elasticsearch 2.4.4 running on a 1.8.0_121 JVM with readonlyrest version 1.16.15_es2.4.4.

The access protection works as expected, we can see the colored readonlyrest warnings and info messages in the elasticsearch log file.

And every day, a new audit log index with a name such as ‘readonlyrest_audit-2018-01-20’ is created.

But these indices remain empty.

readonlyrest:
    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

    audit_collector: true

    access_control_rules:

    - name: ":: common user::"
      indices: ["dc"]
      actions: ["indices:data/read/*"]

    - name: "::KIBANA USER::"
      type: allow
      kibana_access: rw
      indices: [".kibana", ".kibana*", "dc*"]

    - name: "Global Access"
      auth_key: "user:pass"
      verbosity: "error"

Is the audit collector feature available for these older versions of elasticsearch?
What is the typical reason if audit logs are not ingested into the corresponding indices?

Regards,
Thomas

Yeah this is a bug in 2.x unfortunately, which does not receive much attention because it’s super old.
Do you guys have any plan to migrate to a newer version?

Well, 2.4.0 was released August 2016

We were waiting for spring-data-elasticsearch to be released…

…which just happened yesterday :tada:

So which ROR and ES versions are the first ones supporting this feature?

@tkgesis all the 6.x and 5.x family - I recommend 5.5.0 onwards.