Audit for single index

Hello,
I’d need to activate an access log for a single index (eni-index2audit), and thought ROR Audit would be ideal for this purpose.
Could it be done from the ROR configuration (ACLs, users)? Any suggestion on how to do it?
The index is currently in an ACL block with many others (eni-*), with read access for a rather large group of users.

Otherwise, I’d add to the ROR audit index(es) a pipeline that drops anything but the documents with “eni-index2audit” in “indices” (it works in testing, but removing the “verbosity” clause from the ACL definition clutters the Elasticsearch log files).

(ELK 7.17.9, ROR 1.64.2)
Thank you in advance,
Paolo Arosio

Expected behaviour

— Simple way to configure RoR —

Technical details

ROR version: "1.64.2"
ES version: "7.17.9"

Logs and config files

  • Logs and config files are irrelevant to the issue

{“customer_id”: “00f37b10-010a-434e-b314-f2548c94b5ba”, “subscription_id”: “d67f3833-f8e1-46b4-878f-2261b35cf9ab”}

Hi @parosio

The ROR Audit logs information about how Elasticsearch REST API requests are handled. However, not all Elasticsearch requests are directly tied to specific indices. That’s why ROR Audit operates primarily at the block level—meaning it audits requests based on which ACL block was matched, rather than specific indices.

So, whether this is possible depends on the structure of your current ACL configuration.

Would it help if you could define something like:

“If this block is matched, generate an audit log entry for the request”?
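As an added illustration of the block-level approach described in the reply (this is not the ROR team’s answer nor the original poster’s configuration), the readonlyrest.yml excerpt below gives eni-index2audit its own ACL block and parks the rest of eni-* in a second block with `verbosity: error`. The group name `eni_readers`, the user `paolo` and the credential are made up for the example; the `audit.enabled` form is assumed to be accepted by 1.64.2 (older configs use `audit_collector: true`).

```yaml
readonlyrest:
  # Assumption: audit switched on with the default index output
  # (daily readonlyrest_audit-* indices on the same cluster).
  audit:
    enabled: true

  access_control_rules:

    # The single index to audit gets its own block, listed first so that a
    # request naming only eni-index2audit is matched here. Allowed requests
    # from this block are written to the ES log (verbosity: info is the
    # default) and produce an audit document whose "indices" field holds
    # ["eni-index2audit"].
    - name: "eni-index2audit readers (audited)"
      verbosity: info
      groups: ["eni_readers"]          # assumed group name
      indices: ["eni-index2audit"]
      actions: ["indices:data/read/*"]

    # Everything else under eni-* for the same group. verbosity: error keeps
    # allowed requests out of the ES log file; the default audit serializer
    # also skips allowed requests from verbosity: error blocks, so this block
    # does not clutter the audit index either (verify on your version).
    - name: "eni-* readers (not audited)"
      verbosity: error
      groups: ["eni_readers"]
      indices: ["eni-*"]
      actions: ["indices:data/read/*"]

  users:
    - username: "paolo"                # assumed user
      auth_key: "paolo:change-me"      # assumed credential, replace it
      groups: ["eni_readers"]
```

Two caveats make this depend on how the existing ACL is shaped, which is the point the reply makes. ROR stops at the first block that matches, and the `indices` rule narrows a wildcard request to the indices the block allows, so a `GET eni-*/_search` from an `eni_readers` member would match the first block and be narrowed to eni-index2audit alone; if that group issues wildcard reads across eni-*, the audited block should instead be tied to a group that only ever needs the single index, or the ingest-pipeline filter on the audit index remains the safer option. Second, `verbosity: error` also silences the ES log lines for forbidden requests only as far as the ES log is concerned; denied requests are still audited regardless of the block’s verbosity.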