Audit log behavior when ES connection is lost


(mdnuts) #1

I’ve got my ROR set for

audit_collector: true
audit_index_template: "'readonlyrest_audit'-yyyy"

Which works pretty decently (however I noticed there’s no way to lower shards from 5 to 1). But if connectivity is lost to the ES cluster, upon its re-connection indexes are created with the default readonlyrest_audit-yyyy-mm-dd; the following day it reverts back to readonlyrest_audit-yyyy.
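A quick way to spot the symptom described above on a running cluster is to compare the names of the existing audit indices against the configured audit_index_template. The script below is an added example, not code from the thread or from the ReadonlyREST project: it translates a template such as "'readonlyrest_audit'-yyyy" into a regex (assuming only y/M/d fields with fixed widths), reads the output of the real Elasticsearch endpoint `GET _cat/indices?h=index`, and reports any index that instead carries the default daily name. The sample index list is constructed for the demonstration.

```python
import re
import sys

# Constructed sample of `GET _cat/indices?h=index` output (not taken from the thread):
# one yearly index produced by the configured template, two daily ones of the kind
# that appear after an ES connection drop, plus unrelated indices that must be ignored.
SAMPLE_CAT_INDICES = """\
readonlyrest_audit-2019
readonlyrest_audit-2019-04-29
readonlyrest_audit-2019-04-30
.kibana_1
logs-2019.04.30
"""

# The daily pattern the plugin falls back to, as reported in the thread.
DEFAULT_TEMPLATE = "'readonlyrest_audit'-yyyy-MM-dd"

# Tokens of a Java-style date pattern: a single-quoted literal, a run of
# year/month/day letters, or any stretch of non-letter separator characters.
_TOKEN_RE = re.compile(r"'([^']*)'|(y+|M+|d+)|([^'A-Za-z]+)")


def template_to_regex(template):
    """Translate an audit_index_template string into an anchored regex.

    Assumption: only y/M/d fields appear and each letter run maps to a fixed-width
    number (yyyy -> 4 digits, MM/dd -> 2 digits). Any other pattern letter raises.
    """
    parts = []
    pos = 0
    for m in _TOKEN_RE.finditer(template):
        if m.start() != pos:
            raise ValueError("unsupported pattern letter at offset %d in %r" % (pos, template))
        pos = m.end()
        literal, field, separator = m.groups()
        if literal is not None:
            parts.append(re.escape(literal))
        elif field is not None:
            parts.append(r"\d{%d}" % len(field))
        else:
            parts.append(re.escape(separator))
    if pos != len(template):
        raise ValueError("unsupported pattern letter at offset %d in %r" % (pos, template))
    return re.compile("^" + "".join(parts) + "$")


def audit_index_report(cat_indices_output, template, prefix="readonlyrest_audit"):
    """Sort audit index names into those matching the configured template, those
    matching the default daily template, and any other index carrying the prefix."""
    expected = template_to_regex(template)
    daily = template_to_regex(DEFAULT_TEMPLATE)
    report = {"matching": [], "fallback": [], "other": []}
    for line in cat_indices_output.splitlines():
        name = line.strip()
        if not name.startswith(prefix):
            continue  # unrelated index (.kibana, application logs, ...)
        if expected.match(name):
            report["matching"].append(name)
        elif daily.match(name):
            report["fallback"].append(name)
        else:
            report["other"].append(name)
    return report


if __name__ == "__main__":
    # Pipe real output in, e.g.:
    #   curl -s 'http://localhost:9200/_cat/indices?h=index' | python3 audit_check.py
    # With no piped input the constructed sample above is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAT_INDICES
    result = audit_index_report(data, "'readonlyrest_audit'-yyyy")
    for bucket, names in result.items():
        for name in names:
            print("%-9s %s" % (bucket, name))
    # Non-zero exit when fallback-named indices exist, so a scheduled run can alert on it.
    sys.exit(1 if result["fallback"] else 0)
```

Run it periodically (or after any known ES outage) and alert on a non-zero exit: a daily-named index appearing while a yearly template is configured is exactly the behavior this thread reports, and catching it early keeps audit events from being split across two index naming schemes that searches and retention rules may not both cover.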


(Simone Scarduzio) #2

Oh, interesting bug! Will add it to the backlog. Most likely it will be handled at the end of this week or the beginning of next week.


(Mateusz Kołodziejczyk) #3

Did you check the newest version of ROR?


(mdnuts) #4

unless there’s a new one since 4/22?


(Simone Scarduzio) #5

We released 1.17.6 very recently. It contains a rewrite of the majority of the code (including the audit log part)


(mdnuts) #6

I should have mentioned that.

I’ve got 1.17.6-pre1-20190422_es6.7.1


(Mateusz Kołodziejczyk) #7

@sscarduzio could you confirm that the version mentioned above contains the old core? Or maybe there is already the new one?


(Simone Scarduzio) #8

This looks like the file name of a kibana plugin package. We are interested in the Elasticsearch plugin.

I.e. from your elasticsearch folder:

elasticsearch-7.0.0 $ grep version= plugins/readonlyrest/*properties
version=1.17.6
java.version=1.8
elasticsearch.version=7.0.0

(mdnuts) #9

Ahh, I had 1.7.5 but this morning upgraded both KBN and ES to 1.7.6 production - I can test it tonight.


(Mateusz Kołodziejczyk) #10

@mdnuts do you experience the same issue with 1.7.6?


(mdnuts) #11

Yep, it still created the readonlyrest_audit-yyyy-mm-dd index, then resumed with the intended readonlyrest_audit-yyyy index once the new day started.