Audit log behavior when lost ES connection

I’ve got my ROR set for

audit_collector: true
audit_index_template: "'readonlyrest_audit'-yyyy"

Which works pretty decently (however, I noticed there’s no way to lower shards from 5 to 1). But if connectivity is lost to the ES cluster, upon its re-connection indexes are created with the default readonlyrest_audit-yyyy-mm-dd; the following day it reverts back to readonlyrest_audit-yyyy

Oh, interesting bug! Will add it to the backlog. Most likely it will be handled at the end of this week or the beginning of next week.

did you check the newest version of ROR?

unless there’s a new one since 4/22?

We released 1.17.6 very recently. It contains a rewrite of the majority of the code (including the audit log part)

I should have mentioned that.

I’ve got 1.17.6-pre1-20190422_es6.7.1

@sscarduzio could you confirm that the version mentioned above contains the old core? Or maybe there is already the new one?

This looks like the file name of a Kibana plugin package. We are interested in the Elasticsearch plugin.

I.e. from your elasticsearch folder:

elasticsearch-7.0.0 $ grep version= plugins/readonlyrest/*properties
version=1.17.6
java.version=1.8
elasticsearch.version=7.0.0

ahh, I had 1.7.5 but this morning upgraded both KBN and ES to 1.7.6 production - I can test it tonight.


@mdnuts do you experience the same issue with 1.7.6?

yep, still created the readonlyrest_audit-yyyy-mm-dd index then resumed with the intended readonlyrest_audit-yyyy index once the new day started.

This should be fixed in 1.18.2 released today.