Cannot find document deletion query registration in readonlyrest audit index

nicoformoso · May 21, 2025, 4:59pm

Hi everyone, we were trying to find out where does the plugin logs the document deletion from indices. Could you help me with this?

If you need more information, please let me know.

We executed the query de Dev tools:

POST INDEX/_delete_by_query
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "some string to search"
          }
        }
      ]
    }
  }
}

But we couldn’t find anything within the indices readonlyrest_audit-*

Configuration

ReadonlyRest Plugin version: Enterprise 1.61.1_es7.17.26

ReadonlyRest Plugin file /etc/elasticsearch/readonlyrest.yaml:

readonlyrest:
  audit_collector: true
  audit_index_template: "'readonlyrest_audit'-yyyy-MM"
  prompt_for_basic_auth: false 
  ...

Edit: I removed access_control_rules: from the example file. It seemed to me that doesn’t help for this troubleshooting of this issue.

coutoPL · May 21, 2025, 6:34pm

Hi @nicoformoso

I assume the request is allowed by the “User” block. It won’t be audited because the verbosity level for this block is error. For this block ALLOWED request won’t be audited. Remove the verbosity rule, and you will find the proper entry in the .readonlyrest_audit… index. This is how the DefaultAuditLogSerializer works.

nicoformoso · May 21, 2025, 7:39pm

Oh, I see I dropped useful lines in my edition, then.

Thanks, I’ll be testing this out.