Cannot find document deletion query registration in readonlyrest audit index

Hi everyone, we were trying to find out where the plugin logs document deletions from indices. Could you help me with this?

If you need more information, please let me know.

We executed the query from Dev Tools:

POST INDEX/_delete_by_query
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "some string to search"
          }
        }
      ]
    }
  }
}

But we couldn’t find anything within the indices readonlyrest_audit-*.

Configuration

ReadonlyRest Plugin version: Enterprise 1.61.1_es7.17.26

ReadonlyRest Plugin file /etc/elasticsearch/readonlyrest.yaml:

readonlyrest:
  audit_collector: true
  audit_index_template: "'readonlyrest_audit'-yyyy-MM"
  prompt_for_basic_auth: false 
  ...

Edit: I removed access_control_rules: from the example file. It seemed to me that it doesn’t help with troubleshooting this issue.

Hi @nicoformoso

I assume the request is allowed by the “User” block. It won’t be audited because the verbosity level for this block is error. For this block, ALLOWED requests won’t be audited. Remove the verbosity rule, and you will find the proper entry in the .readonlyrest_audit… index. This is how the DefaultAuditLogSerializer works.

1 Like
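To make the reply above concrete, here is an added readonlyrest.yaml fragment (not the poster's real file, whose access_control_rules section was cut from the question) showing the block as the reply describes it next to the corrected form. The block name "User" comes from the reply; the auth_key and indices rules inside it are placeholders, since the actual rules were never posted.

```yaml
readonlyrest:
  audit_collector: true
  audit_index_template: "'readonlyrest_audit'-yyyy-MM"
  prompt_for_basic_auth: false

  access_control_rules:

    # BEFORE (as the reply describes it): with "verbosity: error" the
    # DefaultAuditLogSerializer writes an audit entry for this block only when
    # the request ends in an error or is forbidden. An ALLOWED _delete_by_query
    # matched by this block therefore leaves no document in readonlyrest_audit-*.
    #
    # - name: "User"
    #   verbosity: error
    #   auth_key: "user:password"     # placeholder rule, real block not posted
    #   indices: ["INDEX"]

    # AFTER: the verbosity rule is removed, so the block falls back to the
    # default level (info), which audits every request the block handles,
    # allowed or not, and the delete-by-query appears in the audit index.
    - name: "User"
      auth_key: "user:password"       # placeholder rule, real block not posted
      indices: ["INDEX"]
```

Once the rule is gone, the audit document for the request in the question is the one whose action field is the Elasticsearch delete-by-query action, indices:data/write/delete/byquery, with final_state ALLOWED and block naming the "User" block; searching readonlyrest_audit-* for that action is a quick check that the change took effect. The trade-off is volume: an info-level block records every allowed request it matches, so busy blocks will grow the audit index noticeably faster than before.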

Oh, I see I dropped useful lines in my edit, then.

Thanks, I’ll be testing this out.