Invalid action name [cluster:ror/audit_event/put]

Hi,

Any idea why I get an invalid action name [cluster:ror/audit_event/put]? There is no action name like this in the config, and I have tried to enable audit events, but nothing happened.

I am using the free version of readonlyrest 1.35.0_es7.10.2.

Thanks a lot and regards,

Olaf

Interesting, do you mind sharing the logs and your readonlyrest YAML?

Thanks a lot

[2022-08-10T08:36:07,568][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/config/refreshsettings] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]
[2022-08-10T08:36:07,624][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/user_metadata/get] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]
[2022-08-10T08:36:07,658][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/config/manage] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]
[2022-08-10T08:36:07,659][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/config/manage[n]] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]
[2022-08-10T08:36:07,708][WARN ][o.e.t.TransportService   ] [es-client-697dff555d-b64g9]invalid action name [cluster:ror/audit_event/put] must start with one of: [cluster:admin, indices:data/read, indices:monitor, indices:data/write, internal:, indices:internal, cluster:monitor, cluster:internal, indices:admin]

There are no more logs except this.

My readonlyrest config for the client nodes, for example, is here:

This is set:

audit:
  collector: true

Regards,

Olaf

ES warns that our internal action names don’t follow their naming criteria. I understand it can be misleading.

We have a Jira for it. We have to analyze the consequences of the actions’ name changes or figure out how to do it in a backward compatible way.

At the moment you can ignore it.

But if I enable the audit collector, no new index is created and there is no error, and when I connect with the jaeger user there is no entry at all. It looks like I am doing something wrong. Why is there no index created for the audit entries?

Regards,

Olaf

Maybe you don’t have permissions to see those indices? Try to force the name of the indices with

readonlyrest:
  audit:
    collector: true
    index_template: "'some-prefix-you-have-permissions-for'-yyyy-MM"