See query in readonlyrest audit index

Hi,
I have enabled auditing in Elasticsearch using the readonlyrest plugin, but I am unable to see any logs of the queries I make on ES indices.
Can someone help here?

Hi @tanyashah,
We sure can help. Can you show how you configured the readonlyrest.yml?

```yaml
readonlyrest:

audit_collector: true

access_control_rules:

  - name: Kibana
    type: allow
    auth_key: kibana:kibana

    - name: "Block 1 - All indices are accessible"
      type: allow
      indices: ["*"]

    - name: "Block 2 - Allowing anything from localhost"
      hosts: [127.0.0.1]

    - name: "Block 3 - Other hosts can only read certain indices"
      actions: ["indices:data/read/*"]
      indices: ["*"]
```

This is my readonlyrest.yml

Hi @tanyashah,

YAML is very sensitive to indentation. The way you pasted your YAML did not preserve the original indentation.

Because you did not use the code button (the one that looks like this: </>) while composing the message, the formatting has not been preserved. So now I have no way to tell whether you have YAML indentation issues.

For context, this is how it should look:

```yaml
readonlyrest:
    audit_collector: true
    access_control_rules:

    - name: Kibana
      type: allow
      auth_key: kibana:kibana
      verbosity: error
```

Hi, during pasting the code indentation got lost, though in the actual file it is properly indented, the way you said.

- Do you have any exceptions in elasticsearch.log?
- Did you have any pre-existing audit index in your cluster?
- You did not tell us what version of ROR and ES you are using!

Also, can you edit your post and write the configuration you have with the right indentation? Not that I don’t trust you, but:

a) to be readable and provide reference to the people that come here from google searches
b) maybe we can spot something you didn’t notice