I have enabled auditing in elasticsearch using readonlyrest plugin but i am unable to see any logs of the queries I make on es indices.
Can someone help here?
We sure can help, can you show how you configured the readonlyrest.yml?
name: “Block 1 - All indices are accessible”
name: “Block 2 - Allowing anything from localhost”
name: “Block 3 - Other hosts can only read certain indices”
This is my readonlyrest.yml
YAML is very sensitive to indentation. The way you pasted your YAML did not preserve the original indentation.
Because you did not use the code button (the one that looks like this: </>) while composing the message, the formatting has not been preserved. So now I have no elements to understand if you have YAML indentation issues.
For context, this is how it should look:
readonlyrest:
  audit_collector: true
  access_control_rules:
    - name: Kibana
      type: allow
      auth_key: kibana:kibana
      verbosity: error
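Since the whole problem in this thread is whether `audit_collector: true` really sits directly under `readonlyrest:` after the indentation got mangled, here is a small check you can run against your own readonlyrest.yml. It is an added example, not code from the thread or from the ReadonlyREST project, and it deliberately avoids PyYAML so it runs with a bare Python install; it only understands the flat `key: value` / `- name:` layout that readonlyrest.yml uses (inline lists like `["a", "b"]` are fine, block lists of bare scalars are not). The two sample configs are constructed, and the findings text is my own wording.

```python
"""Structural check for a readonlyrest.yml that is supposed to enable auditing.

Added example, not ReadonlyREST's own tooling. It avoids PyYAML so it runs anywhere
and understands only the flat "key: value" / "- name:" layout readonlyrest.yml uses,
which is enough to catch the indentation slips that silently disable auditing.
"""
import re

# One "key: value" line, optionally opening a list item with "- ".
LINE_RE = re.compile(
    r"^(?P<indent>[ \t]*)(?P<dash>-[ \t]+)?(?P<key>[A-Za-z_][\w.-]*):(?:[ \t]+(?P<value>.*))?$"
)


def parse_ror_yaml(text):
    """Return (settings, rules, problems).

    settings: dotted path -> scalar for keys outside access_control_rules
    rules:    one dict per "- name:" item under access_control_rules
    problems: structural findings (tabs, unparseable lines, stray list items)
    """
    settings, rules, problems = {}, [], []
    stack = []  # (indent, key) for every mapping key that is still open

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        leading = raw[: len(raw) - len(raw.lstrip())]
        if "\t" in leading:
            problems.append(f"line {lineno}: tab in indentation (YAML only allows spaces)")
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: cannot parse {line.strip()!r}")
            continue
        key, value = m.group("key"), m.group("value")
        # A list item's keys sit after the "- ", so that is the column that matters.
        key_indent = len(m.group("indent")) + len(m.group("dash") or "")
        # Close every mapping that is not an ancestor of this line.
        while stack and stack[-1][0] >= key_indent:
            stack.pop()
        if m.group("dash"):
            if not (stack and stack[-1][1] == "access_control_rules"):
                problems.append(f"line {lineno}: list item outside access_control_rules")
            rules.append({})  # every "- " under access_control_rules starts a new rule
        if value is None:
            stack.append((key_indent, key))  # this key opens a nested mapping
            continue
        value = value.strip().strip("\"'")
        path = [k for _, k in stack] + [key]
        if "access_control_rules" in path[:-1] and rules:
            rel = path[path.index("access_control_rules") + 1:]
            rules[-1][".".join(rel)] = value  # attribute of the current rule
        else:
            settings[".".join(path)] = value
    return settings, rules, problems


def audit_findings(text):
    """Explain why auditing would not be active for this config (empty list == looks fine)."""
    settings, rules, problems = parse_ror_yaml(text)
    if settings.get("readonlyrest.audit_collector") != "true":
        in_rules = [r.get("name", "?") for r in rules if "audit_collector" in r]
        elsewhere = [p for p in settings if p.endswith("audit_collector")]
        if in_rules:
            problems.append(
                f"audit_collector is indented into rule(s) {in_rules}; "
                "it belongs directly under 'readonlyrest:'"
            )
        elif elsewhere:
            problems.append(f"audit_collector found at {elsewhere} instead of readonlyrest.audit_collector")
        else:
            problems.append("readonlyrest.audit_collector: true is missing, so no audit events are recorded")
    for i, rule in enumerate(rules, 1):
        for required in ("name", "type"):
            if required not in rule:
                problems.append(f"rule {i} ({rule.get('name', 'unnamed')}) has no '{required}'")
    return problems


# Constructed sample: the shape posted above, properly indented.
GOOD_CONFIG = """\
readonlyrest:
  audit_collector: true
  access_control_rules:
    - name: Kibana
      type: allow
      auth_key: kibana:kibana
      verbosity: error
"""

# Constructed sample: audit_collector slipped two levels too deep and became a rule attribute.
BROKEN_CONFIG = """\
readonlyrest:
  access_control_rules:
    - name: "Block 1 - All indices are accessible"
      type: allow
      hosts: ["127.0.0.1"]
      audit_collector: true
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONFIG
    for finding in audit_findings(text) or ["no structural problems found"]:
        print(finding)
```

Run it as `python check_ror.py /path/to/readonlyrest.yml`; with no argument it checks the constructed broken sample and reports that `audit_collector` ended up inside "Block 1". It is only a structural sanity check: a config that passes can still be rejected by the plugin for reasons this script does not model, so the elasticsearch.log exceptions the maintainer asks about remain the authoritative source.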
Hi, during pasting the code the indentation got lost, though in the actual file it is properly indented, the way you said.
- Do you have any exceptions in elasticsearch.log?
- Did you have any pre-existing audit index in your cluster?
- You did not tell us what version of ROR and ES you are using!
Also, can you edit your post and write the configuration you have with the right indentation? Not that I don’t trust you, but:
a) to be readable and provide reference to the people that come here from google searches
b) maybe we can spot something you didn’t notice