Set Readonlyrest_audit index


(Marcus Caepio) #1

Hi @sscarduzio
For Rollover of the readonlyrest_audits we want to use an alias instead of the default readonlyrest_audit-YYYY-MM-DD.
Where do we set the index name?

Regards,
Marcus


(Simone Scarduzio) #2

Actually this can be a default strategy for ROR! What do others think?


(Hagen Montag) #3

a configurable index name (leading dot) was perfect for me


(Simone Scarduzio) #4

Yes but now we have automatic suffix of the index name with year-month-day. Would you throw away that feature?

The other option I was envisioning is to make ROR clean up after itself by deleting old audit logs with a default of 2 weeks or so.


(Marcus Caepio) #5

Not throw away, but make it default. And in the ROR settings, the option audit_log_index: xyz is given. I would not delete audit logs automatically as long as one can decide how long he will keep it. Could be a case that one will keep the logs for longer than 2 weeks.

What I wanted to do, is written here:


(Ela) #6

Yes, having the ability to configure the prefix of the audit index name would be helpful.
But if the audit_log_index=xyz, then the indices should still have YYYY-MM-DD suffix, and then we could have the xyz alias that points to all xyz-* indices (for searching purposes).
Re: cleanup - this should not be a default behaviour (as @MarcusCaepio said, one may want to / need to keep audit logs for longer)


(Marcus Caepio) #7

@elaPa exactly what I thought


(Simone Scarduzio) #8

Hello everyone, I just committed a change that permits you to specify the index name template, and with it the time-granularity of the audit logs, i.e. one daily, hourly, yearly or monthly index.

Example:

readonlyrest:
  audit_collector: true
  audit_index_template: "'custom-prefix'-yyyy-MM"  # <--monthly pattern

This will be available in ROR Free for Elasticsearch 1.16.20


(Askids) #9

@sscarduzio does this also support providing the number of shards to be used per index? Since using different intervals may lead to different size of collected log, having the option to provide the number of shards can be useful.


(Simone Scarduzio) #10

@askids No, but you can achieve that with index templates, right?
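
An added example, not part of the original posts and not ROR's own code: an Elasticsearch index template that covers both the shard count asked about in #9 and the search alias over all prefixed audit indices described in #6. It assumes the `custom-prefix` prefix from the `audit_index_template` example in #8 and Elasticsearch 6.x legacy template syntax; the template name `ror-audit` and the shard and replica counts are placeholders.

```console
# Added example. Assumptions: the template name "ror-audit" and the
# shard/replica counts are placeholders; the index pattern matches the
# 'custom-prefix' prefix used in the audit_index_template example.
PUT _template/ror-audit
{
  "index_patterns": ["custom-prefix-*"],
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 1
  },
  "aliases": {
    "custom-prefix": {}
  }
}
```

The template applies only to indices created after it is installed, so existing audit indices keep their settings and are not added to the alias. Because the alias spans every matching index, it serves searching rather than writing.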


(Askids) #11

Yes. It should be. But now that we support all ROR config in separate file, I was wondering if we want to really split this configuration as it's still related to ROR indexes? From my perspective, it makes sense to keep all ROR config together.