I have a scenario where I need to record if an admin deletes an index or a record from an index. Is this possible? I enabled the opendistro audit and tested by deleting an index, but it didn’t show up in my esaudit index. I can, however, see data flowing into the esaudit index in relation to Transport SSL, meaning the audit functionality is working.
I set up audit with the following config:
Is there additional config that I can add to track what the users do once they have authenticated?
Additional info: I used a simple curl with the -u to delete the index.
Thanks for any help!
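Added example, not part of the post above and not Open Distro's own code. It shows what a detection over the esaudit index would look like once deletions are actually being written: it reads audit records as JSON lines and flags index and document deletions, whether they were granted or denied. Assumptions, stated here and in the code: the field names (`audit_category`, `audit_request_layer`, `audit_request_privilege`, `audit_request_effective_user`, `audit_trace_indices`, `audit_trace_doc_id`, `audit_rest_request_method`, `audit_rest_request_path`) follow the Open Distro security audit schema as I know it; the Elasticsearch action names `indices:admin/delete`, `indices:data/write/delete` and `indices:data/write/delete/byquery` are the privileges a delete exercises; and a successful, authorized deletion is recorded under the `GRANTED_PRIVILEGES` category, which Open Distro disables by default together with `AUTHENTICATED`. If that last assumption holds, a plain authenticated `curl -u ... -XDELETE` produces no esaudit document until `GRANTED_PRIVILEGES` is removed from the disabled transport categories in the audit config. The sample records are constructed for this example.

```python
"""Flag index and document deletions in Open Distro audit records.

Added example, not from the post or the Open Distro project. Field names,
category names and privilege names are assumptions based on the Open Distro
security audit schema; verify them against your own esaudit documents.
"""
import json

# Elasticsearch action names that a delete exercises (assumed), mapped to a label.
DELETE_PRIVILEGES = {
    "indices:admin/delete": "index_deleted",
    "indices:data/write/delete": "document_deleted",
    "indices:data/write/delete/byquery": "documents_deleted_by_query",
}

# Constructed sample audit documents, one JSON object per line. Not real output.
# Note the fourth line: a denied attempt is logged as MISSING_PRIVILEGES even when
# GRANTED_PRIVILEGES is disabled, which is why only failures tend to show up.
SAMPLE_AUDIT_LOG = """
{"@timestamp":"2021-03-01T10:00:00.000Z","audit_category":"GRANTED_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_privilege":"indices:admin/delete","audit_request_effective_user":"admin","audit_trace_indices":["orders-2021"]}
{"@timestamp":"2021-03-01T10:00:05.000Z","audit_category":"GRANTED_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_privilege":"indices:data/read/search","audit_request_effective_user":"analyst","audit_trace_indices":["orders-2021"]}
{"@timestamp":"2021-03-01T10:01:00.000Z","audit_category":"GRANTED_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_privilege":"indices:data/write/delete","audit_request_effective_user":"admin","audit_trace_indices":["customers"],"audit_trace_doc_id":"42"}
{"@timestamp":"2021-03-01T10:02:00.000Z","audit_category":"MISSING_PRIVILEGES","audit_request_layer":"TRANSPORT","audit_request_privilege":"indices:admin/delete","audit_request_effective_user":"analyst","audit_trace_indices":["customers"]}
not a json line, should be skipped
{"@timestamp":"2021-03-01T10:03:00.000Z","audit_category":"AUTHENTICATED","audit_request_layer":"REST","audit_request_effective_user":"admin","audit_rest_request_method":"DELETE","audit_rest_request_path":"/orders-2021"}
"""


def parse_audit_log(text):
    """Yield one dict per well-formed JSON line; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(doc, dict):
            yield doc


def classify(doc):
    """Return (action, indices, doc_id) if the record is a deletion, else None.

    Transport-layer records carry the privilege name, which is the reliable signal.
    REST-layer records only carry method and path, so a DELETE on /index or
    /index/_doc/id is treated as a weaker, corroborating signal.
    """
    priv = doc.get("audit_request_privilege")
    if priv in DELETE_PRIVILEGES:
        return (DELETE_PRIVILEGES[priv],
                list(doc.get("audit_trace_indices") or []),
                doc.get("audit_trace_doc_id"))
    if (doc.get("audit_request_layer") == "REST"
            and doc.get("audit_rest_request_method") == "DELETE"):
        parts = [p for p in (doc.get("audit_rest_request_path") or "").split("/") if p]
        if len(parts) == 1 and not parts[0].startswith("_"):
            return ("index_deleted", [parts[0]], None)
        if len(parts) >= 3 and not parts[0].startswith("_"):
            return ("document_deleted", [parts[0]], parts[-1])
    return None


def find_deletions(docs):
    """Reduce audit records to a list of deletion events worth alerting on."""
    events = []
    for doc in docs:
        hit = classify(doc)
        if hit is None:
            continue
        action, indices, doc_id = hit
        events.append({
            "time": doc.get("@timestamp"),
            "user": doc.get("audit_request_effective_user"),
            "layer": doc.get("audit_request_layer"),
            "category": doc.get("audit_category"),  # GRANTED_PRIVILEGES vs MISSING_PRIVILEGES
            "action": action,
            "indices": indices,
            "doc_id": doc_id,
        })
    return events


if __name__ == "__main__":
    for event in find_deletions(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(json.dumps(event))
```

In a real deployment the records would come from a search over the esaudit index (or from the audit log file), and the `category` field is the one to watch: if you only ever see `MISSING_PRIVILEGES` entries, successful deletions are not being written and the audit categories, not the detection, are the thing to fix.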