Audit - tracking users working deleting index


I have a scenario where I need to record if an admin deletes an index or a record from an index. Is this possible? I enabled the opendistro audit and tested to delete an index but it didn’t show up in my esaudit index. I can however see data flowing in to the esaudit in relation to Transport SSL, meaning the audit functionality is working.

I setup audit with the following config:

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.audit.config.index: “'esaudit-'YYYY.MM.dd”
opendistro_security.audit.ignore_users: NONE

Is there additional config that I can add to track what the users does once they have authenticated.

Additional info: I used a simple curl with the -u to delete the index.

Thanks for any help!

1 Like


opendistro guys, please answer


1 Like

Hi @mato, @Xyrion - can you please also ask / file an issue at Issues · opendistro-for-elasticsearch/security · GitHub. Our engineers monitor issues actively on GitHub.

@alolitas, Thanks! I have done that now.

Hi @alolitas

i just did: audit not working for e.g. delete index or query index … only for failed login

for others with my problem, finally i went with Monitoring Elasticsearch Search Queries | Elastic Blog ssl from client browser to kibana and then clear http from kibana to elasticsearch (same server). Packetbeat, max message 20k.