Immutable indices

I am using OpenSearch as a part of my Wazuh installation. In order to ensure integrity of the logs in the database, I wanted to make the default indices, wazuh-alerts-*, as append-only. This way I could guarantee that logs are not modified by an attacker, either internal or external. Of course, indice management policy can and should modify the indices to cold state and delete the logs, as the only exception.

But until now, I can only find that a 3rd party can provide the immutable index capability. Is it possible to configure it using native capabilities like permissions and other advanced configurations?

@zbalkan Try the below. I’ve tested it yesterday and it worked.
- indexa

It’s not documented in OpenSearch documentation but you can find it through GitHub.

You could report a documentation bug in GitHub. If you do, please share the link here.

Hi Pablo. What you manage to find out is a great finding. I’ll test it out and create a new issue. Thanks for the update.