SOLVED - Audit log documents not available in Dashboards Discover

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

v2.11.1

Describe the issue:

I need to enable audit logging in OpenSearch Dashboards but I cannot select the corresponding index in Discover. The logs are available through the API.

Configuration:

Audit logging is generally enabled:

There are daily indices:

GET _cat/indices looks good:

green open .ql-datasources 0EHyIVX_RXqlYDq1Ylj43g 1 0 0 0 208b 208b
green open .opendistro_security usAsRx4yTb2krSCHqMcg4g 1 0 10 1 51.8kb 51.8kb
green open security-auditlog-2024.02.27 8WU345e_Sb-FmctVuz-3kg 1 0 1341 0 2.8mb 2.8mb
green open .opensearch-observability c5sdUdbHQYKTdkyMizABmw 1 0 0 0 208b 208b
green open security-auditlog-2024.02.26 lqWZh21PTJ2KuL3uEOq1Ow 1 0 1102 0 2.1mb 2.1mb
green open security-auditlog-2024.02.25 3KH-RUDVRN2u6Yx7gDpKHQ 1 0 42 0 135.5kb 135.5kb
green open .opensearch_dashboards_1 n-3CqGwYRFWkBfk7qnhdBw 1 0 2 0 13.2kb 13.2kb
green open security-auditlog-2024.02.20 7VK4SGI-R9SKaUHwtG5DCg 1 0 21 0 193.7kb 193.7kb
green open security-auditlog-2024.02.24 KHtzAmUTTGGq2gJYzaWwsA 1 0 34 0 172.6kb 172.6kb
green open security-auditlog-2024.02.23 aB6LhjCSTTa6OK_ZHWWW9A 1 0 39 0 116kb 116kb
green open security-auditlog-2024.02.22 Y1OKtA_uQjW_YiBd89s0gA 1 0 49 0 138.9kb 138.9kb
green open security-auditlog-2024.02.21 0NkzpzyFSHCrEAA9GPwvTA 1 0 39 0 100.9kb 100.9kb

There are event search results (partially redacted) when querying the API:

{
"took": 2,
"timed_out": false,
"_shards": {
"total": 36,
"successful": 36,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 3957,
"relation": "eq"
},
"max_score": 1,
"hits": [
{
"_index": "security-auditlog-2024.01.22",
"_id": "gsoHMo0BXr9Y3dC0T6k-",
"_score": 1,
"_source": {
"audit_cluster_name": "siem",
"audit_transport_headers": {
"X-Opaque-Id": "ef47e23a-304e-445d-9a1b-bab02da86d11"
},
"audit_node_name": "siem.example.com",
"audit_trace_task_id": "GUHWwC-0QpOv3cudZTS0sg:4506",
"audit_transport_request_type": "Request",
"audit_category": "INDEX_EVENT",
"audit_request_origin": "REST",
"audit_node_id": "GUHWwC-0QpOv3cudZTS0sg",
"audit_request_layer": "TRANSPORT",
"@timestamp": "2024-01-22T16:35:56.349+00:00",
"audit_format_version": 4,
"audit_request_remote_address": "10.y.y.7",
"audit_request_privilege": "indices:admin/data_stream/get",
"audit_node_host_address": "10.x.x.x",
"audit_request_effective_user": "user@example.com",
"audit_trace_resolved_indices": [
".opensearch-observability",
".ql-datasources",
".opendistro_security",
".opensearch_dashboards_1",
"security-auditlog-2024.01.22",
".plugins-ml-config"
],
"audit_node_host_name": "10.x.x.x"
}
}

But nothing in Discover. I have only one other index which is the only one I can choose from the dropdown in Discover.

QUESTION: What am I missing here?

Relevant Logs or Screenshots:

see inline.

Never mind. Got it.

As some might suspect, it was the Index Patterns settings. I considered it covered with this:

But in fact there needs also an Index Pattern under Dashboard Management - Index Patterns.
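The gap described in this thread (indices present in `_cat/indices` and searchable via the API, but absent from the Discover dropdown because no index pattern covers them) can be checked from the `_cat/indices` output. The script below is an added example, not code from the original post or from OpenSearch; the `logs-app-*` index and pattern are constructed stand-ins for the poster's "one other index", and the request body targets the Dashboards saved-objects endpoint `POST /api/saved_objects/index-pattern`.

```python
"""Report indices that Dashboards Discover cannot show because no saved index
pattern matches them, and build the request body that adds the missing pattern."""
import fnmatch
import json

# Constructed sample: lines from the thread's `_cat/indices` output plus one
# hypothetical application index that already has a pattern.
CAT_INDICES = """\
green open .opendistro_security usAsRx4yTb2krSCHqMcg4g 1 0 10 1 51.8kb 51.8kb
green open security-auditlog-2024.02.27 8WU345e_Sb-FmctVuz-3kg 1 0 1341 0 2.8mb 2.8mb
green open security-auditlog-2024.02.26 lqWZh21PTJ2KuL3uEOq1Ow 1 0 1102 0 2.1mb 2.1mb
green open .opensearch_dashboards_1 n-3CqGwYRFWkBfk7qnhdBw 1 0 2 0 13.2kb 13.2kb
green open logs-app-2024.02.27 constructed-uuid-000000 1 0 7 0 10kb 10kb
"""

# Index pattern titles already saved in Dashboard Management (hypothetical).
EXISTING_PATTERNS = ["logs-app-*"]


def parse_cat_indices(text):
    """Return index names from `_cat/indices` output, skipping hidden dot-indices.
    Columns: health status index uuid pri rep docs.count docs.deleted store.size pri.store.size"""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[2].startswith("."):
            names.append(fields[2])
    return names


def uncovered_indices(indices, patterns):
    """Indices no pattern title matches; these never appear in the Discover dropdown.
    Dashboards titles use `*` wildcards, which fnmatch reproduces for plain index names."""
    return [i for i in indices
            if not any(fnmatch.fnmatchcase(i, p) for p in patterns)]


def index_pattern_request(title, time_field="@timestamp"):
    """Body for POST /api/saved_objects/index-pattern (send with header osd-xsrf: true).
    Audit documents carry `@timestamp`, so it is used as the time field."""
    return {"attributes": {"title": title, "timeFieldName": time_field}}


if __name__ == "__main__":
    missing = uncovered_indices(parse_cat_indices(CAT_INDICES), EXISTING_PATTERNS)
    print("not visible in Discover:", missing)
    if any(i.startswith("security-auditlog-") for i in missing):
        print(json.dumps(index_pattern_request("security-auditlog-*")))
```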