Hello,
I have a scenario where I need to record if an admin deletes an index or a record from an index. Is this possible? I enabled the opendistro audit and tested by deleting an index, but it didn't show up in my esaudit index. I can, however, see data flowing into esaudit in relation to Transport SSL, meaning the audit functionality is working.
I set up audit with the following config:
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.audit.config.index: "'esaudit-'YYYY.MM.dd"
opendistro_security.audit.ignore_users: NONE
Is there additional config that I can add to track what users do once they have authenticated?
Additional info: I used a simple curl with -u to delete the index.
Thanks for any help!
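An added configuration example, not the original poster's config, showing why a successful index delete never reaches the esaudit index with the settings above and which elasticsearch.yml keys change that. It assumes the Open Distro security plugin's audit keys and category names as documented for the plugin (BAD_HEADERS, FAILED_LOGIN, MISSING_PRIVILEGES, GRANTED_PRIVILEGES, SSL_EXCEPTION, OPENDISTRO_SECURITY_INDEX_ATTEMPT, AUTHENTICATED), and the standard transport action names for deletes; anything about your own cluster (index name, users) is just carried over from the post.

```yaml
# Added example (not the original poster's config). Assumes the Open Distro
# security plugin's documented audit settings in elasticsearch.yml.

# --- what the post above has (does NOT capture a successful DELETE) ---
# opendistro_security.audit.type: internal_elasticsearch
# opendistro_security.audit.config.index: "'esaudit-'YYYY.MM.dd"
# opendistro_security.audit.ignore_users: NONE
#
# With nothing else set, the plugin keeps its defaults, and the defaults
# disable the AUTHENTICATED and GRANTED_PRIVILEGES categories. An admin who
# is *allowed* to delete an index produces a GRANTED_PRIVILEGES event, so it
# is dropped before it is written. Only failures (FAILED_LOGIN,
# MISSING_PRIVILEGES) and SSL_EXCEPTION events get through, which matches
# "I only see Transport SSL data".

# --- corrected: record every category, including successful actions ---
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.audit.config.index: "'esaudit-'YYYY.MM.dd"

# Log both the REST layer (the curl call itself) and the transport layer.
# The transport event is the one that carries the resolved action name:
#   indices:admin/delete          -> DELETE /<index>
#   indices:data/write/delete     -> DELETE /<index>/_doc/<id>
opendistro_security.audit.enable_rest: true
opendistro_security.audit.enable_transport: true

# NONE here means "disable no category", i.e. GRANTED_PRIVILEGES and
# AUTHENTICATED are logged too. This is the setting the post is missing.
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE

# Store the concrete index names a request touched (aliases and wildcards
# resolved) and the request body, so a _delete_by_query is attributable.
opendistro_security.audit.resolve_indices: true
opendistro_security.audit.log_request_body: true

# Per-item logging for _bulk is off by default because it is expensive.
# Set it to true only if document deletes sent via _bulk must be recorded
# one by one instead of as a single indices:data/write/bulk event.
opendistro_security.audit.resolve_bulk_requests: false

# Keep auditing every user; the original post already has this right.
opendistro_security.audit.ignore_users: NONE
```

These keys live in elasticsearch.yml, so every node has to be restarted after the change (newer releases also expose the same settings through the security plugin's audit REST resource, so check your version before editing files). Re-run the curl delete afterwards and search esaudit for a document whose audit_category is GRANTED_PRIVILEGES; on the plugin versions I have used the effective user and the action name appear in audit_request_effective_user and audit_request_privilege, but treat those field names as an assumption and confirm against one real event. The caveat a practitioner will hit immediately: logging GRANTED_PRIVILEGES on a busy cluster produces an event for every search and index operation, so pair it with opendistro_security.audit.ignore_requests (for example a pattern such as indices:data/read/*) to drop the read traffic you do not need while keeping the delete actions you do.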