How can you monitor user queries when using SSL

ES version: 7.4.2
12 data nodes
We have RBAC and SSL for HTTP and for node communication.

We are getting queries ran against our cluster that are causing circuit breakers errors. Is there anything we can do to to track down what user or account are running these queries?

Somewhat indirectly, the audit logs list all indexes in access granted. So, for example, someone using beat will have a larger list than someone using filebeat.

Other posts describe a hack of setting the log long query time limit to 0 so all queries show in the slow log, but I've never done that myself.

I have turned on slow logging, with the level of info. Although I can not find where it lists the userID of whom is making the queries.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.