How to implement "immutable indices"?

Hi

We are using a Platinum subscription for our Elastic stack from elastic.co, and we have been informed that they do not support "immutable indices" for our subscription. We are using Elasticsearch version 7.17.5 with our agents (Filebeat, Auditbeat and Metricbeat) at 7.10.2. Can someone help us with implementing "immutable indices" with what we have now?

Can you elaborate a little more on what you are trying to achieve and what you mean by immutable as it applies to Elasticsearch?

Hi Mark,

It is this:

Once an index is created in Kibana, we don't want anyone to modify the index, the document, or a record in the logs that flow into Kibana.

Now the normal index will change to "immutable": no one can change anything, not even delete the index.

Does this configuration need to be done in the "elasticsearch.yml" settings? Or what steps do I need to follow to make any index an "immutable index"?

Make it read only?


Hi Mark,

Our requirement is the index should be loaded into Kibana, but it should not be modified by anyone.

When we set it to "read only", even with "superuser" access to Kibana, we are not able to see the logs themselves in Kibana, as attached.

We should still be able to see the logs in Kibana, but not be able to modify them. This is our requirement.

We used the API command `PUT /<index_name>/_block/read_only`. Screenshot attached for reference.

Are you constantly writing to the index? If you are constantly writing, then you cannot set it to read only.

You should only set the index to read only if you will not add anything more to it, as this will block new documents from being written.

You can set up different RBAC on indices depending on what the need for that user / API is.

Example

  • Filebeat can have write privileges and continue to write logs to an index / data stream etc.
  • But the end users that log into Kibana can be assigned read roles for those indices so they cannot update documents.
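The two pieces of that answer, a block on the index and separate writer/viewer roles, can be scripted against the APIs named in the thread. The following is an added example written for this page, not code from the thread or from Elastic; the index patterns, role names, base URL and the `beats_writer`/`kibana_log_viewer` names are assumptions, and it uses only the Python standard library. It also includes a small check a defender would want: confirming that a role intended for Kibana viewers grants no privilege that could modify or delete data.

```python
"""Build the Elasticsearch requests discussed in the thread and check that a
viewer role is genuinely read-only.  Nothing is sent unless send() is called."""
import json
import urllib.request

# Index privileges that can add, change or remove data or the index itself.
# (Assumption: a hand-picked subset of the 7.x index privileges; 'all' and
# 'manage' are included because they permit deleting the index.)
WRITE_PRIVILEGES = {
    "all", "manage", "write", "index", "create", "create_doc",
    "delete", "delete_index", "create_index", "auto_configure",
    "manage_ilm", "manage_follow_index", "manage_leader_index",
}

# What a Kibana user needs to search an index and build an index pattern.
VIEWER_PRIVILEGES = ["read", "view_index_metadata"]


def block_request(index, block="write"):
    """(method, path, body) for PUT /<index>/_block/<block>.
    'write' rejects new and updated documents but keeps the index searchable;
    'read_only' (what the poster used) also freezes metadata.  Either one
    rejects Filebeat's writes, so apply a block only to indices that are no
    longer being shipped into."""
    if block not in ("write", "read_only", "read", "metadata"):
        raise ValueError("unknown index block: %s" % block)
    return ("PUT", "/%s/_block/%s" % (index, block), None)


def viewer_role(name, patterns):
    """Role for people logging into Kibana: search only, no document changes."""
    body = {"indices": [{"names": list(patterns),
                         "privileges": list(VIEWER_PRIVILEGES)}]}
    return ("PUT", "/_security/role/%s" % name, body)


def writer_role(name, patterns):
    """Role for the Beats agents: append documents, never update or delete.
    'create_doc' allows indexing new documents only; 'auto_configure' and
    'create_index' let the agent set up its own indices and mappings."""
    body = {"indices": [{"names": list(patterns),
                         "privileges": ["create_doc", "auto_configure",
                                        "create_index", "view_index_metadata"]}]}
    return ("PUT", "/_security/role/%s" % name, body)


def role_is_read_only(role_body):
    """True when no index privilege in the role can modify or delete data."""
    for entry in role_body.get("indices", []):
        if WRITE_PRIVILEGES & set(entry.get("privileges", [])):
            return False
    return True


def send(base_url, request, auth_header):
    """Send one (method, path, body) tuple to a cluster (assumed base_url)."""
    method, path, body = request
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run: print what would be sent.  Names below are constructed.
    patterns = ["filebeat-*", "auditbeat-*", "metricbeat-*"]
    for r in (writer_role("beats_writer", patterns),
              viewer_role("kibana_log_viewer", patterns),
              block_request("filebeat-7.10.2-2022.09.01-000001", "write")):
        print(r[0], r[1], json.dumps(r[2]) if r[2] else "")
```

`role_is_read_only` is the part worth keeping around: run it over every role mapped to Kibana users before and after changes, since a single `write`, `delete` or `manage` privilege on the log indices undoes the whole arrangement. The Kibana-side feature privileges (access to Discover, dashboards and so on) are granted separately in the role's Kibana section and are not covered by this script.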