How to trace/log all delete actions

I have a shared ELK in my enterprise and we need to trace/log 2 types of action:

  1. Delete Index by API DELETE Call
  2. Delete doc by Delete_by_query

I tried without success with Audit and slowlog.
Is there a way to have this information?

PS: ELK 7.5.1 with Basic License

Audit log is the easiest way to go IMO but you need a Gold+ license (Subscriptions | Elastic Stack Products & Support | Elastic).

Otherwise you can:

  • Do that in your application and log when your application is calling those APIs
  • Enable slow log but this can lead to a lot of data
  • Add a proxy (like nginx) on top of your Elasticsearch instances

Maybe others have nice ideas?
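
For the proxy option above, an added example (not code from this thread) that picks the two delete actions out of the proxy's access log. It assumes nginx writes its standard `combined` log format; the sample lines, user names and index names are constructed, and the user field is whatever nginx logged as `$remote_user`.

```python
import re
from urllib.parse import unquote

# nginx "combined" format: addr - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'(?P<addr>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(method, target):
    """Return (action, index_expression) for a delete request, else None."""
    parts = [unquote(p) for p in target.split("?", 1)[0].split("/") if p]
    if not parts:
        return None
    # DELETE /<index>[,<index>...]: one path segment naming indices (or _all).
    # DELETE /<index>/_doc/<id> has three segments and is not an index delete.
    if method == "DELETE" and len(parts) == 1:
        if parts[0] == "_all" or not parts[0].startswith("_"):
            return ("delete_index", parts[0])
    # POST /<index>/_delete_by_query
    if method == "POST" and len(parts) == 2 and parts[1] == "_delete_by_query":
        return ("delete_by_query", parts[0])
    return None

def audit(lines):
    """Extract delete events (who, when, what, result) from access-log lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        hit = classify(m["method"], m["target"]) if m else None
        if hit:
            events.append({"time": m["time"], "addr": m["addr"], "user": m["user"],
                           "action": hit[0], "index": hit[1],
                           "status": int(m["status"])})
    return events

# Constructed sample log lines
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Feb/2020:10:01:02 +0000] "DELETE /logs-2020.01 HTTP/1.1" 200 21 "-" "curl/7.58.0"',
    '10.0.0.6 - bob [12/Feb/2020:10:02:10 +0000] "POST /orders/_delete_by_query?conflicts=proceed HTTP/1.1" 200 250 "-" "python-requests/2.22.0"',
    '10.0.0.7 - - [12/Feb/2020:10:03:00 +0000] "DELETE /orders/_doc/1 HTTP/1.1" 200 160 "-" "curl/7.58.0"',
    '10.0.0.5 - alice [12/Feb/2020:10:04:00 +0000] "GET /_cat/indices HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '10.0.0.8 - carol [12/Feb/2020:10:05:00 +0000] "DELETE /tmp-*,old-index HTTP/1.1" 403 120 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for event in audit(SAMPLE_LOG):
        print(event)
```

This only sees requests that pass through the proxy, so clients must not be able to reach the Elasticsearch HTTP port directly. The query body of `_delete_by_query` is not in the access log; only the target index expression is.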