In my elastic cluster, I see there are some records in docs.deleted for some of the indices, and I am not sure how to find out who deleted the docs?
My 3 node elastic cluster version is 7.16.1 and it is Not an enterprise version, and we are using a free opensource version.
I tried enabling xpack.security.audit.enabled in elastic config on all nodes and restarted cluster, and manually deleted records to check if its getting logged, but its not writing anything in the audit log file.
Is the auditing feature is available ONLY on the enterprise version?
Can anyone please help me how to find out the docs.deleted data?