How to view docs.deleted data

KrishnaCh · September 29, 2022, 1:48pm

Hi All,
In my elastic cluster, I see there are some records in docs.deleted for some of the indices, and I am not sure how to find out who deleted the docs?
My 3 node elastic cluster version is 7.16.1 and it is Not an enterprise version, and we are using a free opensource version.

I tried enabling xpack.security.audit.enabled in elastic config on all nodes and restarted cluster, and manually deleted records to check if its getting logged, but its not writing anything in the audit log file.

Is the auditing feature is available ONLY on the enterprise version?

Can anyone please help me how to find out the docs.deleted data?

Christian_Dahlqvist · September 29, 2022, 2:01pm

The audit log feature requires a platinum or higher license.

That is not possible. Be aware that updates show up as a index and a delete, so it is not becessary that any documents have been deleted.

KrishnaCh · September 29, 2022, 2:29pm

Thank you Christian for your response.

Okay. Noted.

Okay, so do you mean that if same document when indexed again, will result as updates, and it will do a delete and index That document again? Is my understanding correct?

Topic		Replies	Views
Detecting deletes Elasticsearch elastic-stack-security	4	1934	December 15, 2020
Tracking document updates and deletions with Audit Logging Elasticsearch	0	152	July 11, 2024
Logging DELETE query in logs Elasticsearch	1	507	May 24, 2021
Is there a log to record the change in the cluster? Elasticsearch	5	621	May 9, 2017
How to trace/log all delete action Elasticsearch	2	596	June 1, 2021

How to view docs.deleted data

Related topics