I am using Elasticsearch, Kibana and Watcher with Shield. I am trying to create a watch in order to notify me in Elastic's log if it finds an IP. In the Watcher History (index), I observe that the watch works; however, there is nothing in the log:
Moreover, it works if I create an email action (before I configured Shield for email). Do I have to configure anything else in Shield in the case of the "logging action"?
There is no additional configuration for the logging action when Shield is enabled.
Which log did you check? You need to check the log file of the master node. Did you do that? Have you changed your logging configuration and might be suppressing this message accidentally?
Also, I do not understand how you can use Elasticsearch 5.2.2 and Watcher 2.4 - does this mean you have a dedicated Watcher cluster?
I didn't know that the message appears only in the master's log (it was my fault). Is there any way to log on all machines? I ask this because in our actual configuration I do not have a specific master (I have several machines).
Regarding my cluster, I made a mistake with the versions; actually I am using X-Pack (Elasticsearch, Kibana, Shield, Watcher).
There is no possibility to log this somewhere else. You can just use the index action and access that document across the cluster with a search as a workaround.
No, there is not. Luckily, the security manager enabled in Elasticsearch forbids spawning new processes.
If you want to do something like that, send the data over to Logstash using a webhook in Watcher. You need the http input on the Logstash side as well as the exec output.
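The two workarounds above (an index action whose document any node can search for, and a webhook action that hands the hits to Logstash) can live side by side in one watch. The following watch definition is an added example, not code from the original thread or from Elastic; the watch id `log_ip_hit`, the index pattern `logs-*`, the field `source.ip`, the address `203.0.113.10`, the alert index `watcher-alerts`, and the Logstash host and port `logstash.example.internal:8080` are all assumptions chosen for illustration. It is the body of `PUT _xpack/watcher/watch/log_ip_hit` (X-Pack 5.x); the `logging` action still only writes to the log of the node that executes the watch, which is why the other two actions are there.

```json
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "indices": ["logs-*"],
        "body": {
          "size": 10,
          "query": { "term": { "source.ip": "203.0.113.10" } }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "log_on_master": {
      "logging": {
        "level": "info",
        "text": "watch {{ctx.watch_id}} matched {{ctx.payload.hits.total}} event(s) for 203.0.113.10"
      }
    },
    "index_for_everyone": {
      "index": {
        "index": "watcher-alerts",
        "doc_type": "alert"
      }
    },
    "to_logstash": {
      "webhook": {
        "scheme": "http",
        "host": "logstash.example.internal",
        "port": 8080,
        "method": "post",
        "path": "/",
        "headers": { "Content-Type": "application/json" },
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    }
  }
}
```

After the watch fires, any node can retrieve the alert with a search against `watcher-alerts` (for example `GET watcher-alerts/_search?q=hits.total:*`), and the Watcher history index shows each action's status, which is the first place to look when a log line does not appear. On the Logstash side the minimal pipeline is an `http` input listening on the same port the webhook targets (`input { http { port => 8080 } }`) and an `exec` output that runs the command you want on that host, for instance appending to a local file; since the webhook posts the raw payload, restrict the `http` input with `user`/`password` or a firewall rule so only the Elasticsearch nodes can reach it.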