Hi, I am new to ElasticSearch and am trying to see if there is a way to see which user creates/deletes indexes. Currently I can see it in logs when an index is created or deleted, but can't see which user initiated these actions.
Security audit is currently enabled in my elasticsearch.yml
xpack.security.audit.enabled: true
Thanks in advance.
Welcome to our community! 
You do need audit logging enabled to track this.
Where can I enable this? I already have thexpack.security.audit.enabled flag set to true.
https://www.elastic.co/guide/en/elasticsearch/reference/current/enable-audit-logging.html goes into what needs to happen. So you need to make that change and then restart Elasticsearch.
Mark, thank you for your response. I have already followed those steps.
Currently in my logs, I see the output as [2020-06-24T10:00:00][INFO ][o.e.c.m.MetaDataDeleteIndexService] [cluster_name] [index_name] deleting index
However, I am trying to see how to add the name of the user that deleted the index to this output as well. My ES version is 6.7.1. Thank you.
What license level are you on?
Platinum
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.