I have a goal of creating an audit-proof solution, where logs (indices) cannot be modified or deleted (like write-only).
The indices would have a configurable TTL (like 365 days), and they would remove the data itself, but no user would be able to override, change, or remove existing documents.
For the moment I've created daily snapshots to a "write-only" S3 bucket:
It is close enough, but still, the last 24 hours (or the time since the last snapshot) could be removed. In case of an attack or some aware user action, someone would have enough time to clean the ES cluster.
Would you recommend a better solution for 'persistent-secure' log storage?
Am I missing some setting?
Possible solution?: Ban XDELETE and the URI */_update,
But what about a 'whole document update' where the _version number changes?
Is there any way to disable 'in-place' document updates?
In Shield, you have different privileges, namely the create one, which only gives the ability to create documents, but neither to update them nor to delete them. That's probably what you're looking for.
Actually, I've been thinking with regard to 'document in-place update': since we can look for the documents with _version > 1 (that would indicate that they were modified), and additionally we can set the 'previous version gc delete' to a day
index.gc_deletes = 82800
we should be able to store the previous versions of documents, and/or at least, with a simple query, have knowledge of the data modification (that is important too).
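One way to run the "_version > 1" check described in the post above, as added example code that is not from this thread or from Elasticsearch itself; it assumes 1.x/2.x search responses requested with "version": true, and the scroll pages it walks are constructed sample data so the check runs offline:

```python
"""Flag Elasticsearch documents whose _version is above 1, i.e. documents
that were overwritten or updated after they were first created.

Assumptions (example code, not from the original thread): search responses
come from a 1.x/2.x cluster queried with "version": true, and the scroll
pages below are constructed sample data so the check runs offline.
"""


def modified_docs_query(size=500):
    """Body for /_search?scroll=1m: _version is not queryable, so ask ES to
    return it with each hit and filter on the client side."""
    return {"query": {"match_all": {}}, "version": True,
            "size": size, "_source": False}


def find_modified(hits):
    """Return (index, type, id, version) for every hit with _version > 1."""
    flagged = []
    for hit in hits:
        version = hit.get("_version")
        if version is None:  # response was requested without "version": true
            raise ValueError("hit %s carries no _version" % hit.get("_id"))
        if version > 1:
            flagged.append((hit["_index"], hit["_type"], hit["_id"], version))
    return flagged


def scan_pages(pages):
    """Aggregate findings over successive scroll pages."""
    found = []
    for page in pages:
        found.extend(find_modified(page["hits"]["hits"]))
    return found


# Constructed sample: two scroll pages from a daily log index; doc "b"
# was re-indexed once and doc "d" twice, everything else is untouched.
SAMPLE_PAGES = [
    {"hits": {"hits": [
        {"_index": "logs-2016.01.01", "_type": "log", "_id": "a", "_version": 1},
        {"_index": "logs-2016.01.01", "_type": "log", "_id": "b", "_version": 2},
    ]}},
    {"hits": {"hits": [
        {"_index": "logs-2016.01.01", "_type": "log", "_id": "c", "_version": 1},
        {"_index": "logs-2016.01.01", "_type": "log", "_id": "d", "_version": 3},
    ]}},
]

if __name__ == "__main__":
    for index, doc_type, doc_id, version in scan_pages(SAMPLE_PAGES):
        print("%s/%s/%s modified (_version=%d)" % (index, doc_type, doc_id, version))
```

A raised _version only shows that a document was overwritten, not what its earlier content was, so this check detects tampering but does not recover the original record.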