I have a goal of creating an audit-proof solution, where logs (indices) cannot be modified or deleted (like write-only).
The indices would have a configurable TTL (like 365 days), and they would remove the data itself, but no user would be able to override, change, or remove existing documents.
For the moment I've created daily snapshots to a "write-only" S3 bucket:
It is close enough, but still, the last 24 hours (or the time since the last snapshot) could be removed. In case of an attack or some deliberate user action, someone would have enough time to clean the ES cluster.
Would you recommend a better solution for 'persistent-secure' log storage?
Am I missing some setting?
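The "write-only" snapshot bucket the question describes, as an added example that is not the poster's configuration: an S3 bucket policy that lets the snapshot repository's role write and read but explicitly denies every object-delete action to all principals, plus a small IAM-style evaluator (explicit Deny beats Allow, otherwise implicit deny) so the intent can be checked offline without touching AWS. The bucket name and the role ARN are placeholders.

```python
"""
Append-only S3 bucket policy for an Elasticsearch snapshot repository, with a
minimal offline evaluator. Example code, not the poster's setup; bucket name
and role ARN are placeholders.
"""
import fnmatch
import json

BUCKET = "example-es-snapshots"                                      # placeholder
WRITER_ROLE = "arn:aws:iam::123456789012:role/es-snapshot-writer"    # placeholder
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECTS_ARN = f"{BUCKET_ARN}/*"

# The repository role may list, read and write objects. A separate statement
# denies deletes (including version deletes) to everyone, so a compromised
# writer credential can add snapshots but cannot remove earlier ones.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SnapshotWriterReadWrite",
            "Effect": "Allow",
            "Principal": {"AWS": WRITER_ROLE},
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
            ],
            "Resource": [BUCKET_ARN, OBJECTS_ARN],
        },
        {
            "Sid": "NobodyDeletes",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": [OBJECTS_ARN],
        },
    ],
}


def policy_json() -> str:
    """Render the policy as the JSON document you would attach to the bucket."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(spec, principal: str) -> bool:
    if spec == "*":
        return True
    return principal in _as_list(spec.get("AWS", []))


def is_allowed(policy: dict, principal: str, action: str, resource: str) -> bool:
    """Minimal IAM evaluation: any matching explicit Deny wins; otherwise a
    matching Allow permits; otherwise the request is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    obj = f"{OBJECTS_ARN[:-1]}snap-2024-01-01/index-0"   # constructed object key
    print(policy_json())
    print("writer PutObject   :", is_allowed(BUCKET_POLICY, WRITER_ROLE, "s3:PutObject", obj))
    print("writer DeleteObject:", is_allowed(BUCKET_POLICY, WRITER_ROLE, "s3:DeleteObject", obj))
```

Two things the policy alone does not cover: enable bucket versioning so that a `PutObject` on an existing key creates a new version instead of replacing the old bytes (otherwise "write-only" still permits overwrites), and note that a bucket policy only protects what has already been uploaded, so the window between snapshots remains exactly the exposure the question describes.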