I have been using Search Guard Compliance Plugin (Beta For ElasticSearch 6.2.2) and I have a trouble with blacklisting indices using provided configuration syntax for this module.
What I would like to achieve is to monitor all indices except ones that have “dot” at the beginning (e.g. .monitoring-). There is a possibility to use wildcards for “searchguard.compliance.history.read.watched_fields” option so I can set it to - ".", but I do not know how to set it to prevent search guard from adding information about .monitroing- indices.
Maybe I can use “searchguard.audit.ignore_requests” for this purpose?
This should watch all fields for all indicies for which the indices start not with a dot. You can use regex for index and fields.
But normally we recommend to list each index and the respective fields separately because watching many indices and many fields would slow down elasticsearch.
···
Am 18.04.2018 um 13:44 schrieb Dan S <salbert.dan@gmail.com>:
Hi,
I have been using Search Guard Compliance Plugin (Beta For ElasticSearch 6.2.2) and I have a trouble with blacklisting indices using provided configuration syntax for this module.
What I would like to achieve is to monitor all indices except ones that have "dot" at the beginning (e.g. .monitoring-*). There is a possibility to use wildcards for "searchguard.compliance.history.read.watched_fields" option so I can set it to - "*.*", but I do not know how to set it to prevent search guard from adding information about .monitroing-* indices.
Maybe I can use "searchguard.audit.ignore_requests" for this purpose?