Briefly, this error occurs when Elasticsearch fails to index an audit event due to insufficient permissions. This could be due to incorrect user roles or privileges. To resolve this issue, you can check the user’s roles and permissions to ensure they have the necessary access to index audit events. Alternatively, you may need to review your Elasticsearch security settings or audit logging configurations. It’s also possible that the index is read-only, in which case you would need to change its settings to allow write operations.
This guide will help you check for common problems that cause the log ” failed to index audit event: [run_as_denied] ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin, index.
Overview
In Elasticsearch, an index (plural: indices) contains a schema and can have one or more shards and replicas. An Elasticsearch index is divided into shards and each shard is an instance of a Lucene index.
Indices are used to store the documents in dedicated data structures corresponding to the data type of fields. For example, text fields are stored inside an inverted index whereas numeric and geo fields are stored inside BKD trees.
Examples
Create index
The following example is based on Elasticsearch version 5.x onwards. An index with two shards, each having one replica will be created with the name test_index1
PUT /test_index1?pretty
{
"settings" : {
"number_of_shards" : 2,
"number_of_replicas" : 1
},
"mappings" : {
"properties" : {
"tags" : { "type" : "keyword" },
"updated_at" : { "type" : "date" }
}
}
}List indices
All the index names and their basic information can be retrieved using the following command:
GET _cat/indices?v
Index a document
Let’s add a document in the index with the command below:
PUT test_index1/_doc/1
{
"tags": [
"opster",
"elasticsearch"
],
"date": "01-01-2020"
}Query an index
GET test_index1/_search
{
"query": {
"match_all": {}
}
}Query multiple indices
It is possible to search multiple indices with a single request. If it is a raw HTTP request, index names should be sent in comma-separated format, as shown in the example below, and in the case of a query via a programming language client such as python or Java, index names are to be sent in a list format.
GET test_index1,test_index2/_search
Delete indices
DELETE test_index1
Common problems
- It is good practice to define the settings and mapping of an Index wherever possible because if this is not done, Elasticsearch tries to automatically guess the data type of fields at the time of indexing. This automatic process may have disadvantages, such as mapping conflicts, duplicate data and incorrect data types being set in the index. If the fields are not known in advance, it’s better to use dynamic index templates.
- Elasticsearch supports wildcard patterns in Index names, which sometimes aids with querying multiple indices, but can also be very destructive too. For example, It is possible to delete all the indices in a single command using the following commands:
DELETE /*
To disable this, you can add the following lines in the elasticsearch.yml:
action.destructive_requires_name: true
Log Context
Log “failed to index audit event: [run_as_denied]” classname is IndexAuditTrail.java.
We extracted the following from Elasticsearch source code for those seeking an in-depth context :
final String lookRealmName = authentication.getLookedUpBy() == null ? null : authentication.getLookedUpBy().getName();
final String[] roleNames = (String[]) authorizationInfo.asMap().get(LoggingAuditTrail.PRINCIPAL_ROLES_FIELD_NAME);
enqueue(message("run_as_denied"; action; authentication.getUser(); roleNames; new Tuple(authRealmName; lookRealmName);
null; message); "run_as_denied");
} catch (final Exception e) {
logger.warn("failed to index audit event: [run_as_denied]"; e);
}
}
}
@Override
