0
votes

I have an old Elasticsearch cluster that shouldn't be getting traffic but somehow it still is. I have hundreds of services that could potentially be hitting it. I'm looking for a way to maybe capture the request origin so I can see where the requests are coming from. I tried enabling the REST request tracer but that didn't seem to do anything (https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html).

Any thoughts?


1 Answer

0
votes

If you have authentication enabled (or are ok to enable it and let requests fail then), I would enable audit logging. This will log auditing events including an origin.address, which should show you where those are coming from.

Example (request on localhost):

{
  "type": "audit",
  "timestamp": "2020-07-29T20:11:08,529+0200",
  "node.id": "sDCzapQcSgCTgaOnebA07w",
  "event.type": "rest",
  "event.action": "anonymous_access_denied",
  "origin.type": "rest",
  "origin.address": "127.0.0.1:58611",
  "url.path": "/",
  "request.method": "HEAD",
  "request.id": "4s_UWL35TfiI0nGZvNeomA"
}

Though on Elastic Cloud you will have to contact support to provide you those logs.
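Once the audit log is on (xpack.security.audit.enabled: true in elasticsearch.yml), the practical next step is to aggregate the audit JSON lines by origin host so the stray callers stand out. The script below is an added example, not from the answer or from Elastic; the sample log lines are constructed in the shape of the event shown above, with made-up node ids and addresses.

```python
import json
from collections import Counter, defaultdict

# Constructed sample audit-log lines (same field names as the event in the answer;
# node ids, addresses and request ids are made up, and one line is deliberately garbage).
SAMPLE_AUDIT_LOG = """
{"type":"audit","timestamp":"2020-07-29T20:11:08,529+0200","node.id":"n1","event.type":"rest","event.action":"anonymous_access_denied","origin.type":"rest","origin.address":"127.0.0.1:58611","url.path":"/","request.method":"HEAD","request.id":"r1"}
{"type":"audit","timestamp":"2020-07-29T20:11:09,001+0200","node.id":"n1","event.type":"rest","event.action":"anonymous_access_denied","origin.type":"rest","origin.address":"10.0.5.21:40122","url.path":"/logs-2020.07/_search","request.method":"POST","request.id":"r2"}
{"type":"audit","timestamp":"2020-07-29T20:11:09,410+0200","node.id":"n1","event.type":"rest","event.action":"anonymous_access_denied","origin.type":"rest","origin.address":"10.0.5.21:40123","url.path":"/logs-2020.07/_search","request.method":"POST","request.id":"r3"}
{"type":"audit","timestamp":"2020-07-29T20:11:10,002+0200","node.id":"n1","event.type":"rest","event.action":"authentication_success","origin.type":"rest","origin.address":"10.0.7.3:51200","url.path":"/_cluster/health","request.method":"GET","request.id":"r4"}
not json at all
{"type":"audit","timestamp":"2020-07-29T20:11:11,002+0200","node.id":"n1","event.type":"transport","event.action":"access_granted","origin.type":"transport","origin.address":"[::1]:9300","action":"indices:data/read/search"}
"""


def split_host_port(address):
    """Split 'host:port' or '[v6]:port' into (host, port); port is None if absent."""
    host, sep, port = address.rpartition(":")
    if not sep:
        return address, None
    return host.strip("[]"), int(port)


def summarize_origins(log_text):
    """Aggregate audit events per origin host.

    Returns ({host: {"events": n, "actions": Counter, "paths": Counter}}, skipped_lines).
    Port numbers are dropped so every connection from one client collapses into one row.
    """
    summary = defaultdict(lambda: {"events": 0, "actions": Counter(), "paths": Counter()})
    skipped = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or foreign lines are counted, not fatal
            continue
        if event.get("type") != "audit" or "origin.address" not in event:
            continue
        host, _port = split_host_port(event["origin.address"])
        entry = summary[host]
        entry["events"] += 1
        entry["actions"][event.get("event.action", "?")] += 1
        # REST events carry url.path; transport events carry the internal action name instead
        entry["paths"][event.get("url.path") or event.get("action", "?")] += 1
    return dict(summary), skipped


if __name__ == "__main__":
    hosts, bad = summarize_origins(SAMPLE_AUDIT_LOG)
    for host, info in sorted(hosts.items(), key=lambda kv: -kv[1]["events"]):
        print(host, info["events"], dict(info["actions"]), dict(info["paths"]))
    print("unparsable lines:", bad)
```

Point it at the real file (usually <cluster_name>_audit.json under the logs directory) by reading it into `summarize_origins`; the host column is the list of services you still need to migrate or block.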