I have an old Elasticsearch cluster that shouldn't be getting traffic but somehow it still is. I have hundreds of services that could potentially be hitting it. I'm looking for a way to maybe capture the request origin so I can see where the requests are coming from. I tried enabling the REST request tracer but that didn't seem to do anything (https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html).
Any thoughts?
If you have authentication enabled (or are ok to enable it and let requests fail then), I would enable audit logging. This will log auditing events including an `origin.address`, which should show you where those are coming from.

Example (request on localhost):
Though on Elastic Cloud you will have to contact support to provide you those logs.
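As an added illustration (not part of the answer above, and not Elastic's own tooling), here is a small script that does the follow-up work the answer implies: once `xpack.security.audit.enabled: true` is set and the cluster has been left running for a while, the JSON audit log is grouped by `origin.address` so that hundreds of candidate services collapse into a short list of client IPs, the users they authenticated as, the paths they hit, and whether their requests succeeded or were rejected. The log lines are constructed samples; the field names (`event.type`, `event.action`, `origin.address`, `user.name`, `url.path`, `x_forwarded_for`) follow the Elasticsearch JSON audit-log format, but the values and node names are made up for the example.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Elasticsearch JSON audit-log lines (one JSON object per
# line, as written to <cluster>_audit.json). Field names follow the audit-log
# format; the addresses, users and paths are made up for this example.
# The cluster itself needs, in elasticsearch.yml:
#   xpack.security.enabled: true
#   xpack.security.audit.enabled: true
SAMPLE_AUDIT_LOG = """\
{"type":"audit","timestamp":"2023-05-02T10:00:01,123+0000","node.name":"es-old-1","event.type":"rest","event.action":"authentication_success","user.name":"svc_reporting","user.realm":"native","origin.type":"rest","origin.address":"10.20.30.41:51234","request.method":"GET","url.path":"/reports-*/_search"}
{"type":"audit","timestamp":"2023-05-02T10:00:02,456+0000","node.name":"es-old-1","event.type":"rest","event.action":"authentication_failed","user.name":"legacy_app","origin.type":"rest","origin.address":"10.20.30.42:40012","request.method":"POST","url.path":"/_bulk"}
{"type":"audit","timestamp":"2023-05-02T10:00:03,789+0000","node.name":"es-old-2","event.type":"rest","event.action":"anonymous_access_denied","origin.type":"rest","origin.address":"[::1]:60000","request.method":"GET","url.path":"/_cluster/health"}
{"type":"audit","timestamp":"2023-05-02T10:00:04,000+0000","node.name":"es-old-2","event.type":"rest","event.action":"authentication_success","user.name":"svc_reporting","user.realm":"native","origin.type":"rest","origin.address":"10.20.30.41:51240","request.method":"GET","url.path":"/reports-*/_count","x_forwarded_for":"192.0.2.10"}
not json at all
{"type":"audit","timestamp":"2023-05-02T10:00:05,000+0000","node.name":"es-old-1","event.type":"transport","event.action":"access_granted","user.name":"_system","origin.type":"local_node","origin.address":"10.20.30.1:9300","action":"cluster:monitor/state"}
"""


def split_host_port(addr):
    """Split an audit 'origin.address' such as '10.0.0.5:51234' or '[::1]:60000'
    into (host, port). The ephemeral client port is noise for attribution, so
    callers normally keep only the host. Port is None when none is present."""
    if addr.startswith("["):                      # bracketed IPv6 with port
        host, _, rest = addr[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
        return host, port
    host, sep, port = addr.rpartition(":")
    if sep and host and ":" not in host and port.isdigit():
        return host, int(port)                    # IPv4:port or hostname:port
    return addr, None                             # bare IPv4 / IPv6 / hostname


def parse_audit_lines(text):
    """Parse JSON audit lines; malformed or non-audit lines are counted, not fatal."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(event, dict) and event.get("type") == "audit":
            events.append(event)
        else:
            skipped += 1
    return events, skipped


def summarize_origins(text):
    """Group REST audit events by client IP. Transport (node-to-node) events are
    ignored; failed and anonymous requests still carry origin.address, which is
    why enabling auth and letting requests fail is enough to attribute them."""
    per_ip = defaultdict(lambda: {"requests": 0, "users": set(), "paths": set(),
                                  "actions": Counter(), "forwarded_for": set()})
    events, _skipped = parse_audit_lines(text)
    for event in events:
        if event.get("event.type") != "rest":
            continue
        addr = event.get("origin.address")
        if not addr:
            continue
        host, _port = split_host_port(addr)
        entry = per_ip[host]
        entry["requests"] += 1
        entry["actions"][event.get("event.action", "unknown")] += 1
        if event.get("user.name"):
            entry["users"].add(event["user.name"])
        if event.get("url.path"):
            entry["paths"].add(event["url.path"])
        # When a proxy or load balancer sits in front of the cluster, origin.address
        # is the proxy; the real client is only visible in X-Forwarded-For.
        if event.get("x_forwarded_for"):
            entry["forwarded_for"].add(event["x_forwarded_for"])
    # Sets become sorted lists so the result is deterministic and JSON-serialisable.
    return {ip: {"requests": e["requests"], "users": sorted(e["users"]),
                 "paths": sorted(e["paths"]), "actions": dict(e["actions"]),
                 "forwarded_for": sorted(e["forwarded_for"])}
            for ip, e in per_ip.items()}


if __name__ == "__main__":
    for ip, info in sorted(summarize_origins(SAMPLE_AUDIT_LOG).items(),
                           key=lambda kv: -kv[1]["requests"]):
        print(f"{ip:16} {info['requests']:4} req  users={info['users']} "
              f"actions={info['actions']} xff={info['forwarded_for']}")
        for path in info["paths"]:
            print(f"{'':16}      {path}")
```

Two caveats when running this against a real cluster: check `xpack.security.audit.logfile.events.include`, since the default event list covers denials and failures but not every successful request, so add `authentication_success` if you want successful callers attributed as well; and if the cluster sits behind a proxy or load balancer, `origin.address` will be the proxy, so the `x_forwarded_for` column is the one that identifies the service.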