[Feature Request] Security plugin audit sink fails when using write alias as index target #5688

@rave189

Is your feature request related to a problem? Please describe

When plugins.security.audit.config.index is configured with a write alias (that points to a backing index with is_write_index=true),
the security plugin tries to create an index using the alias name, resulting in:

Invalid index name [<alias-name>], already exists as alias

Even though the alias correctly points to a write index, audit logs are not written.

[2025-10-04T14:44:05,597][ERROR][o.o.s.a.s.InternalOpenSearchSink] [opensearch-cluster-master-0] Unable to index audit log {"audit_cluster_name":"opensearch-cluster","audit_transport_headers":{"X-Opaque-Id":"c65bd5b8-c73a-4040-ab21-1f2108f0ee71"},"audit_node_name":"opensearch-cluster-master-0","audit_trace_task_id":"o-K2Zoi3R4OTMc1bIVmWkw:9841","audit_transport_request_type":"GetAliasesRequest","audit_category":"INDEX_EVENT","audit_request_origin":"REST","audit_node_id":"o-K2Zoi3R4OTMc1bIVmWkw","audit_request_layer":"TRANSPORT","@timestamp":"2025-10-04T14:44:05.597+00:00","audit_format_version":4,"audit_request_remote_address":"10.244.2.155","audit_request_privilege":"indices:admin/aliases/get","audit_node_host_address":"10.244.1.12","audit_request_effective_user":"admin","audit_trace_resolved_indices":["opensearch-auditlogs-000001","top_queries-2025.10.04-55782",".plugins-ml-config",".kibana",".opendistro_security",".ql-datasources",".opendistro-job-scheduler-lock"],"audit_node_host_name":"10.244.1.12"} due to
org.opensearch.indices.InvalidIndexNameException: Invalid index name [opensearch-auditlogs-write], already exists as alias
	at org.opensearch.cluster.metadata.MetadataCreateIndexService.validateIndexName(MetadataCreateIndexService.java:271) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.metadata.MetadataCreateIndexService.validate(MetadataCreateIndexService.java:1471) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.metadata.MetadataCreateIndexService.applyCreateIndexRequest(MetadataCreateIndexService.java:433) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.metadata.MetadataCreateIndexService.applyCreateIndexRequest(MetadataCreateIndexService.java:494) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.metadata.MetadataCreateIndexService$1.execute(MetadataCreateIndexService.java:394) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.ClusterStateUpdateTask.execute(ClusterStateUpdateTask.java:67) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.service.ClusterManagerService.executeTasks(ClusterManagerService.java:890) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.service.ClusterManagerService.calculateTaskOutputs(ClusterManagerService.java:441) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.service.ClusterManagerService.runTasks(ClusterManagerService.java:301) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.service.ClusterManagerService$Batcher.run(ClusterManagerService.java:214) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:206) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:264) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:916) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:299) ~[opensearch-3.2.0.jar:3.2.0]
	at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:262) ~[opensearch-3.2.0.jar:3.2.0]
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1095) [?:?]
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:619) [?:?]
	at java.base/java.lang.Thread.run(Thread.java:1447) [?:?]
[2025-10-04T14:44:05,598][INFO ][o.o.s.a.s.DebugSink      ] [opensearch-cluster-master-0] AUDIT_LOG: {
  "audit_cluster_name" : "opensearch-cluster",
  "audit_transport_headers" : {
    "X-Opaque-Id" : "c65bd5b8-c73a-4040-ab21-1f2108f0ee71"
  },
  "audit_node_name" : "opensearch-cluster-master-0",
  "audit_trace_task_id" : "o-K2Zoi3R4OTMc1bIVmWkw:9841",
  "audit_transport_request_type" : "GetAliasesRequest",
  "audit_category" : "INDEX_EVENT",
  "audit_request_origin" : "REST",
  "audit_node_id" : "o-K2Zoi3R4OTMc1bIVmWkw",
  "audit_request_layer" : "TRANSPORT",
  "@timestamp" : "2025-10-04T14:44:05.597+00:00",
  "audit_format_version" : 4,
  "audit_request_remote_address" : "10.244.2.155",
  "audit_request_privilege" : "indices:admin/aliases/get",
  "audit_node_host_address" : "10.244.1.12",
  "audit_request_effective_user" : "admin",
  "audit_trace_resolved_indices" : [
    "opensearch-auditlogs-000001",
    "top_queries-2025.10.04-55782",
    ".plugins-ml-config",
    ".kibana",
    ".opendistro_security",
    ".ql-datasources",
    ".opendistro-job-scheduler-lock"
  ],
  "audit_node_host_name" : "10.244.1.12"
}

Describe the solution you'd like

The plugin should resolve the alias and write documents into the backing index (like a regular client).

Related component

Indexing

Describe alternatives you've considered

No response

Additional context

  1. Create a write alias:

     POST /_aliases
     {
       "actions": [
         { "add": { "alias": "opensearch-auditlogs-write", "index": "opensearch-auditlogs-000001", "is_write_index": true } }
       ]
     }

  2. Configure:

     plugins.security.audit:
       type: internal_opensearch
       config:
         index: opensearch-auditlogs-write

  3. Start cluster and trigger any audit event.
  4. Observe error:

     Invalid index name [opensearch-auditlogs-write], already exists as alias

Environment

  • OpenSearch 3.2.0
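
A way to detect this failure from the node log, as an added example that is not part of the original issue or of the security plugin's code: it scans for the InternalOpenSearchSink error quoted above and reports each audit event that was not indexed. The function name and the abridged sample lines are constructed for illustration, and the log layout is assumed to match the lines quoted in this issue.

```python
import json
import re

# Header of the sink's failure line, as it appears in the log quoted in this issue.
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[ERROR\s*\]\[o\.o\.s\.a\.s\.InternalOpenSearchSink\s*\]"
    r" \[(?P<node>[^\]]+)\] Unable to index audit log (?P<event>\{.*\}) due to\s*$"
)
# Cause line that identifies the alias-as-index-name failure.
ALIAS_CAUSE = re.compile(
    r"InvalidIndexNameException: Invalid index name \[(?P<target>[^\]]+)\],"
    r" already exists as alias"
)

def find_dropped_audit_events(lines):
    """Return one record per audit event the sink failed to index (hypothetical helper)."""
    dropped = []
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if not m:
            continue
        try:
            event = json.loads(m.group("event"))
        except json.JSONDecodeError:
            event = {}  # truncated log line: still report the failure
        cause = lines[i + 1] if i + 1 < len(lines) else ""
        alias = ALIAS_CAUSE.search(cause)
        dropped.append({
            "logged_at": m.group("ts"),
            "node": m.group("node"),
            "category": event.get("audit_category"),
            "user": event.get("audit_request_effective_user"),
            # None means the sink failed for a reason other than the alias conflict.
            "alias_target": alias.group("target") if alias else None,
        })
    return dropped

# Constructed sample: the issue's log lines, with the audit event abridged.
SAMPLE_LOG = [
    '[2025-10-04T14:44:05,597][ERROR][o.o.s.a.s.InternalOpenSearchSink] [opensearch-cluster-master-0] Unable to index audit log {"audit_category":"INDEX_EVENT","audit_request_effective_user":"admin"} due to',
    "org.opensearch.indices.InvalidIndexNameException: Invalid index name [opensearch-auditlogs-write], already exists as alias",
    "\tat org.opensearch.cluster.metadata.MetadataCreateIndexService.validateIndexName(MetadataCreateIndexService.java:271) ~[opensearch-3.2.0.jar:3.2.0]",
    "[2025-10-04T14:44:05,598][INFO ][o.o.s.a.s.DebugSink      ] [opensearch-cluster-master-0] AUDIT_LOG: {",
]

if __name__ == "__main__":
    for rec in find_dropped_audit_events(SAMPLE_LOG):
        print(rec)
```

A non-empty result with `alias_target` set means audit events are reaching only the node log, not the configured audit index.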

Labels: enhancement, good first issue, triaged