Hi @gcusello,

Thank you for your valuable response regarding this issue. The problem is that the index where the app logs are being ingested is shared or a single one for the entire platform. This means we cannot make that index read-only (RO) for a specific role only. Even if we create a different role and give it RO access to that index, the logs will still be visible to other users.

Is there any other solution to this problem, or is the only solution to ingest those app logs into a different index and then apply restrictions to that specific index? Your insights and suggestions would be greatly appreciated.

Logs format:

index=app_platform

cf_app_id:
cf_app_name: names for different apps
cf_org_id:
cf_org_name:
cf_space_id:
cf_space_name:
deployment:
event_type:
ip:
job:
job_index:
message_type:
msg: [2023-09-26 05:54:26 +0000] [185] [DEBUG] Closing connection.
origin:
source_instance: 0
source_type: APP/PROC/WEB
timestamp: 1695707666892324540
}