Opensearch configuration¶
About¶
This folder contains CloudFormation configurations for an AWS OpenSearch cluster and a set of Logstash servers behind a load balancer.
Deprecation Notice¶
This file contains historical configurations related to the deployment of the OpenSearch service on AWS. The logstash service (deployed by logstashstack) is no longer used by the OpenDev community and it has been replaced by the logsender tool.
The current AWS CloudFormation configuration includes:
opensearchstack- for OpenSearchecr-stack- storing admin credentials for OpenSearch in Secret Manager.
Note: The ecr-stack may be removed in the future, but doing so requires changing administrator credentials!
Usage¶
You’ll need appropriate AWS permissions (to create and monitor resources). Put AWS credentials in ~/.aws/credentials and run deploy_opensearch.sh.
After Creation Opensearch¶
The Opensearch service requires additional configuration like creating readonly user, create logstash user etc.
Create user¶
Users will be created in the Opensearch dashboards service. We create only few internal users:
logstash - that will be used by logstash or logsender service (deprecated; replaced by logsender)
readonly - readonly user that will be able to discover data, check visualization and dashboards
openstack - readonly user with easy to remember password
NOTE:
To skip password_validation_regex validation for user that should have easy to remember password, like openstack user,
it has been created via REST API. For example:
bcrypt=$(htpasswd -bnBC 10 "" password | tr -d ':\n')
curl -X PUT "https://<opensearch API url>/_plugins/_security/api/internalusers/openstack" \
-H 'Content-Type: application/json' \
-d' { "hash" : "$2a$12$ABDOLV5fJDfXlkyNVAqD0O4AcUyvCV.Pq8jqLaPdHbsj0yRZYniNa" } ' \
--user 'admin:myuserpassword'
Creating roles¶
Role will be added in the Opensearch dashboards service. Created roles:
Readonly role is creaded base on the inscruction Details:
name: readonly
cluster permissions: cluster_composite_ops_ro, cluster:monitor/main
index permissions:
index: *
index permissions: read
tenant permissions:
tenant: global_tenant
Logstash role (modify) - deprecated Details:
name: logstash
cluster permissions: cluster_monitor, cluster_composite_ops, indices:admin/template/get, indices:admin/template/put, cluster:admin/ingest/pipeline/put, cluster:admin:ingest/pipeline/get
index permissions:
index: logstash-*, performance-*, subunit-*, *beat*
index permissions: crud, create_index
tenant permissions:
tenant: global_tenant
NOTE:
The cluster:monitor/main role is required to use Python Opensearch client.
NOTE:
The index *beat* is optional.
Create role mapping¶
After creating the role, inside the role you will be able to attach the user that should use it.
Create ILM - Index Lifecycle Management¶
In the OpenSearch Dashboard select Index Management, State management policies, and then Create Policy. Make a policy with the following policy statement:
For logstash-logs-*
Delete data for logstash-logs index after 14 days
{
"policy": {
"description": "Delete all data after 14 days",
"default_state": "hot",
"states": [
{
"name": "hot",
"actions": [],
"transitions": [
{
"state_name": "delete",
"conditions": {
"min_index_age": "14d"
}
}
]
},
{
"name": "delete",
"actions": [
{
"delete": {}
}
],
"transitions": []
}
],
"ism_template": [
{
"index_patterns": [
"logstash-logs-*"
]
}
]
}
}
This will delete all indices that are at least 14 days old (e.g. the logstash-logs-2021.12.15 index will be deleted on 2021-12-22).
For performance-*
Policy ID: Delete data for performance index after 14 days
{
"policy": {
"description": "Delete performance data after 14 days",
"default_state": "hot",
"states": [
{
"name": "hot",
"actions": [],
"transitions": [
{
"state_name": "delete",
"conditions": {
"min_index_age": "14d"
}
}
]
},
{
"name": "delete",
"actions": [
{
"delete": {}
}
],
"transitions": []
}
],
"ism_template": [
{
"index_patterns": [
"performance-*"
]
}
]
}
}
For subunit-*
Policy ID: Delete data for subunit index after 14 days
{
"policy": {
"description": "Delete subunit data after 14 days",
"default_state": "hot",
"states": [
{
"name": "hot",
"actions": [],
"transitions": [
{
"state_name": "delete",
"conditions": {
"min_index_age": "14d"
}
}
]
},
{
"name": "delete",
"actions": [
{
"delete": {}
}
],
"transitions": []
}
],
"ism_template": [
{
"index_patterns": [
"subunit-*"
]
}
]
}
}
Advenced settings in Opensearch Dashboards¶
There is only few changes applied comparing to default settings. Differences in sections:
General
Timezone for date formatting
UTC
Default route:
/app/discover?security_tenant=global
Time filter quick ranges:
[
{
"from": "now/d",
"to": "now/d",
"display": "Today"
},
{
"from": "now/w",
"to": "now/w",
"display": "This week"
},
{
"from": "now-15m",
"to": "now",
"display": "Last 15 minutes"
},
{
"from": "now-30m",
"to": "now",
"display": "Last 30 minutes"
},
{
"from": "now-1h",
"to": "now",
"display": "Last 1 hour"
},
{
"from": "now-6h",
"to": "now",
"display": "Last 6 hour"
},
{
"from": "now-12h",
"to": "now",
"display": "Last 12 hour"
},
{
"from": "now-24h",
"to": "now",
"display": "Last 24 hours"
},
{
"from": "now-7d",
"to": "now",
"display": "Last 7 days"
}
]
