Files
wehub-resource-sync 4b6817381b
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
CI / coverage-report (push) Has been cancelled
CI / test-kubernetes (push) Has been cancelled
CI / should-run-thorough (push) Has been cancelled
CI / test-thorough (cloudwatch-demo) (push) Has been cancelled
CI / test-thorough (flink-ecs) (push) Has been cancelled
CI / test-thorough (upstream-lambda) (push) Has been cancelled
CI / test-thorough (prefect-ecs-fargate) (push) Has been cancelled
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Has been cancelled
Benchmark image — build + push to ECR (any adapter) / build + push (push) Has been cancelled
CI / quality (ubuntu-latest) (push) Has been cancelled
CI / test (tools-runtime) (push) Has been cancelled
CI / test (e2e-general) (push) Has been cancelled
CI / test (cli-runtime) (push) Has been cancelled
CI / test (e2e-provider-and-openclaw) (push) Has been cancelled
CI / test (integrations-and-misc) (push) Has been cancelled
Release / verify (push) Has been cancelled
Release / build-python-dist (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Has been cancelled
Release / publish-release (push) Has been cancelled
Release / publish-main-release (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Has been cancelled
CodeQL / Analyze (python) (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Has been cancelled
Release / prepare (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Has been cancelled
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:10:45 +08:00

144 lines
6.1 KiB
Plaintext

---
title: "OpenSearch / Elasticsearch"
description: "Connect OpenSearch or Elasticsearch so OpenSRE can search application logs and analytics indices during investigations"
---
OpenSRE queries OpenSearch (or Elasticsearch) to retrieve application logs, error events, and analytics records — pulling concrete log lines into the investigation alongside metrics and traces from your other observability tools.
## Prerequisites
- OpenSearch 1.x/2.x or Elasticsearch 7.x/8.x reachable from the machine running OpenSRE
- The cluster URL (e.g. `https://my-cluster.us-east-1.es.amazonaws.com`)
- Credentials for one of:
- HTTP Basic Auth (username and password) — typical for self-hosted OpenSearch
- API key — typical for Elastic Cloud
- No auth — only when the cluster has the security plugin disabled
OpenSearch authenticates clients via Basic Auth by default; the security plugin does not natively issue API keys ([opensearch-project/security#4009](https://github.com/opensearch-project/security/issues/4009)). Most self-hosted clusters use Basic Auth.
## Setup
### Option 1: Interactive onboarding wizard
```bash
opensre onboard
```
Pick **OpenSearch / Elasticsearch** from the integration menu. The wizard asks for:
1. **OpenSearch URL** — the base URL of your cluster
2. **Authentication method** — choose one of:
- **Username + Password** (default) — for self-hosted OpenSearch with the security plugin enabled
- **API key** — for Elastic Cloud or clusters with API-key auth configured
- **None (security disabled)** — for clusters running with the security plugin disabled
The wizard validates the configuration by calling `GET /_cluster/health` before saving, so you'll see immediate feedback if the URL or credentials are wrong.
### Option 2: Legacy CLI
```bash
opensre integrations setup opensearch
```
Same prompts as the wizard, in a smaller standalone form.
### Option 3: Environment variables
Add to your `.env`:
```bash
OPENSEARCH_URL=https://my-cluster.example.com
# Basic Auth (typical for self-hosted OpenSearch)
OPENSEARCH_USERNAME=admin
OPENSEARCH_PASSWORD=secret
# API key (typical for Elastic Cloud — use instead of username/password)
OPENSEARCH_API_KEY=your-api-key
```
| Variable | Default | Description |
| --- | --- | --- |
| `OPENSEARCH_URL` | — | **Required.** Base URL of your OpenSearch / Elasticsearch cluster |
| `OPENSEARCH_USERNAME` | — | Basic auth username |
| `OPENSEARCH_PASSWORD` | — | Basic auth password |
| `OPENSEARCH_API_KEY` | — | API key (used in `Authorization: ApiKey ...` header) |
When both `OPENSEARCH_API_KEY` and Basic Auth credentials are set, the API key takes precedence. If only one of `OPENSEARCH_USERNAME` / `OPENSEARCH_PASSWORD` is set, no `Authorization` header is emitted (the cluster will reject the request, surfacing the misconfiguration).
### Option 4: Persistent store
```json
{
"version": 1,
"integrations": [
{
"id": "opensearch-prod",
"service": "opensearch",
"status": "active",
"credentials": {
"url": "https://my-cluster.example.com",
"username": "admin",
"password": "secret",
"api_key": "",
"index_pattern": "logs-*"
}
}
]
}
```
## Verify
```bash
opensre integrations verify opensearch
```
Expected output on success:
```
Service: opensearch
Status: passed
Detail: Connected to OpenSearch cluster 'my-cluster' (green, 3 node(s)).
```
## How it works in investigations
When an OpenSearch integration is configured, OpenSRE automatically includes it as an evidence source during every investigation. Two tools become available to the investigation agent:
### `query_elasticsearch_logs`
Searches log indices for messages matching a Lucene/KQL query within a bounded time window. The agent uses this to:
- Pull error and exception messages around the alert timestamp
- Filter logs by service, container, or correlation ID extracted from alert annotations
- Surface stack traces and panic messages that explain a metric anomaly
- Cross-reference logs against alerts firing in Datadog, Grafana, or Alertmanager
The tool returns both the raw matching logs and a separate `error_logs` slice pre-filtered for keywords like `error`, `exception`, `traceback`, and `panic`, so the agent can prioritize signal over noise.
### `query_opensearch_analytics`
Runs bounded analytics queries against any index pattern (default `*`). The agent uses this for non-log data stored in OpenSearch — APM events, audit trails, business metrics, or any custom analytics index your team maintains.
Both tools share the same configured credentials, so configuring the integration once enables both query paths.
## Troubleshooting
| Symptom | Fix |
| --- | --- |
| **Status: missing** | Set `OPENSEARCH_URL` or run `opensre onboard` and pick OpenSearch |
| **Connection refused** | Verify the URL is reachable from this host; check firewall and VPC rules |
| **401 Unauthorized** | Verify credentials are correct. For self-hosted OpenSearch, use Basic Auth (`OPENSEARCH_USERNAME` + `OPENSEARCH_PASSWORD`), not API key — most installs do not have API keys enabled |
| **SSL certificate errors** | For self-signed certificates, ensure the CA cert is in the system trust store |
| **Empty results from a known-good query** | Confirm the index pattern matches your data; the default `*` matches every index but specific patterns like `logs-*` are faster and more reliable |
| **`security_exception: no permissions`** | The user needs at least `read` and `view_index_metadata` permissions on the queried indices |
## Security best practices
- Create a **read-only** OpenSearch user for OpenSRE — the agent only reads logs and analytics indices and never writes to the cluster during investigations.
- Limit the role to the indices OpenSRE needs (typically logs and APM indices), not cluster-wide.
- Store credentials in `.env` or the integration store, not in source code.
- For Elastic Cloud, generate a scoped API key and rotate it on a schedule rather than using the master deployment credentials.
- For self-hosted clusters behind a reverse proxy, prefer Basic Auth over disabling security entirely — even on internal networks.