4b6817381b
CI (OpenClaw E2E) / openclaw test (push) Has been cancelled
CI / coverage-report (push) Has been cancelled
CI / test-kubernetes (push) Has been cancelled
CI / should-run-thorough (push) Has been cancelled
CI / test-thorough (cloudwatch-demo) (push) Has been cancelled
CI / test-thorough (flink-ecs) (push) Has been cancelled
CI / test-thorough (upstream-lambda) (push) Has been cancelled
CI / test-thorough (prefect-ecs-fargate) (push) Has been cancelled
Release / build-binaries (zip, opensre.exe, onefile, windows-latest, windows-x64) (push) Has been cancelled
Benchmark image — build + push to ECR (any adapter) / build + push (push) Has been cancelled
CI / quality (ubuntu-latest) (push) Has been cancelled
CI / test (tools-runtime) (push) Has been cancelled
CI / test (e2e-general) (push) Has been cancelled
CI / test (cli-runtime) (push) Has been cancelled
CI / test (e2e-provider-and-openclaw) (push) Has been cancelled
CI / test (integrations-and-misc) (push) Has been cancelled
Release / verify (push) Has been cancelled
Release / build-python-dist (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-15-intel, darwin-x64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, macos-latest, darwin-arm64) (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04, linux-x64) (push) Has been cancelled
Release / publish-release (push) Has been cancelled
Release / publish-main-release (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-checks (no-LLM) (push) Has been cancelled
CodeQL / Analyze (python) (push) Has been cancelled
Interactive Shell Live (PR + post-merge) / turn-live shard ${{ matrix.shard_index }} (push) Has been cancelled
Release / prepare (push) Has been cancelled
Release / build-binaries (tar.gz, opensre, onedir, ubuntu-22.04-arm, linux-arm64) (push) Has been cancelled
Synthetic Deterministic Tests / Synthetic offline (deterministic) (push) Has been cancelled
144 lines
6.1 KiB
Plaintext
144 lines
6.1 KiB
Plaintext
---
|
|
title: "OpenSearch / Elasticsearch"
|
|
description: "Connect OpenSearch or Elasticsearch so OpenSRE can search application logs and analytics indices during investigations"
|
|
---
|
|
|
|
OpenSRE queries OpenSearch (or Elasticsearch) to retrieve application logs, error events, and analytics records — pulling concrete log lines into the investigation alongside metrics and traces from your other observability tools.
|
|
|
|
## Prerequisites
|
|
|
|
- OpenSearch 1.x/2.x or Elasticsearch 7.x/8.x reachable from the machine running OpenSRE
|
|
- The cluster URL (e.g. `https://my-cluster.us-east-1.es.amazonaws.com`)
|
|
- Credentials for one of:
|
|
- HTTP Basic Auth (username and password) — typical for self-hosted OpenSearch
|
|
- API key — typical for Elastic Cloud
|
|
- No auth — only when the cluster has the security plugin disabled
|
|
|
|
OpenSearch authenticates clients via Basic Auth by default; the security plugin does not natively issue API keys ([opensearch-project/security#4009](https://github.com/opensearch-project/security/issues/4009)). Most self-hosted clusters use Basic Auth.
|
|
|
|
## Setup
|
|
|
|
### Option 1: Interactive onboarding wizard
|
|
|
|
```bash
|
|
opensre onboard
|
|
```
|
|
|
|
Pick **OpenSearch / Elasticsearch** from the integration menu. The wizard asks for:
|
|
|
|
1. **OpenSearch URL** — the base URL of your cluster
|
|
2. **Authentication method** — choose one of:
|
|
- **Username + Password** (default) — for self-hosted OpenSearch with the security plugin enabled
|
|
- **API key** — for Elastic Cloud or clusters with API-key auth configured
|
|
- **None (security disabled)** — for clusters running with the security plugin disabled
|
|
|
|
The wizard validates the configuration by calling `GET /_cluster/health` before saving, so you'll see immediate feedback if the URL or credentials are wrong.
|
|
|
|
### Option 2: Legacy CLI
|
|
|
|
```bash
|
|
opensre integrations setup opensearch
|
|
```
|
|
|
|
Same prompts as the wizard, in a smaller standalone form.
|
|
|
|
### Option 3: Environment variables
|
|
|
|
Add to your `.env`:
|
|
|
|
```bash
|
|
OPENSEARCH_URL=https://my-cluster.example.com
|
|
|
|
# Basic Auth (typical for self-hosted OpenSearch)
|
|
OPENSEARCH_USERNAME=admin
|
|
OPENSEARCH_PASSWORD=secret
|
|
|
|
# API key (typical for Elastic Cloud — use instead of username/password)
|
|
OPENSEARCH_API_KEY=your-api-key
|
|
```
|
|
|
|
| Variable | Default | Description |
|
|
| --- | --- | --- |
|
|
| `OPENSEARCH_URL` | — | **Required.** Base URL of your OpenSearch / Elasticsearch cluster |
|
|
| `OPENSEARCH_USERNAME` | — | Basic auth username |
|
|
| `OPENSEARCH_PASSWORD` | — | Basic auth password |
|
|
| `OPENSEARCH_API_KEY` | — | API key (used in `Authorization: ApiKey ...` header) |
|
|
|
|
When both `OPENSEARCH_API_KEY` and Basic Auth credentials are set, the API key takes precedence. If only one of `OPENSEARCH_USERNAME` / `OPENSEARCH_PASSWORD` is set, no `Authorization` header is emitted (the cluster will reject the request, surfacing the misconfiguration).
|
|
|
|
### Option 4: Persistent store
|
|
|
|
```json
|
|
{
|
|
"version": 1,
|
|
"integrations": [
|
|
{
|
|
"id": "opensearch-prod",
|
|
"service": "opensearch",
|
|
"status": "active",
|
|
"credentials": {
|
|
"url": "https://my-cluster.example.com",
|
|
"username": "admin",
|
|
"password": "secret",
|
|
"api_key": "",
|
|
"index_pattern": "logs-*"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
## Verify
|
|
|
|
```bash
|
|
opensre integrations verify opensearch
|
|
```
|
|
|
|
Expected output on success:
|
|
|
|
```
|
|
Service: opensearch
|
|
Status: passed
|
|
Detail: Connected to OpenSearch cluster 'my-cluster' (green, 3 node(s)).
|
|
```
|
|
|
|
|
|
## How it works in investigations
|
|
|
|
When an OpenSearch integration is configured, OpenSRE automatically includes it as an evidence source during every investigation. Two tools become available to the investigation agent:
|
|
|
|
### `query_elasticsearch_logs`
|
|
|
|
Searches log indices for messages matching a Lucene/KQL query within a bounded time window. The agent uses this to:
|
|
|
|
- Pull error and exception messages around the alert timestamp
|
|
- Filter logs by service, container, or correlation ID extracted from alert annotations
|
|
- Surface stack traces and panic messages that explain a metric anomaly
|
|
- Cross-reference logs against alerts firing in Datadog, Grafana, or Alertmanager
|
|
|
|
The tool returns both the raw matching logs and a separate `error_logs` slice pre-filtered for keywords like `error`, `exception`, `traceback`, and `panic`, so the agent can prioritize signal over noise.
|
|
|
|
### `query_opensearch_analytics`
|
|
|
|
Runs bounded analytics queries against any index pattern (default `*`). The agent uses this for non-log data stored in OpenSearch — APM events, audit trails, business metrics, or any custom analytics index your team maintains.
|
|
|
|
Both tools share the same configured credentials, so configuring the integration once enables both query paths.
|
|
|
|
## Troubleshooting
|
|
|
|
| Symptom | Fix |
|
|
| --- | --- |
|
|
| **Status: missing** | Set `OPENSEARCH_URL` or run `opensre onboard` and pick OpenSearch |
|
|
| **Connection refused** | Verify the URL is reachable from this host; check firewall and VPC rules |
|
|
| **401 Unauthorized** | Verify credentials are correct. For self-hosted OpenSearch, use Basic Auth (`OPENSEARCH_USERNAME` + `OPENSEARCH_PASSWORD`), not API key — most installs do not have API keys enabled |
|
|
| **SSL certificate errors** | For self-signed certificates, ensure the CA cert is in the system trust store |
|
|
| **Empty results from a known-good query** | Confirm the index pattern matches your data; the default `*` matches every index but specific patterns like `logs-*` are faster and more reliable |
|
|
| **`security_exception: no permissions`** | The user needs at least `read` and `view_index_metadata` permissions on the queried indices |
|
|
|
|
## Security best practices
|
|
|
|
- Create a **read-only** OpenSearch user for OpenSRE — the agent only reads logs and analytics indices and never writes to the cluster during investigations.
|
|
- Limit the role to the indices OpenSRE needs (typically logs and APM indices), not cluster-wide.
|
|
- Store credentials in `.env` or the integration store, not in source code.
|
|
- For Elastic Cloud, generate a scoped API key and rotate it on a schedule rather than using the master deployment credentials.
|
|
- For self-hosted clusters behind a reverse proxy, prefer Basic Auth over disabling security entirely — even on internal networks. |