Domain Operations
Once logged into the Centralized Logging with OpenSearch console, you can import an Amazon OpenSearch Service domain.
Prerequisites
- Centralized Logging with OpenSearch supports Amazon OpenSearch Service domains running engine version OpenSearch 1.3 or later.
- Centralized Logging with OpenSearch supports OpenSearch clusters within a VPC. If you don't have an Amazon OpenSearch Service domain yet, you can create one within a VPC. See Launching your Amazon OpenSearch Service domains within a VPC.
- Centralized Logging with OpenSearch supports OpenSearch clusters with fine-grained access control only. In the security configuration, the Access policy should look like the following image:
Import an Amazon OpenSearch Service Domain
1. Sign in to the Centralized Logging with OpenSearch console.
2. In the left navigation panel, under Domains, choose Import OpenSearch Domain.
3. On the Select domain page, choose a domain from the dropdown list. The dropdown list displays only domains in the same Region as the solution.
4. Choose Next.
5. On the Configure network page, under Network creation, choose Manual and choose Next; or choose Automatic and go to step 9.
6. Under VPC, choose a VPC from the list. By default, the solution creates a standalone VPC, and you can choose the one named LogHubVpc/DefaultVPC. You can also choose the same VPC as your Amazon OpenSearch Service domains.
7. Under Log Processing Subnet Group, select at least 2 subnets from the dropdown list. By default, the solution creates two private subnets. You can choose the subnets named LogHubVpc/DefaultVPC/privateSubnet1 and LogHubVpc/DefaultVPC/privateSubnet2.
8. Under Log Processing Security Group, select one from the dropdown list. By default, the solution creates one Security Group named ProcessSecurityGroup.
9. On the Create tags page, add tags if needed.
10. Choose Import.
Set up VPC Peering
By default, the solution creates a standalone VPC. You must create VPC Peering to allow the log processing layer to have access to your Amazon OpenSearch Service domains.
Note
Automatic mode will create VPC peering and configure route table automatically. You do not need to set up VPC peering again.
Follow this section to create VPC peering, update your security group, and update route tables.
Create VPC Peering Connection
1. Sign in to the Centralized Logging with OpenSearch console.
2. In the left navigation panel, under Domains, select OpenSearch Domains.
3. Find the domain that you imported and select the domain name.
4. Choose the Network tab.
5. Copy the VPC ID in both sections, OpenSearch domain network and Log processing network. You will create a Peering Connection between these two VPCs.
6. Navigate to Peering Connections in the VPC console.
7. Select the Create peering connection button.
8. On the Create peering connection page, enter a name.
9. For Select a local VPC to peer with, VPC ID (Requester), select the VPC ID of the Log processing network.
10. For Select another VPC to peer with, VPC ID (Accepter), select the VPC ID of the OpenSearch domain network.
11. Choose Create peering connection, and navigate to the peering connection detail page.
12. Choose the Actions button and choose Accept request.
Update Route Tables
1. Go to the Centralized Logging with OpenSearch console.
2. In the OpenSearch domain network section, choose the subnet under Availability Zone and Subnets to open the subnet console in a new tab.
3. Select the subnet, and choose the Route table tab.
4. Select the route table associated with the subnet to open the route table configuration page.
5. Select the Routes tab, and choose Edit routes.
6. Add a route for 10.255.0.0/16 (the CIDR of Centralized Logging with OpenSearch; if you created the solution with an existing VPC, change this value accordingly) whose target is the Peering Connection you created.
7. Go back to the Centralized Logging with OpenSearch console.
8. Choose the VPC ID under the OpenSearch domain network section.
9. Select the VPC ID on the VPC Console and find its IPv4 CIDR.
10. On the Centralized Logging with OpenSearch console, in the Log processing network section, choose the subnets under Availability Zone and Subnets to open the subnets in new tabs.
11. Repeat steps 3 to 6 to add the opposite route: configure the IPv4 CIDR of the OpenSearch VPC to point to the Peering Connection. You must repeat these steps for each subnet of the Log processing network.
Update Security Group of OpenSearch Domain
1. On the Centralized Logging with OpenSearch console, under the OpenSearch domain network section, select the Security Group ID in Security Groups to open the Security Group in a new tab.
2. On the console, select Edit inbound rules.
3. Add the rule ALLOW TCP/443 from 10.255.0.0/16 (the CIDR of Centralized Logging with OpenSearch; if you created Centralized Logging with OpenSearch with an existing VPC, change this value accordingly).
4. Choose Save rules.
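The route and security group changes in the two sections above can be planned before touching the consoles. The following script is an added example, not part of the solution's own code; it takes the two VPC CIDRs and the subnet-to-route-table mapping read from each subnet's Route table tab, refuses to continue when the CIDRs overlap (AWS will not accept a peering connection between overlapping CIDR blocks), emits one route per route table per direction, and produces the TCP/443 inbound rule scoped to the logging CIDR only. All IDs in the sample run are constructed placeholders.

```python
# Added example (not from the Centralized Logging with OpenSearch solution):
# plan the routes and the security group rule for the manual peering setup.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    route_table_id: str   # route table to edit
    destination: str      # destination CIDR
    target: str           # peering connection ID (pcx-...)


def plan_peering(logging_vpc_cidr, opensearch_vpc_cidr,
                 logging_subnet_rtbs, opensearch_subnet_rtbs, pcx_id):
    """Return (routes, inbound_rule) for the peering described on this page.

    logging_vpc_cidr is 10.255.0.0/16 for a default deployment; pass your own
    VPC's CIDR when the solution was created with an existing VPC. The
    *_subnet_rtbs arguments map subnet ID -> route table ID.
    """
    log_net = ipaddress.ip_network(logging_vpc_cidr, strict=True)
    os_net = ipaddress.ip_network(opensearch_vpc_cidr, strict=True)
    if log_net.overlaps(os_net):
        raise ValueError(f"{log_net} overlaps {os_net}: VPC peering is not possible")

    routes, seen = [], set()
    # OpenSearch side (Update Route Tables, step 6): logging CIDR -> peering.
    # Log processing side (step 11): OpenSearch CIDR -> peering, per subnet.
    for rtbs, dest in ((opensearch_subnet_rtbs, str(log_net)),
                       (logging_subnet_rtbs, str(os_net))):
        for rtb in rtbs.values():
            # Subnets often share a route table; add each route only once.
            if (rtb, dest) not in seen:
                seen.add((rtb, dest))
                routes.append(Route(rtb, dest, pcx_id))

    # Security group step 3: TCP/443 from the logging CIDR only, not 0.0.0.0/0.
    inbound_rule = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                    "CidrIp": str(log_net)}
    return routes, inbound_rule


if __name__ == "__main__":
    # Constructed sample IDs, not real resources.
    routes, rule = plan_peering(
        "10.255.0.0/16", "172.31.0.0/16",
        {"subnet-log1": "rtb-log", "subnet-log2": "rtb-log"},
        {"subnet-os1": "rtb-os"}, "pcx-EXAMPLE")
    for r in routes:
        print(r)
    print(rule)
```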
Remove an Amazon OpenSearch Service domain
If needed, you can remove the Amazon OpenSearch Service domains.
Important
Removing the domain from Centralized Logging with OpenSearch will NOT delete the Amazon OpenSearch Service domain in your AWS account. It will NOT impact any existing log analytics pipelines.
1. Sign in to the Centralized Logging with OpenSearch console.
2. In the navigation pane, under Domains, choose OpenSearch Domains.
3. Select the domain from the table.
4. Choose Remove.
5. In the confirmation dialog box, choose Remove.