Getting started - Centralized Logging with OpenSearch

Getting started

After deploying the solution, use this section to learn how to use Centralized Logging with OpenSearch for log ingestion (with AWS CloudTrail logs as the example) and log visualization.

You can also choose to start with Domain management, then build AWS Service Log Analytics Pipelines and Application Log Analytics Pipelines.

Steps

Step 1: Import an Amazon OpenSearch Service domain

Before you use the Centralized Logging with OpenSearch solution for the first time, you must import Amazon OpenSearch Service domains.

Centralized Logging with OpenSearch supports only Amazon OpenSearch Service domains that are within a VPC and have fine-grained access control enabled.

Important

Currently, Centralized Logging with OpenSearch supports Amazon OpenSearch Service with OpenSearch 1.3 or later.

Prerequisites

At least one Amazon OpenSearch Service domain within a VPC. If you don't have one yet, you can create an Amazon OpenSearch Service domain within a VPC. See Launching your Amazon OpenSearch Service domains within a VPC.
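The requirements stated above (domain within a VPC, fine-grained access control enabled, OpenSearch 1.3 or later) can be checked before import against the JSON returned by `aws opensearch describe-domain --domain-name <name>`. The following is an added example, not part of the solution or its documentation. The function names and sample responses are constructed, and reporting non-OpenSearch engines as unsupported is an assumption drawn from the version statement above.

```python
import json
import re
import sys

MIN_VERSION = (1, 3)  # "OpenSearch 1.3 or later", as stated above


def parse_engine(engine_version):
    """Split e.g. 'OpenSearch_2.11' into ('OpenSearch', (2, 11)); None if unparseable."""
    m = re.fullmatch(r"([A-Za-z]+)_(\d+)\.(\d+)", engine_version or "")
    return (m.group(1), (int(m.group(2)), int(m.group(3)))) if m else None


def preflight(describe_domain_output):
    """Return the reasons a domain fails the import requirements (empty list = ready)."""
    status = describe_domain_output.get("DomainStatus") or {}
    problems = []
    # Requirement: domain is within a VPC (public-endpoint domains carry no VPC ID).
    if not (status.get("VPCOptions") or {}).get("VPCId"):
        problems.append("not within a VPC")
    # Requirement: fine-grained access control is enabled.
    if not (status.get("AdvancedSecurityOptions") or {}).get("Enabled"):
        problems.append("fine-grained access control not enabled")
    # Requirement: OpenSearch 1.3 or later. Assumption: non-OpenSearch engines
    # (for example Elasticsearch_7.10) are reported as unsupported.
    # Versions are compared as integer tuples so that 2.11 sorts after 2.9.
    parsed = parse_engine(status.get("EngineVersion"))
    if parsed is None:
        problems.append("engine version missing or unrecognized")
    elif parsed[0] != "OpenSearch" or parsed[1] < MIN_VERSION:
        problems.append("engine %s does not meet OpenSearch 1.3 or later" % status["EngineVersion"])
    return problems


# Constructed sample responses, trimmed to the fields the check reads.
SAMPLE_READY = {"DomainStatus": {
    "DomainName": "example-logs", "EngineVersion": "OpenSearch_2.11",
    "VPCOptions": {"VPCId": "vpc-0example", "SubnetIds": ["subnet-0example"]},
    "AdvancedSecurityOptions": {"Enabled": True, "InternalUserDatabaseEnabled": False}}}
SAMPLE_NOT_READY = {"DomainStatus": {
    "DomainName": "example-public", "EngineVersion": "Elasticsearch_7.10",
    "AdvancedSecurityOptions": {"Enabled": False}}}

if __name__ == "__main__":
    # With a file argument, check saved describe-domain JSON; otherwise run the samples.
    docs = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [SAMPLE_READY, SAMPLE_NOT_READY]
    for doc in docs:
        name = (doc.get("DomainStatus") or {}).get("DomainName", "?")
        issues = preflight(doc)
        print(name, "OK" if not issues else "; ".join(issues))
```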

Steps

Use the following procedure to import an Amazon OpenSearch Service domain through the Centralized Logging with OpenSearch console.

  1. Sign in to the Centralized Logging with OpenSearch console (see instructions for accessing the console using Amazon Cognito user pool or OIDC).

  2. In the navigation pane, under Domains, choose Import OpenSearch Domain.

  3. On the Step 1. Select domain page, choose a domain from the dropdown list.

  4. Choose Next.

  5. On the Step 2. Configure network page, under Network creation, choose Automatic. If your Centralized Logging with OpenSearch and OpenSearch domains reside in two different VPCs, the Automatic mode will create a VPC Peering Connection between them, and update route tables. See details in Set up VPC Peering.

  6. On the Step 3. Create tags page, choose Import.

Step 2: Create Access Proxy

Note

The access proxy is optional and incurs additional cost. If you can connect to the Amazon OpenSearch Service domain's VPC (such as through a VPN connection), you don't need to activate an access proxy. You need it only if you want to connect to the Amazon OpenSearch Service dashboard from the public internet.

You can create an NGINX proxy and create a DNS record pointing to the proxy, so that you can access the Amazon OpenSearch Service dashboard securely from a public network. For more information, refer to Access Proxy.

Create an NGINX proxy

  1. Sign in to the Centralized Logging with OpenSearch console (see instructions for accessing the console using Amazon Cognito user pool or OIDC).

  2. In the navigation pane, under Domains, choose OpenSearch domains.

  3. Select the domain from the table.

  4. Under General configuration, choose Enable at the Access Proxy label.

  5. On the Create access proxy page, under Public access proxy, select at least 2 subnets that contain CLVpc/DefaultVPC/publicSubnetX for the Public Subnets.

  6. For Public Security Group, choose the Security Group that contains ProxySecurityGroup.

  7. Choose the NGINX Instance Key Name. This is the EC2 key name of the NGINX proxy.

  8. Enter the Domain Name.

  9. Choose the associated Load Balancer SSL Certificate that applies to the domain name.

  10. Choose Create.

After provisioning the proxy infrastructure, you must create an associated DNS record in your DNS resolver. The following procedure shows how to find the Application Load Balancer domain and then create a CNAME record pointing to it.

Create a DNS record

  1. Sign in to the Centralized Logging with OpenSearch console (see instructions for accessing the console using Amazon Cognito user pool or OIDC).

  2. In the navigation pane, under Domains, choose OpenSearch domains.

  3. Select the domain from the table.

  4. Choose the Access Proxy tab. Find Load Balancer Domain, which is the Application Load Balancer domain.

  5. Go to the DNS resolver, and create a CNAME record pointing to this domain. If your domain is managed by Amazon Route 53, refer to Creating records by using the Amazon Route 53 console.

Step 3: Ingest AWS CloudTrail Logs

You can build a log analytics pipeline to ingest AWS CloudTrail logs.

Important

Make sure your CloudTrail and Centralized Logging with OpenSearch are in the same AWS Region.

  1. Sign in to the Centralized Logging with OpenSearch Console (see instructions for accessing the console using Amazon Cognito user pool or OIDC).

  2. In the navigation pane, select AWS Service Log Analytics Pipelines.

  3. Choose Create a log ingestion.

  4. In the AWS Services section, choose AWS CloudTrail.

  5. Choose Next.

  6. Under Specify settings, for Trail, select one from the dropdown list.

  7. Choose Next.

  8. In the Specify OpenSearch domain section, select the imported domain for the Amazon OpenSearch Service domain.

  9. Choose Yes for Sample dashboard.

  10. Keep default values and choose Next.

  11. Choose Create.

Step 4: Access the dashboard

After the DNS record takes effect, you can access the built-in dashboard from anywhere through the proxy.

  1. Enter the domain of the proxy in your browser. Alternatively, click the Link button under Access Proxy in the General Configuration section of the domain.

  2. Enter your credentials to log in to the Amazon OpenSearch Service Dashboard.

  3. Click the username icon of the Amazon OpenSearch Service dashboard from the top right corner.

  4. Choose Switch Tenants.

  5. On the Select your tenant page, choose Global, and click Confirm.

  6. On the left navigation panel, choose Dashboards.

  7. Choose the dashboard created automatically and start to explore your data.