Resources
4 min read
OpenSearch Alerting enables you to manage and respond to critical events and anomalies quickly in your OpenSearch environment, making it crucial for maintaining the health and performance of your system. With OpenSearch alerting you can enhance security by monitoring for suspicious activities or security breaches in real-time. This helps improve the security posture of your organization's data infrastructure. As well as this, due to OpenSearch’s distributed architecture alerts can scale to manage large volumes of data and diverse use cases, guaranteeing that your monitoring activities remain effective as data volumes grow.
OpenSearch alerts empower your organization to track its data effectively, highlight issues promptly, and take proactive measures to guarantee the reliability, security, and performance of its data infrastructure. However, setting up and configuring OpenSearch alerting is not the simplest of tasks. Therefore, to assist you with this, in this article we will outline what OpenSearch alerts are and explain how you can configure OpenSearch alerting.
Contents
What is OpenSearch Alerting?
OpenSearch Alerting is a feature offered by OpenSearch, an open-source distributed search and analytics engine. It enables users to configure and manage alerts based on certain criteria or thresholds outlined on the data indexed in their OpenSearch clusters. With OpenSearch Alerting, users can build alerts to track their data in real-time or based on scheduled intervals. These alerts can be set up to trigger actions such as sending notifications via email, integrating with third-party systems using webhooks, or executing custom scripts.
OpenSearch Alerting: Key Terms
Before delving into OpenSearch alerting, it’s important to understand some key terms as they will be regularly referenced throughout this article.
| Term | Defintion |
|---|---|
| Monitor | A scheduled task that executes queries on designated OpenSearch indexes. The outcomes of these queries serve as input for one or multiple triggers. |
| Trigger | If conditions are met, generates alerts. |
| Alert | An occurrence linked to a trigger. Upon creating an alert, the trigger initiates actions, such as sending notifications. |
| Action | A specific task that is conducted once an alert is triggered. |
| Notification | A message that is sent to users when an alert is triggered. |
Configuring Alerts in OpenSearch
To begin utilizing OpenSearch’s powerful alerting feature it needs to be configured first. This guide will walk you through each step of the process and ensure that you can begin benefitting from the feature. It's important to ensure you have OpenSearch installed and properly configured in your environment.
1. Install and Configure OpenSearch Alerting Plugin
OpenSearch Alerting is provided as a plugin. You will need to install and configure the Alerting plugin to allow alerting capabilities in OpenSearch. You can install the plugin using the OpenSearch plugin manager.
2. Define Alerting Conditions
Begin by determining the metrics, events, or conditions that you want to track. These could include system metrics, application logs, or any other relevant data in your OpenSearch indexes. After this, you will need to establish the thresholds or conditions that will trigger alerts. For example, you might want to be alerted when CPU usage exceeds a certain percentage or when the number of error logs crosses a predefined threshold.
3. Create Watcher Configuration
In OpenSearch, alerts are created using a feature called Watcher. Now, you will need to define a Watcher configuration, which includes the conditions that will trigger the alert and the actions to be taken when the alert is triggered. Then, you’ll need to specify the actions to be performed when the alert condition is met. These actions can include sending email notifications, invoking webhooks, or executing custom scripts.
4. Test the Alerting Configuration
Before deploying your alerting configuration into production, you must test it thoroughly. Simulate different scenarios to guarantee that alerts are triggered accurately and that the configured actions behave as expected.
5. Deploy and Monitor Alerts
If you’re now content with the alerting configuration, deploy it into your production environment. You should continuously monitor the alerts to ensure that they are operating as expected and adjust the configuration as needed based on feedback and evolving requirements.
6. Maintain and Finetune
Now that your alerting configuration is deployed, regularly review and finetune your configuration based on changing data patterns, system performance, and feedback from alerting activities. This iterative process guarantees that your alerts remain effective and relevant over time.
Hosted OpenSearch for Alerting
Utilizing a Hosted OpenSearch solution like Logit.io can alleviate the time-consuming and challenging task of configuring and setting up the tool and have you creating production ready OpenSearch Stacks within minutes. With Logit.io's Hosted OpenSearch you can benefit from the added value provided from using a single platform for data centralisation. As well as this, our solution includes integrated event monitoring and alerting features, empowering you to oversee all data within your cluster and dispatch notifications to a designated endpoint as needed. If you're interested in finding out more about Logit.io's Hosted OpenSearch solution then don't hesitate to arrange a free demo or explore the solution for yourself with a 14-day free trial.
Configuring OpenSearch Alerts in Logit.io
In this section, we will take you through the steps to access alerting after selecting Launch Logs from the Logit.io dashboard to create a server high CPU alert. The full configuration guide for this can be viewed here.
- Launch OpenSearch Alerting: After clicking ‘Launch Logs’ from the Logit.io platform, choose ‘Alerting’ from the left menu and navigate to the ‘Monitors’ tab, select ‘Create Monitor’.
- Create Monitor: Here you can give your monitor an appropriate name, and choose ‘Per Query Monitor’ under ‘Monitor Type’ to create a monitor that monitors individual search queries. Also, you need to Choose "Visual Editor" as the defining method and Set the ‘Schedule Frequency’ to ‘Run Every’ to specify how frequently you want the monitor to run. In this example, every 5 minutes.
- Define Query: Next, in the visual editor, you will find a query builder interface. Setup your query by choosing the index, timefield which is normally @timestamp, and defining search conditions. Now, alter the query in the query editor, set the ‘Time range for the last’ to 1 minute and the ‘Data filter’ to system.cpu.user.norm.pct is greater than 0.85. Choose ‘Preview query and performance’ to view the number of hits this would match in your data.
- Outline Trigger Conditions: You will now need to set trigger conditions, choose ‘Add Trigger’ to begin creating alert conditions. Now, specify the level of severity for each trigger condition. Then set the trigger conditions depending on your query results.
- Define Actions: You can define actions to take specific actions when an alert is triggered, such as sending notifications or executing custom scripts. Select ‘Manage Channels’ to open a new window where you can add your Slack channel details. Also, you can leave the message as the default and select ‘Send test message’ to check that the alert arrives in your Slack channel.
- Save and Activate: If you're satisfied with the monitor configuration, choose ‘Create’ to save the new Monitor. After saving, you can activate the monitor to start monitoring your data based on the defined query and trigger conditions.
If you've enjoyed this article why not read The Top 10 OpenSearch plugins or The Best OpenSearch dashboard examples next?