Comprehensive OpenSearch Configuration Guide for Production

Table of Contents#

Introduction#

OpenSearch is a community-driven, open-source search and analytics suite derived from Elasticsearch 7.10.2. This guide provides comprehensive configuration recommendations for deploying OpenSearch in production environments, focusing on performance, security, and reliability.

Essential opensearch.yml Configuration#

Here’s a production-ready opensearch.yml configuration with detailed explanations:

1
# ======================== OpenSearch Configuration =========================
2
#
3
# NOTE: OpenSearch comes with reasonable defaults for most settings.
4
#       Before you set out to tweak and tune the configuration, make sure you
5
#       understand what are you trying to accomplish and the consequences.
6
#
7
# The primary way of configuring a node is via this file. This template lists
8
# the most important settings you may want to configure for a production cluster.
9
#
10
# Please consult the documentation for further information on configuration options:
11
# https://opensearch.org/docs/latest/
12
#
13
# ---------------------------------- Cluster -----------------------------------
14
#
15
# Use a descriptive name for your cluster:
16
#
17
cluster.name: wazuh-cluster
18
#
19
# ------------------------------------ Node ------------------------------------
20
#
21
# Use a descriptive name for the node:
22
#
23
node.name: node-1
24
#
25
# Add custom attributes to the node:
26
#
27
#node.attr.rack: r1
28
#
29
node.max_local_storage_nodes: "3"
30
#
31
# ----------------------------------- Paths ------------------------------------
32
#
33
# Path to directory where to store the data (separate multiple locations by comma):
34
#
35
path.data: /var/lib/opensearch
36
#
37
# Path to log files:
38
#
39
path.logs: /var/log/opensearch
40
#
41
# ----------------------------------- Memory -----------------------------------
42
#
43
# Lock the memory on startup:
44
#
45
#bootstrap.memory_lock: true
46
#
47
# Make sure that the heap size is set to about half the memory available
48
# on the system and that the owner of the process is allowed to use this
49
# limit.
50
#
51
# OpenSearch performs poorly when the system is swapping the memory.
52
#
53
# ---------------------------------- Network -----------------------------------
54
#
55
# Set the bind address to a specific IP (IPv4 or IPv6):
56
#
57
network.host: "0.0.0.0"
58
#
59
# Set a custom port for HTTP:
60
#
61
http.port: 9200
62
#
63
# For more information, consult the network module documentation.
64
#
65
# --------------------------------- Discovery ----------------------------------
66
#
67
# Pass an initial list of hosts to perform discovery when this node is started:
68
# The default list of hosts is ["127.0.0.1", "[::1]"]
69
#
70
#discovery.seed_hosts: ["host1", "host2"]
71
#
72
# Bootstrap the cluster using an initial set of master-eligible nodes:
73
#
74
#cluster.initial_master_nodes: ["node-1", "node-2"]
75
#
76
# For more information, consult the discovery and cluster formation module documentation.
77
#
78
# ---------------------------------- Gateway -----------------------------------
79
#
80
# Block initial recovery after a full cluster restart until N nodes are started:
81
#
82
#gateway.recover_after_nodes: 3
83
#
84
# For more information, consult the gateway module documentation.
85
#
86
# ---------------------------------- Various -----------------------------------
87
#
88
# Require explicit names when deleting indices:
89
#
90
#action.destructive_requires_name: true
91

92
######## Start OpenSearch Security Demo Configuration ########
93
# WARNING: revise all the lines below before you go into production
94
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/indexer.pem
95
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/indexer-key.pem
96
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
97
plugins.security.ssl.transport.enforce_hostname_verification: false
98
plugins.security.ssl.transport.resolve_hostname: false
99
plugins.security.ssl.http.enabled: true
100
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/indexer.pem
101
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/indexer-key.pem
102
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
103
plugins.security.allow_unsafe_democertificates: false
104
plugins.security.allow_default_init_securityindex: true
105
plugins.security.authcz.admin_dn:
106
  - CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US
107
plugins.security.enable_snapshot_restore_privilege: true
108
plugins.security.check_snapshot_restore_write_privileges: true
109
plugins.security.restapi.roles_enabled:
110
  ["all_access", "security_rest_api_access"]
111
plugins.security.system_indices.enabled: true
112
plugins.security.system_indices.indices:
113
  [
114
    ".plugins-ml-model",
115
    ".plugins-ml-task",
116
    ".opendistro-alerting-config",
117
    ".opendistro-alerting-alert*",
118
    ".opendistro-anomaly-results*",
119
    ".opendistro-anomaly-detector*",
120
    ".opendistro-anomaly-checkpoints",
121
    ".opendistro-anomaly-detection-state",
122
    ".opendistro-reports-*",
123
    ".opensearch-notifications-*",
124
    ".opensearch-notebooks",
125
    ".opensearch-observability",
126
    ".opendistro-asynchronous-search-response*",
127
    ".replication-metadata-store",
128
  ]
129
######## End OpenSearch Security Demo Configuration ########
130

131
plugins.security.nodes_dn:
132
  - CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US
133

134
### Option to allow Filebeat-oss 7.10.2 to work ###
135
compatibility.override_main_response_version: true

Production-Ready Configuration#

Complete Production opensearch.yml#

1
# ======================== OpenSearch Production Configuration =========================
2

3
# ---------------------------------- Cluster -----------------------------------
4
cluster.name: production-opensearch
5

6
# Prevent split brain
7
cluster.initial_master_nodes:
8
  - master-node-1
9
  - master-node-2
10
  - master-node-3
11

12
# Cluster routing settings
13
cluster.routing.allocation.disk.threshold_enabled: true
14
cluster.routing.allocation.disk.watermark.low: 85%
15
cluster.routing.allocation.disk.watermark.high: 90%
16
cluster.routing.allocation.disk.watermark.flood_stage: 95%
17

18
# ------------------------------------ Node ------------------------------------
19
node.name: ${NODE_NAME}
20
node.roles: [data, ingest, master, ml, remote_cluster_client]
21

22
# Node attributes for shard allocation awareness
23
node.attr.zone: ${ZONE}
24
node.attr.temp: hot
25

26
# ----------------------------------- Paths ------------------------------------
27
path.data: /var/lib/opensearch
28
path.logs: /var/log/opensearch
29
path.repo: /backup/opensearch
30

31
# ----------------------------------- Memory -----------------------------------
32
# Lock memory to prevent swapping
33
bootstrap.memory_lock: true
34

35
# ---------------------------------- Network -----------------------------------
36
network.host: ${NETWORK_HOST}
37
http.port: 9200
38
transport.port: 9300
39

40
# Bind to both loopback and external
41
network.bind_host: 0.0.0.0
42
network.publish_host: ${EXTERNAL_IP}
43

44
# --------------------------------- Discovery ----------------------------------
45
discovery.seed_hosts:
46
  - master-node-1:9300
47
  - master-node-2:9300
48
  - master-node-3:9300
49

50
# Minimum master nodes to prevent split brain
51
discovery.zen.minimum_master_nodes: 2
52

53
# ---------------------------------- Security ----------------------------------
54
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/node.pem
55
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/node-key.pem
56
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
57
plugins.security.ssl.transport.enforce_hostname_verification: true
58
plugins.security.ssl.transport.resolve_hostname: true
59

60
plugins.security.ssl.http.enabled: true
61
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/node.pem
62
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/node-key.pem
63
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
64

65
# Security plugin settings
66
plugins.security.authcz.admin_dn:
67
  - CN=admin,OU=IT,O=Company,L=City,C=US
68

69
plugins.security.nodes_dn:
70
  - CN=*.opensearch.company.com,OU=IT,O=Company,L=City,C=US
71

72
plugins.security.audit.enable_rest: true
73
plugins.security.audit.enable_transport: false
74
plugins.security.audit.resolve_bulk_requests: true
75
plugins.security.audit.config.disabled_rest_categories: NONE
76
plugins.security.audit.config.disabled_transport_categories: NONE
77

78
# ---------------------------------- Performance -------------------------------
79
# Thread pool settings
80
thread_pool.search.size: 50
81
thread_pool.search.queue_size: 1000
82
thread_pool.write.size: 30
83
thread_pool.write.queue_size: 500
84

85
# Indexing buffer
86
indices.memory.index_buffer_size: 20%
87
indices.memory.min_index_buffer_size: 96mb
88

89
# Field data cache
90
indices.fielddata.cache.size: 30%
91

92
# Query cache
93
indices.queries.cache.size: 10%
94

95
# Request cache
96
indices.requests.cache.size: 2%
97

98
# Recovery settings
99
indices.recovery.max_bytes_per_sec: 100mb
100

101
# ---------------------------------- Monitoring --------------------------------
102
# Enable monitoring
103
http.cors.enabled: true
104
http.cors.allow-origin: "*"
105
http.cors.allow-headers: "X-Requested-With,X-Auth-Token,Content-Type,Content-Length,Authorization"
106
http.cors.allow-credentials: true
107

108
# ---------------------------------- Snapshot ----------------------------------
109
# Repository settings
110
repositories.url.allowed_urls:
111
  - "http://backup.company.com/*"
112
  - "https://s3.amazonaws.com/*"
113

114
# ----------------------------------- Misc -------------------------------------
115
# Prevent accidental cluster deletion
116
action.destructive_requires_name: true
117

118
# Script settings
119
script.allowed_types: inline, stored
120
script.allowed_contexts: search, update, ingest
121

122
# Machine learning
123
node.ml: true
124
xpack.ml.enabled: true

JVM Configuration#

jvm.options Configuration#

1
## JVM configuration
2

3
################################################################
4
## IMPORTANT: JVM heap size
5
################################################################
6
##
7
## You should always set the min and max JVM heap
8
## size to the same value. For example, to set
9
## the heap to 4 GB, set:
10
##
11
## -Xms4g
12
## -Xmx4g
13
##
14
## See https://opensearch.org/docs/latest/opensearch/install/important-settings/
15
## for more information
16
##
17
################################################################
18

19
# Xms represents the initial size of total heap space
20
# Xmx represents the maximum size of total heap space
21

22
-Xms16g
23
-Xmx16g
24

25
################################################################
26
## Expert settings
27
################################################################
28
##
29
## All settings below this section are considered
30
## expert settings. Don't tamper with them unless
31
## you understand what you are doing
32
##
33
################################################################
34

35
## GC configuration
36
8-13:-XX:+UseConcMarkSweepGC
37
8-13:-XX:CMSInitiatingOccupancyFraction=75
38
8-13:-XX:+UseCMSInitiatingOccupancyOnly
39

40
## G1GC Configuration
41
# NOTE: G1 GC is only supported on JDK version 10 or later
42
# to use G1GC, uncomment the next two lines and update the version on the
43
# following three lines to your version of the JDK
44
# 10-13:-XX:-UseConcMarkSweepGC
45
# 10-13:-XX:-UseCMSInitiatingOccupancyOnly
46
14-:-XX:+UseG1GC
47
14-:-XX:G1ReservePercent=25
48
14-:-XX:InitiatingHeapOccupancyPercent=30
49

50
## JVM temporary directory
51
-Djava.io.tmpdir=${OPENSEARCH_TMPDIR}
52

53
## heap dumps
54

55
# generate a heap dump when an allocation from the Java heap fails
56
# heap dumps are created in the working directory of the JVM
57
-XX:+HeapDumpOnOutOfMemoryError
58

59
# specify an alternative path for heap dumps; ensure the directory exists and
60
# has sufficient space
61
-XX:HeapDumpPath=/var/lib/opensearch
62

63
# specify an alternative path for JVM fatal error logs
64
-XX:ErrorFile=/var/log/opensearch/hs_err_pid%p.log
65

66
## JDK 8 GC logging
67
8:-XX:+PrintGCDetails
68
8:-XX:+PrintGCDateStamps
69
8:-XX:+PrintTenuringDistribution
70
8:-XX:+PrintGCApplicationStoppedTime
71
8:-Xloggc:/var/log/opensearch/gc.log
72
8:-XX:+UseGCLogFileRotation
73
8:-XX:NumberOfGCLogFiles=32
74
8:-XX:GCLogFileSize=64m
75

76
# JDK 9+ GC logging
77
9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/opensearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
78

79
# Enable preview features for Java 14+
80
14-:--enable-preview
81

82
# Performance settings
83
-XX:MaxDirectMemorySize=8g
84
-XX:+AlwaysPreTouch
85
-XX:+DisableExplicitGC
86
-XX:+UseStringDeduplication

Security Configuration#

Setting Up SSL/TLS#

1
#!/bin/bash
2
# Generate certificates for OpenSearch cluster
3

4
# Create CA
5
openssl genrsa -out root-ca-key.pem 2048
6
openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 3650 \
7
  -subj "/C=US/ST=State/L=City/O=Company/OU=IT/CN=OpenSearch Root CA"
8

9
# Create node certificate
10
openssl genrsa -out node-key-temp.pem 2048
11
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
12
openssl req -new -key node-key.pem -out node.csr \
13
  -subj "/C=US/ST=State/L=City/O=Company/OU=IT/CN=*.opensearch.company.com"
14

15
# Sign certificate
16
openssl x509 -req -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem -days 3650
17

18
# Set permissions
19
chmod 600 *-key.pem
20
chmod 644 *.pem

Security Plugin Configuration#

1
_meta:
2
  type: "config"
3
  config_version: 2
4

5
config:
6
  dynamic:
7
    authc:
8
      basic_internal_auth_domain:
9
        description: "Authenticate via HTTP Basic against internal users database"
10
        http_enabled: true
11
        transport_enabled: true
12
        order: 0
13
        http_authenticator:
14
          type: basic
15
          challenge: true
16
        authentication_backend:
17
          type: intern
18

19
      ldap:
20
        description: "Authenticate via LDAP"
21
        http_enabled: true
22
        transport_enabled: true
23
        order: 1
24
        http_authenticator:
25
          type: basic
26
          challenge: true
27
        authentication_backend:
28
          type: ldap
29
          config:
30
            enable_ssl: true
31
            enable_start_tls: false
32
            enable_ssl_client_auth: false
33
            verify_hostnames: true
34
            hosts:
35
              - ldap.company.com:636
36
            bind_dn: cn=admin,dc=company,dc=com
37
            password: "ldap_password"
38
            userbase: ou=people,dc=company,dc=com
39
            usersearch: (uid={0})
40
            username_attribute: uid
41

42
    authz:
43
      roles_from_myldap:
44
        description: "Authorize via LDAP"
45
        http_enabled: true
46
        transport_enabled: true
47
        authorization_backend:
48
          type: ldap
49
          config:
50
            enable_ssl: true
51
            enable_start_tls: false
52
            enable_ssl_client_auth: false
53
            verify_hostnames: true
54
            hosts:
55
              - ldap.company.com:636
56
            bind_dn: cn=admin,dc=company,dc=com
57
            password: "ldap_password"
58
            rolebase: ou=groups,dc=company,dc=com
59
            rolesearch: (member={0})
60
            userroleattribute: null
61
            userrolename: memberOf
62
            rolename: cn
63
            resolve_nested_roles: true

Performance Tuning#

System Settings#

1
#!/bin/bash
2
# System performance tuning for OpenSearch
3

4
# Disable swap
5
sudo swapoff -a
6
sudo sed -i '/ swap / s/^/#/' /etc/fstab
7

8
# Set vm.max_map_count
9
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
10

11
# Set file descriptors
12
echo "* soft nofile 65535" | sudo tee -a /etc/security/limits.conf
13
echo "* hard nofile 65535" | sudo tee -a /etc/security/limits.conf
14
echo "* soft nproc 4096" | sudo tee -a /etc/security/limits.conf
15
echo "* hard nproc 4096" | sudo tee -a /etc/security/limits.conf
16

17
# Set memlock for opensearch user
18
echo "opensearch soft memlock unlimited" | sudo tee -a /etc/security/limits.conf
19
echo "opensearch hard memlock unlimited" | sudo tee -a /etc/security/limits.conf
20

21
# Apply sysctl settings
22
sudo sysctl -p
23

24
# Configure transparent huge pages
25
echo never | sudo tee /sys/kernel/mm/transparent_hugepage/enabled
26
echo never | sudo tee /sys/kernel/mm/transparent_hugepage/defrag
27

28
# Create systemd drop-in for OpenSearch
29
sudo mkdir -p /etc/systemd/system/opensearch.service.d
30
cat <<EOF | sudo tee /etc/systemd/system/opensearch.service.d/override.conf
31
[Service]
32
LimitNOFILE=65535
33
LimitNPROC=4096
34
LimitMEMLOCK=infinity
35
EOF
36

37
sudo systemctl daemon-reload

Index Settings for Performance#

1
{
2
  "settings": {
3
    "index": {
4
      "number_of_shards": 3,
5
      "number_of_replicas": 1,
6
      "refresh_interval": "30s",
7
      "translog": {
8
        "durability": "async",
9
        "sync_interval": "30s",
10
        "flush_threshold_size": "512mb"
11
      },
12
      "merge": {
13
        "scheduler": {
14
          "max_thread_count": 1
15
        },
16
        "policy": {
17
          "max_merged_segment": "5gb"
18
        }
19
      },
20
      "unassigned": {
21
        "node_left": {
22
          "delayed_timeout": "5m"
23
        }
24
      }
25
    },
26
    "analysis": {
27
      "analyzer": {
28
        "default": {
29
          "type": "standard",
30
          "stopwords": "_english_"
31
        }
32
      }
33
    }
34
  },
35
  "mappings": {
36
    "properties": {
37
      "@timestamp": {
38
        "type": "date"
39
      },
40
      "message": {
41
        "type": "text",
42
        "fields": {
43
          "keyword": {
44
            "type": "keyword",
45
            "ignore_above": 256
46
          }
47
        }
48
      }
49
    }
50
  }
51
}

Monitoring and Alerting#

Monitoring Configuration#

1
# Enable monitoring APIs
2
http.detailed_errors.enabled: true
3
rest.action.multi.allow_explicit_index: true
4

5
# Monitoring settings
6
monitoring.enabled: true
7
monitoring.collection.enabled: true
8
monitoring.collection.interval: 10s
9
monitoring.history.duration: 7d

Setting Up Alerts#

1
{
2
  "trigger": {
3
    "schedule": {
4
      "interval": {
5
        "period": 1,
6
        "unit": "MINUTES"
7
      }
8
    }
9
  },
10
  "input": {
11
    "search": {
12
      "request": {
13
        "indices": [".opensearch-cluster-stats*"],
14
        "body": {
15
          "query": {
16
            "bool": {
17
              "filter": [
18
                {
19
                  "range": {
20
                    "@timestamp": {
21
                      "gte": "now-5m"
22
                    }
23
                  }
24
                },
25
                {
26
                  "range": {
27
                    "nodes.jvm.mem.heap_used_percent": {
28
                      "gte": 90
29
                    }
30
                  }
31
                }
32
              ]
33
            }
34
          }
35
        }
36
      }
37
    }
38
  },
39
  "condition": {
40
    "compare": {
41
      "ctx.payload.hits.total.value": {
42
        "gt": 0
43
      }
44
    }
45
  },
46
  "actions": {
47
    "send_email": {
48
      "email": {
49
        "to": ["ops-team@company.com"],
50
        "subject": "High JVM Memory Usage Alert",
51
        "body": "OpenSearch cluster is experiencing high JVM memory usage (>90%)"
52
      }
53
    }
54
  }
55
}

Backup and Recovery#

Snapshot Repository Configuration#

1
# Create S3 repository
2
curl -XPUT "https://localhost:9200/_snapshot/s3_backup" \
3
  -H 'Content-Type: application/json' \
4
  -u admin:password \
5
  --insecure \
6
  -d '{
7
    "type": "s3",
8
    "settings": {
9
      "bucket": "opensearch-backups",
10
      "region": "us-east-1",
11
      "base_path": "snapshots",
12
      "compress": true,
13
      "chunk_size": "100mb",
14
      "max_restore_bytes_per_sec": "40mb",
15
      "max_snapshot_bytes_per_sec": "40mb"
16
    }
17
  }'
18

19
# Create snapshot policy
20
curl -XPUT "https://localhost:9200/_plugins/_sm/policies/daily_backup" \
21
  -H 'Content-Type: application/json' \
22
  -u admin:password \
23
  --insecure \
24
  -d '{
25
    "description": "Daily backup policy",
26
    "creation": {
27
      "schedule": {
28
        "cron": {
29
          "expression": "0 0 2 * * ?",
30
          "timezone": "UTC"
31
        }
32
      },
33
      "time_limit": "1h"
34
    },
35
    "deletion": {
36
      "condition": {
37
        "max_age": "30d",
38
        "max_count": 30,
39
        "min_count": 7
40
      },
41
      "time_limit": "1h"
42
    },
43
    "snapshot_config": {
44
      "indices": "*",
45
      "ignore_unavailable": true,
46
      "include_global_state": false,
47
      "partial": true
48
    }
49
  }'

Cluster Management#

Shard Allocation Filtering#

1
# Exclude a node from allocation
2
curl -XPUT "https://localhost:9200/_cluster/settings" \
3
  -H 'Content-Type: application/json' \
4
  -u admin:password \
5
  --insecure \
6
  -d '{
7
    "transient": {
8
      "cluster.routing.allocation.exclude._ip": "192.168.1.100"
9
    }
10
  }'
11

12
# Set allocation awareness
13
curl -XPUT "https://localhost:9200/_cluster/settings" \
14
  -H 'Content-Type: application/json' \
15
  -u admin:password \
16
  --insecure \
17
  -d '{
18
    "persistent": {
19
      "cluster.routing.allocation.awareness.attributes": "zone",
20
      "cluster.routing.allocation.awareness.force.zone.values": ["zone1", "zone2"]
21
    }
22
  }'

Index Lifecycle Management#

1
{
2
  "policy": {
3
    "description": "Hot-Warm-Cold architecture policy",
4
    "default_state": "hot",
5
    "states": [
6
      {
7
        "name": "hot",
8
        "actions": [
9
          {
10
            "rollover": {
11
              "min_size": "50gb",
12
              "min_index_age": "7d"
13
            }
14
          }
15
        ],
16
        "transitions": [
17
          {
18
            "state_name": "warm",
19
            "conditions": {
20
              "min_index_age": "7d"
21
            }
22
          }
23
        ]
24
      },
25
      {
26
        "name": "warm",
27
        "actions": [
28
          {
29
            "replica_count": {
30
              "number_of_replicas": 1
31
            }
32
          },
33
          {
34
            "shrink": {
35
              "number_of_shards": 1
36
            }
37
          },
38
          {
39
            "allocation": {
40
              "require": {
41
                "temp": "warm"
42
              }
43
            }
44
          }
45
        ],
46
        "transitions": [
47
          {
48
            "state_name": "cold",
49
            "conditions": {
50
              "min_index_age": "30d"
51
            }
52
          }
53
        ]
54
      },
55
      {
56
        "name": "cold",
57
        "actions": [
58
          {
59
            "replica_count": {
60
              "number_of_replicas": 0
61
            }
62
          },
63
          {
64
            "allocation": {
65
              "require": {
66
                "temp": "cold"
67
              }
68
            }
69
          }
70
        ],
71
        "transitions": [
72
          {
73
            "state_name": "delete",
74
            "conditions": {
75
              "min_index_age": "90d"
76
            }
77
          }
78
        ]
79
      },
80
      {
81
        "name": "delete",
82
        "actions": [
83
          {
84
            "delete": {}
85
          }
86
        ]
87
      }
88
    ]
89
  }
90
}

Troubleshooting#

Common Issues and Solutions#

High JVM Memory Usage

1
# Check heap usage
2
curl -XGET "https://localhost:9200/_nodes/stats/jvm?pretty" \
3
  -u admin:password --insecure
4

5
# Force garbage collection (use with caution)
6
curl -XPOST "https://localhost:9200/_nodes/_local/_hot_threads" \
7
  -u admin:password --insecure

Slow Queries

1
# Enable slow log
2
curl -XPUT "https://localhost:9200/_all/_settings" \
3
  -H 'Content-Type: application/json' \
4
  -u admin:password \
5
  --insecure \
6
  -d '{
7
    "index.search.slowlog.threshold.query.warn": "10s",
8
    "index.search.slowlog.threshold.query.info": "5s",
9
    "index.search.slowlog.threshold.query.debug": "2s",
10
    "index.search.slowlog.threshold.query.trace": "500ms",
11
    "index.search.slowlog.threshold.fetch.warn": "1s",
12
    "index.search.slowlog.threshold.fetch.info": "800ms",
13
    "index.search.slowlog.threshold.fetch.debug": "500ms",
14
    "index.search.slowlog.threshold.fetch.trace": "200ms"
15
  }'

Shard Allocation Issues

1
# Check allocation explanation
2
curl -XGET "https://localhost:9200/_cluster/allocation/explain?pretty" \
3
  -u admin:password --insecure
4

5
# Enable allocation
6
curl -XPUT "https://localhost:9200/_cluster/settings" \
7
  -H 'Content-Type: application/json' \
8
  -u admin:password \
9
  --insecure \
10
  -d '{
11
    "transient": {
12
      "cluster.routing.allocation.enable": "all"
13
    }
14
  }'

Best Practices#

Hardware Recommendations
- Use SSDs for data storage
- Minimum 64GB RAM for production
- Dedicate 50% of RAM to JVM heap (max 32GB)
- Use multiple data paths for better I/O
Index Design
- Use time-based indices for logs
- Implement proper mapping before indexing
- Use index templates for consistent settings
- Consider hot-warm-cold architecture
Security
- Always use TLS/SSL in production
- Implement strong authentication
- Regular security audits
- Keep OpenSearch updated
Monitoring
- Monitor cluster health continuously
- Set up alerts for critical metrics
- Regular backup verification
- Track query performance

Conclusion#

Proper OpenSearch configuration is crucial for building a reliable, performant, and secure search infrastructure. This guide provides a comprehensive foundation for production deployments, but remember to adjust settings based on your specific workload, hardware, and requirements. Regular monitoring, maintenance, and optimization are key to maintaining a healthy OpenSearch cluster.