How do I activate audit logs in OpenSearch Service?

3 minute read

I want to activate audit logs for Amazon OpenSearch Service.

Short description

Activating audit logs is a two-step process. First, configure your domain to publish audit logs to Amazon CloudWatch Logs. Then, activate and configure audit logs in OpenSearch Dashboards.

For more information, see Monitoring audit logs in Amazon OpenSearch Service.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Activate audit logs, and create an access policy

1. Open the OpenSearch Service console.

2. From the navigation pane, choose Domains, and then choose your domain.

3. Choose the Logs tab, choose Audit logs, and then choose Enable.

4. Create a CloudWatch log group, or choose an existing one.

5. Create an access policy similar to the following one:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream"
      ],
      "Resource": "cw_log_group_arn"
    }
  ]
}

6. Choose Enable.

Activate audit logs in OpenSearch Dashboards

1. Open OpenSearch Dashboards, and then choose Security from the navigation pane.

2. Choose Audit logs.

3. Choose Enable audit logging.

For an example configuration, see Audit log example.

Troubleshoot audit log errors

You didn't configure advanced security options

The following error occurs when you activate audit logs, and fine-grained access control isn't activated on your domain:

"UpdateDomainConfig: {"message":"audit log publishing cannot be enabled as you do not have advanced security options configured."}"

To resolve this error, activate fine-grained access control.

Resource limit exceeded

The following error occurs when the maximum number of CloudWatch Logs resource policies is reached per AWS Region:

"PutResourcePolicy: {"__type":"LimitExceededException","message":"Resource limit exceeded."}"

You can have up to 10 CloudWatch Logs resource policies per Region, per account. You can't change this quota. For more information, see CloudWatch Logs quotas.

To activate logs for multiple domains, you can reuse a policy that includes multiple log groups.

Run the following AWS CLI command to check the resource policies in your account per Region:

aws logs describe-resource-policies --region <region-name>

Note: Replace region-name with your Region.

To update your resource policy to cover multiple log groups, add a wildcard character "*". You can also configure multiple statements from different resource policies for all log groups, and delete the old policies. For example, if your log group names begin with /aws/OpenSearchService/domains/, then you can create a resource policy that applies to /aws/OpenSearchService/domains/*.

The following example resource policy allows you to use a single resource policy for all log groups that begin with /aws/OpenSearchService/domains/*:

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Effect": "Allow",

      "Principal": {

        "Service": "es.amazonaws.com"

      },

      "Action": [

        "logs:PutLogEvents",

        "logs:CreateLogStream"

      ],

      "Resource": "arn:aws:logs:us-east-1:<account id>:log-group:/aws/OpenSearchService/domains/*:*"

    }

  ]

}

You can now select this updated policy when you activate audit logs.

The access policy for the CloudWatch Logs log group doesn't grant sufficient permissions

You might receive the following error when you try to activate audit log publishing:

"The Resource Access Policy specified for the CloudWatch Logs log group does not grant sufficient permissions for Amazon OpenSearch Service to create a log stream. Please check the Resource Access Policy."

To resolve this error, verify that the resource element of your policy includes the correct log group ARN.

Related information

How do I troubleshoot fine-grained access control issues in my OpenSearch Service cluster?

Troubleshooting Amazon OpenSearch Service

Topics

Serverless Analytics

Relevant content

Pushing audit logs in Kinesis Data Streams to CloudWatch Logs
AWS-User-0624041
asked 7 months ago
MS SQL Audit Logs to CloudWatch Logs
AWS-User-0624041
asked 7 months ago
Parsing Redshift Audit logs
tjtoll
asked 6 months ago
Aurora RDS Audit log
Guillermo Pisqui
asked 2 years ago
general log vs audit log
Accepted Answer
AWS-User-1102301
asked 4 years ago
How do I view my AWS CloudHSM audit logs?
AWS OFFICIALUpdated 3 years ago
How can I enable audit logging for an Amazon RDS for MySQL or MariaDB instance and publish the logs to CloudWatch?
AWS OFFICIALUpdated a year ago
How can I turn on audit logging for my Amazon Aurora MySQL-Compatible DB cluster and publish the logs to CloudWatch?
AWS OFFICIALUpdated 2 years ago
How do I turn on audit logging in Amazon Redshift and Amazon Redshift Serverless?
AWS OFFICIALUpdated 2 years ago
How to customize audit logs in OpenSearch to see which queries were run by users?
EXPERT
Cathy W
published 2 months ago