Installing OpenSearch
Updated on 22 Jun 2022
Overview
Graylog 4.3 introduces the ability for users to choose between Elasticsearch v7.10 and OpenSearch v1.1, 1.2, or 1.3.
Prerequisites
- Graylog 4.3 is required prior to OpenSearch installation. Earlier versions of Graylog are not compatible with OpenSearch.
- Graylog 4.3 is compatible with OpenSearch v1.1, 1.2, or 1.3.
- Graylog Security users, including those utilizing Anomaly Detection, must use OpenSearch v1.2 or 1.3.
- Before installing, ensure that working DNS, or an updated hosts file, resolves the hostname of the interface used for OpenSearch traffic.
Debian / Ubuntu
The recommended method of installation is to follow the user documentation provided by the OpenSearch project. To set up your OpenSearch service with your Graylog instance, read the following recommendations and guidance.
Installation Prerequisites
We recommend you begin by downloading the latest version of OpenJDK.
sudo apt-get install openjdk-11-jdk
You may also want to disable transparent hugepages to improve performance.
sudo su
cat > /etc/systemd/system/disable-transparent-huge-pages.service <<EOF
[Unit]
Description=Disable Transparent Huge Pages (THP)
DefaultDependencies=no
After=sysinit.target local-fs.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
[Install]
WantedBy=basic.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable disable-transparent-huge-pages.service
sudo systemctl start disable-transparent-huge-pages.service
Tarball Installation
Do not run the included demo script! This will prevent changes in the configuration from taking effect indefinitely!
Create your OpenSearch user.
sudo adduser --system --disabled-password --disabled-login --home /var/empty --no-create-home --quiet --force-badname --group opensearch
Now, you can begin installing the OpenSearch tarball. Full instructions for tarball installation are available in the OpenSearch documentation.
#Download Opensearch 1.1.0
wget https://artifacts.opensearch.org/releases/bundle/opensearch/1.1.0/opensearch-1.1.0-linux-x64.tar.gz
#Create Directories
sudo mkdir -p /graylog/opensearch/data
sudo mkdir /var/log/opensearch
#Extract Contents from tar
sudo tar -zxf opensearch-1.1.0-linux-x64.tar.gz
sudo mv opensearch-1.1.0/* /graylog/opensearch/
#Set Permissions
sudo chown -R opensearch:opensearch /graylog/opensearch/
sudo chown -R opensearch:opensearch /var/log/opensearch
sudo chmod -R 2750 /graylog/opensearch/
sudo chmod -R 2750 /var/log/opensearch
#Create empty log file
sudo -u opensearch touch /var/log/opensearch/graylog.log
#Create System Service
sudo su
cat > /etc/systemd/system/opensearch.service <<EOF
[Unit]
Description=Opensearch
Documentation=https://opensearch.org/docs/latest
Requires=network.target remote-fs.target
After=network.target remote-fs.target
ConditionPathExists=/graylog/opensearch
ConditionPathExists=/graylog/opensearch/data
[Service]
Environment=OPENSEARCH_HOME=/graylog/opensearch
Environment=OPENSEARCH_PATH_CONF=/graylog/opensearch/config
ReadWritePaths=/var/log/opensearch
User=opensearch
Group=opensearch
WorkingDirectory=/graylog/opensearch
ExecStart=/graylog/opensearch/bin/opensearch
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=180
[Install]
WantedBy=multi-user.target
EOF
Graylog Configuration
Begin by opening the opensearch.yml file.
nano /graylog/opensearch/config/opensearch.yml
Update the following fields for a minimum unsecured running state. Note that plugins.security.disabled: true turns off authentication and TLS on the node, so the address given in network.host should be reachable only from the Graylog and OpenSearch hosts.
cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /graylog/opensearch/data
path.logs: /var/log/opensearch
network.host: ${HOSTNAME}
discovery.seed_hosts: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
cluster.initial_master_nodes: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
action.auto_create_index: false
plugins.security.disabled: true
Next, edit the JVM options file.
sudo nano /graylog/opensearch/config/jvm.options
Now, set the Xms and Xmx heap values to half of the installed system memory.
There is a known issue with OpenSearch's memory allocation algorithm: the maximum for these settings is 31GB. Going above this maximum will cause issues!
-Xms31g
-Xmx31g
Configure the kernel parameters at runtime and make the setting persistent across reboots.
sudo sysctl -w vm.max_map_count=262144
echo 'vm.max_map_count=262144' | sudo tee -a /etc/sysctl.conf
Finally, enable the system service.
sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
sudo systemctl start opensearch.service
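Before enabling the service, a quick pre-flight check of the settings from the opensearch.yml, jvm.options and kernel parameter steps above catches the mistakes this page warns about: a heap over 31g, Xms and Xmx that differ, vm.max_map_count not applied, and transparent hugepages still enabled. The script below is an added example and is not part of the Graylog or OpenSearch documentation. It assumes the file paths used on this page, takes the values to check as arguments so it can also be run against constructed sample files, and its function names (check_jvm_heap, check_max_map_count, check_thp, check_yml_key, check_host) are my own.

```shell
#!/bin/sh
# Added example: pre-flight checks for the OpenSearch settings described above.
# Not part of the Graylog or OpenSearch documentation; paths follow this page.

# heap_to_mb SIZE: convert a JVM heap size such as 31g, 512m or 2048k to MiB.
heap_to_mb() {
    size=$1
    num=${size%[gGmMkK]}        # strip the unit suffix
    unit=${size#"$num"}         # what was stripped, if anything
    case "$unit" in
        g|G) echo $((num * 1024)) ;;
        m|M) echo "$num" ;;
        k|K) echo $((num / 1024)) ;;
        *)   return 1 ;;        # no recognised unit
    esac
}

# check_jvm_heap FILE: -Xms and -Xmx must both be set, be equal, and not
# exceed the 31g limit stated above. Returns 0 when the file passes.
check_jvm_heap() {
    file=$1
    xms=$(sed -n 's/^-Xms\([0-9][0-9]*[gGmMkK]\).*/\1/p' "$file" | tail -n 1)
    xmx=$(sed -n 's/^-Xmx\([0-9][0-9]*[gGmMkK]\).*/\1/p' "$file" | tail -n 1)
    if [ -z "$xms" ] || [ -z "$xmx" ]; then
        echo "heap: -Xms/-Xmx missing or without unit in $file"; return 1
    fi
    xms_mb=$(heap_to_mb "$xms") || return 1
    xmx_mb=$(heap_to_mb "$xmx") || return 1
    if [ "$xms_mb" -ne "$xmx_mb" ]; then
        echo "heap: -Xms ($xms) differs from -Xmx ($xmx)"; return 1
    fi
    if [ "$xmx_mb" -gt $((31 * 1024)) ]; then
        echo "heap: $xmx exceeds the 31g limit"; return 1
    fi
    echo "heap: ok ($xmx)"
}

# check_max_map_count VALUE: the running kernel value must be at least 262144.
check_max_map_count() {
    if [ "$1" -ge 262144 ] 2>/dev/null; then
        echo "vm.max_map_count: ok ($1)"
    else
        echo "vm.max_map_count: '$1' is below 262144 or not a number"; return 1
    fi
}

# check_thp STATE: STATE is the content of
# /sys/kernel/mm/transparent_hugepage/enabled, e.g. "always madvise [never]";
# the bracketed word is the active setting and must be "never".
check_thp() {
    case "$1" in
        *"[never]"*) echo "thp: ok" ;;
        *) echo "thp: still enabled ($1)"; return 1 ;;
    esac
}

# check_yml_key FILE KEY EXPECTED: top-level "key: value" lookup for
# opensearch.yml; passes only when KEY is present with value EXPECTED.
check_yml_key() {
    file=$1 key=$2 expected=$3
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal
    actual=$(sed -n "s/^$pattern:[[:space:]]*//p" "$file" | tail -n 1)
    if [ "$actual" = "$expected" ]; then
        echo "$key: ok"
    else
        echo "$key: got '${actual:-<unset>}', want '$expected'"; return 1
    fi
}

# check_host: run every check against the live node, using the paths from
# this page. Returns non-zero if any check fails.
check_host() {
    rc=0
    check_jvm_heap /graylog/opensearch/config/jvm.options || rc=1
    check_max_map_count "$(sysctl -n vm.max_map_count)" || rc=1
    check_thp "$(cat /sys/kernel/mm/transparent_hugepage/enabled)" || rc=1
    check_yml_key /graylog/opensearch/config/opensearch.yml action.auto_create_index false || rc=1
    check_yml_key /graylog/opensearch/config/opensearch.yml path.data /graylog/opensearch/data || rc=1
    return $rc
}

if [ "${1:-}" = "--host" ]; then
    check_host
    exit $?
fi

# Otherwise exercise the checks on constructed sample files (not a real host).
demo=$(mktemp -d)
printf '%s\n' '-Xms31g' '-Xmx31g' > "$demo/jvm.options"
printf '%s\n' 'cluster.name: graylog' 'action.auto_create_index: false' \
    'plugins.security.disabled: true' > "$demo/opensearch.yml"
check_jvm_heap "$demo/jvm.options"
check_max_map_count 262144
check_thp "always madvise [never]"
check_yml_key "$demo/opensearch.yml" action.auto_create_index false
rm -rf "$demo"
```

Run it with --host on the OpenSearch node to check the live configuration before starting the service; without arguments it only exercises the checks on the constructed sample files.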
CentOS
Instructions for installing OpenSearch may be found in the user documentation provided by the OpenSearch project. Further recommendations regarding OpenSearch and your Graylog instance in a CentOS environment are coming soon.