Installing OpenSearch

Overview

Graylog 4.3 introduces the ability for users to choose between Elasticsearch v7.10 and OpenSearch v1.1, 1.2, or 1.3.

Prerequisites

• Graylog 4.3 is required prior to OpenSearch installation. Earlier versions of Graylog are not compatible with OpenSearch.
• Graylog 4.3 is compatible with OpenSearch v1.1, 1.2, or 1.3.
• Graylog Security users, including those utilizing Anomaly Detection, must use OpenSearch v1.2 or 1.3.
• Before installing, ensure that you have obtained a working DNS or host file updated with the interface used for OpenSearch traffic.

Debian / Ubuntu

The recommended method of installation is to follow the user documentation provided by the OpenSource service. To set up your OpenSearch service with your Graylog instance, read the following recommendations and guidance.

Installation Prerequisites

We recommend you begin by downloading the latest version of OpenJDK.

sudo apt-get install openjdk-11-jdk

Additionally, you may also prefer to disable transparent hugepages to improve performance.

sudo su

cat > /etc/systemd/system/disable-transparent-huge-pages.service <<EOF
Description=Disable Transparent Huge Pages (THP)
DefaultDependencies=no
After=sysinit.target local-fs.target
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never | tee /sys/kernel/mm/transparent_hugepage/enabled > /dev/null'
[Install]
WantedBy=basic.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable disable-transparent-huge-pages.service
sudo systemctl start disable-transparent-huge-pages.service

Tarball Installation

Create your OpenSearch user.

sudo adduser --system --disabled-password --disabled-login --home /var/empty --no-create-home --quiet --force-badname --group opensearch

Now, you can begin the installation of the OpenSearch tarball. Full instructions for tarball installation are recorded in the OpenSearch documentation.

#Download Opensearch 1.1.0
wget https://artifacts.opensearch.org/releases/bundle/opensearch/1.1.0/opensearch-1.1.0-linux-x64.tar.gz

#Create Directories
sudo mkdir -p /graylog/opensearch/data
sudo mkdir /var/log/opensearch

#Extract Contents from tar
sudo tar -zxf opensearch-1.1.0-linux-x64.tar.gz 
sudo mv opensearch-1.1.0/* /graylog/opensearch/

#Set Permissions
sudo chown -R opensearch:opensearch /graylog/opensearch/
sudo chown -R opensearch:opensearch /var/log/opensearch
sudo chmod -R 2750 /graylog/opensearch/
sudo chmod -R 2750 /var/log/opensearch

#Create empty log file
sudo -u opensearch touch /var/log/opensearch/graylog.log

#Create System Service
sudo su
cat > /etc/systemd/system/opensearch.service <<EOF
[Unit]
Description=Opensearch
Documentation=https://opensearch.org/docs/latest
Requires=network.target remote-fs.target
After=network.target remote-fs.target
ConditionPathExists=/graylog/opensearch
ConditionPathExists=/graylog/opensearch/data
[Service]
Environment=OPENSEARCH_HOME=/graylog/opensearch
Environment=OPENSEARCH_PATH_CONF=/graylog/opensearch/config
ReadWritePaths=/var/log/opensearch
User=opensearch
Group=opensearch
WorkingDirectory=/graylog/opensearch
ExecStart=/graylog/opensearch/bin/opensearch
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=180
[Install]
WantedBy=multi-user.target
EOF

Graylog Configuration

Begin by opening the yml file.

nano /graylog/opensearch/config/opensearch.yml

Update the following fields for a minimum unsecured running state.

cluster.name: graylog
node.name: ${HOSTNAME}
path.data: /graylog/opensearch/data
path.logs: /var/log/opensearch
network.host: ${HOSTNAME}
discovery.seed_hosts: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
cluster.initial_master_nodes: ["SERVERNAME01", "SERVERNAME02", "SERVERNAME03"]
action.auto_create_index: false
plugins.security.disabled: true

Enable JVM options.

sudo nano /graylog/opensearch/config/jvm.options

Now, update the XMS settings with half of the installed system memory.

Xms31g
Xmx31g

Configure the kernel parameters at runtime.

sudo sysctl -w vm.max_map_count=262144
sudo echo 'vm.max_map_count=262144' >> /etc/sysctl.conf

Finally, enable the system service.

sudo systemctl daemon-reload
sudo systemctl enable opensearch.service
sudo systemctl start opensearch.service

CentOS

Instructions for installing OpenSearch may be found in the user documentation provided by the service. Further recommendations regarding OpenSearch and your Graylog instance in a CentOS environment are coming soon.