OpenSearch audit logs can be used to help determine the search request load on a given domain.
Audit logs are grouped into two categories:
- REST layer - communication with HTTP clients, i.e. all HTTP requests that arrive at the cluster
- Transport layer - communication between nodes
In this example we explore how to enable REST layer audit logs and find search operations within them.
- Enable audit logs - AWS Console
Navigate to the OpenSearch page on the AWS console, select your domain, select the logs section and then enable audit logs.
Follow the prompts to create a CloudWatch log group and access policy.
- Enable audit logs - OpenSearch Dashboard
Log into the OpenSearch dashboard, navigate to the security page, then to the audit logs section. Enable the REST layer audit. Enable logging of the REST request body if desired (this records the full query payload of each request in CloudWatch, so only turn it on if you need that detail).
Logging on the REST layer is now enabled. Make several requests to the OpenSearch domain to generate log entries.
- View REST audit logs in CloudWatch
The audit logs will be populated in the CloudWatch log group you created or selected when you enabled audit logs. Navigate to the CloudWatch log group and then to the log stream. You can search the log stream for _search.
This returns requests with _search as part of the request URL. Understanding search request volumes can help you understand the search request load at different dates and times.
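As an added example (not part of the original post), the Python below takes exported REST audit log lines and counts _search requests per UTC hour and per effective user, which is the "load at different dates and times" view the CloudWatch substring search only approximates. Field names follow the OpenSearch security plugin's audit log format; the sample lines are constructed for this example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit events (field names per the OpenSearch security plugin's
# audit log format; all values are made up for this example).
SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"@timestamp": "2024-03-01T10:05:12.000+00:00", "audit_request_layer": "REST",
     "audit_rest_request_path": "/logs-2024/_search", "audit_request_effective_user": "app_reader"},
    {"@timestamp": "2024-03-01T10:40:03.000+00:00", "audit_request_layer": "REST",
     "audit_rest_request_path": "/logs-2024/_search?q=error", "audit_request_effective_user": "app_reader"},
    {"@timestamp": "2024-03-01T10:50:00.000+00:00", "audit_request_layer": "REST",
     "audit_rest_request_path": "/logs-2024/_doc/1", "audit_request_effective_user": "app_writer"},
    {"@timestamp": "2024-03-01T11:15:30.000+00:00", "audit_request_layer": "REST",
     "audit_rest_request_path": "/_search", "audit_request_effective_user": "app_reader"},
    {"@timestamp": "2024-03-01T11:16:00.000+00:00", "audit_request_layer": "TRANSPORT",
     "audit_transport_request_type": "SearchRequest", "audit_request_effective_user": "app_reader"},
]] + ["not a json line"]  # stray non-JSON text in an export is skipped, not a crash


def parse_audit_line(line):
    """Parse one JSON audit line; return None for non-JSON text."""
    try:
        return json.loads(line)
    except ValueError:
        return None


def is_search_request(event):
    """REST-layer event whose last path segment (query string stripped) is _search."""
    if event.get("audit_request_layer") != "REST":
        return False  # transport-layer events carry no REST request path
    path = event.get("audit_rest_request_path", "").split("?", 1)[0]
    return path.rstrip("/").rsplit("/", 1)[-1] == "_search"


def search_load(lines):
    """Count _search requests per UTC hour and per effective user."""
    per_hour, per_user = Counter(), Counter()
    for event in map(parse_audit_line, lines):
        if not isinstance(event, dict) or not is_search_request(event):
            continue
        ts = datetime.fromisoformat(event["@timestamp"]).astimezone(timezone.utc)
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
        per_user[event.get("audit_request_effective_user", "<unknown>")] += 1
    return per_hour, per_user
```

Matching on the final path segment rather than the substring _search keeps index names such as my_search_index and endpoints such as _msearch out of the count; loosen is_search_request if you want those included.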