How to make active indexes Immutable?

Hi,

I am using AWS Managed OpenSearch (version 2.17) and ingesting logs via Logstash, which collects logs from Filebeat and Auditbeat on my servers.

I have configured Logstash to create monthly indexes using the Logstash output plugin. My current lifecycle approach:

  • Move indexes to read-only after a month using index.blocks.write.
  • Drop indexes after 90 days using an ILM policy.

I was wondering if OpenSearch has a built-in setting for immutability on active indexes.
Specifically, once Logstash writes data to an OpenSearch index, is there a way to prevent any modifications or deletions while still allowing new writes?

I know that index.blocks.write makes indexes read-only, but enabling this on an active index would also block new writes, which is not ideal.

I understand that role-based authentication (RBAC) can restrict users from modifying data, but I wanted to check if OpenSearch provides any direct setting for making already written data immutable while keeping the index writable for new documents.

Would appreciate any insights!

Thanks.

You can use the create action in Logstash.

    output {
      opensearch {
        hosts => ["https://hostname:port"]
        auth_type => {
          type => 'basic'
          user => 'admin'
          password => ''
        }
        index => "my-data-stream"
        # "create" fails if a document with the same ID already exists,
        # instead of overwriting it
        action => "create"
      }
    }

In general, using data streams in OpenSearch prevents indexing requests that are not of type “create”. However, update-by-query and delete-by-query are still possible.
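
The answer notes that update-by-query and delete-by-query still work against a data stream, and the question names RBAC as the remaining control. The following is an added example, not part of the thread: it audits a security-plugin role definition for index permissions that would let its user update or delete documents already written. The role bodies, the action-group expansions and the function names are assumptions constructed for illustration, and only index permissions are checked.

```python
from fnmatch import fnmatchcase

# Actions that change or remove documents (or whole indexes) already written.
MUTATING = [
    "indices:data/write/update",
    "indices:data/write/update/byquery",
    "indices:data/write/delete",
    "indices:data/write/delete/byquery",
    "indices:admin/delete",
]

# Assumed expansions of some default action groups; confirm them with
# GET _plugins/_security/api/actiongroups on your own cluster.
ACTION_GROUPS = {
    "indices_all": ["indices:*"],
    "write": ["indices:data/write*", "indices:admin/mapping/put"],
    "delete": ["indices:data/write/delete*"],
    "crud": ["indices:data/read*", "indices:data/write*", "indices:admin/mapping/put"],
}

def expand(actions):
    """Replace known action-group names with the action patterns they stand for."""
    return [p for a in actions for p in ACTION_GROUPS.get(a, [a])]

def mutation_findings(role, index_name):
    """List (index_pattern, granted, action) for each mutating action allowed on index_name."""
    findings = []
    for perm in role.get("index_permissions", []):
        for pattern in perm.get("index_patterns", []):
            if not fnmatchcase(index_name, pattern):
                continue
            for granted in expand(perm.get("allowed_actions", [])):
                findings += [(pattern, granted, a) for a in MUTATING if fnmatchcase(a, granted)]
    return findings

# Constructed role bodies in the shape used by _plugins/_security/api/roles.
BROAD_ROLE = {"index_permissions": [
    {"index_patterns": ["*"], "allowed_actions": ["crud", "create_index"]}]}
APPEND_ONLY_ROLE = {"index_permissions": [
    {"index_patterns": ["my-data-stream*"],
     "allowed_actions": ["indices:data/write/index", "indices:data/write/bulk*"]}]}

if __name__ == "__main__":
    for name, role in (("broad", BROAD_ROLE), ("append-only", APPEND_ONLY_ROLE)):
        hits = mutation_findings(role, "my-data-stream")
        print(name, "->", sorted({a for _, _, a in hits}) or "no mutating actions")
```

The matcher handles plain `*` wildcards only, so roles that use regular-expression index patterns need a separate check.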