Hi,
I am using AWS Managed OpenSearch (version 2.17) and ingesting logs via Logstash, which collects logs from Filebeat and Auditbeat on my servers.
I have configured Logstash to create monthly indexes using the Logstash output plugin. My current lifecycle approach:
- Move indexes to read-only after a month using `index.blocks.write`.
- Drop indexes after 90 days using an ILM policy.
I was wondering if OpenSearch has a built-in setting for immutability on active indexes.
Specifically, once Logstash writes data to an OpenSearch index, is there a way to prevent any modifications or deletions while still allowing new writes?
I know that `index.blocks.write` makes indexes read-only, but enabling this on an active index would also block new writes, which is not ideal.
I understand that role-based authentication (RBAC) can restrict users from modifying data, but I wanted to check if OpenSearch provides any direct setting for making already written data immutable while keeping the index writable for new documents.
Would appreciate any insights!
Thanks.
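The lifecycle described in the post (write block after a month, delete after 90 days), written out as an OpenSearch Index State Management policy. This is an added example, not part of the original post. It also checks one edge case of monthly indexes: a 30-day age threshold blocks writes on the last day of a 31-day month. The index pattern `logs-*`, the two-day grace period and the helper names are assumptions.

```python
import calendar
import json
from datetime import date, timedelta

# Assumptions, not from the post: index pattern and late-event grace period.
INDEX_PATTERN = "logs-*"
GRACE_DAYS = 2

def blocks_live_writes(created: date, min_age_days: int) -> bool:
    """True if a monthly index created on `created` would get its write
    block before that calendar month is over (ISM ages count from creation)."""
    days_in_month = calendar.monthrange(created.year, created.month)[1]
    month_end = created.replace(day=days_in_month)
    return created + timedelta(days=min_age_days) <= month_end

def build_policy(read_only_days: int, delete_days: int) -> dict:
    """ISM policy: hot -> read_only (sets index.blocks.write) -> delete."""
    if not 0 < read_only_days < delete_days:
        raise ValueError("read-only age must be positive and below delete age")
    def state(name, actions, nxt=None, age=None):
        trans = [{"state_name": nxt,
                  "conditions": {"min_index_age": f"{age}d"}}] if nxt else []
        return {"name": name, "actions": actions, "transitions": trans}
    return {"policy": {
        "description": "write block after a month, delete after 90 days",
        "default_state": "hot",
        "states": [
            state("hot", [], "read_only", read_only_days),
            state("read_only", [{"read_only": {}}], "delete", delete_days),
            state("delete", [{"delete": {}}]),
        ],
        "ism_template": [{"index_patterns": [INDEX_PATTERN], "priority": 100}],
    }}

if __name__ == "__main__":
    # Constructed sample: index created on the 1st of a 31-day month.
    print(blocks_live_writes(date(2025, 1, 1), 30))               # 30d is too early
    print(blocks_live_writes(date(2025, 1, 1), 31 + GRACE_DAYS))  # safe
    print(json.dumps(build_policy(31 + GRACE_DAYS, 90), indent=2))
```

The printed JSON is the request body for `PUT _plugins/_ism/policies/<policy_id>`.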