Versions (relevant - OpenSearch):
Describe the issue:
Hi everyone, I’m new to OpenSearch, and I have just set up a system for AWS with a given CloudFormation Template.
I’ve been trying to upload my EC2 Linux security logs and message logs to OpenSearch, but I cannot find them in Dashboards. However, I am able to find them with the Dev Tools API, and it does show them in the index. Is anyone able to help me fix this issue? Thank you!
EDIT: I found the issue - the logs are apparently in the future, so I cannot select “now” in the time range. Is anyone able to help me resolve this instead? Thank you in advance!
Configuration:
siem-on-amazon-opensearch-service/docs/configure_aws_service.md at main · aws-samples/siem-on-amazon-opensearch-service
I followed the instructions here for EC2, with the exception that I placed the configuration locally rather than on SSM, but I don’t see how that can be a big issue.
Relevant Logs or Screenshots:
Here, there is nothing displayed with that index pattern (which should be correct; even with log-* nothing is displayed).
I can’t upload further evidence, but there are 5 documents available in that index.
```json
<SNIP>
{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 3,
    "successful": 3,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 5,
      "relation": "eq"
    },
    "max_score": 1,
    "hits": [
      {
        "_index": "log-linux-secure-2025-02",
        "_id": "23478efdd32de6294ffffd1beff072e8",
        "_score": 1,
        "_source": {
          "syslog_timestamp": "Feb 13 12:06:05",
          "hostname": "ip-172-31-4-211",
          "proc": "sudo",
          "syslog_message": "ssm-user : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/nano /opt/aws/amazon-cloudwatch-agent/bin/config.json",
          "@message": "Feb 13 12:06:05 ip-172-31-4-211 sudo: ssm-user : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/nano /opt/aws/amazon-cloudwatch-agent/bin/config.json",
<SNIP>
```
Here is what I got from the API.
Thank you in advance!
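The post does not say why the events land in the future, but the hit it quotes shows the usual ingredient: a BSD-syslog timestamp (`Feb 13 12:06:05`) that carries neither a year nor a time zone, so whatever ingests it has to assume both. The script below is an added example (not code from the post or from the siem-on-amazon-opensearch-service project) that takes the year from the monthly index name and makes the host's UTC offset an explicit parameter, then reports whether the document would fall outside a dashboard range ending at "now". The reference clock (10:30 UTC on the same day) and the UTC+2 host offset are constructed assumptions for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, taken from the search hit quoted in the post above.
DOC = {"syslog_timestamp": "Feb 13 12:06:05", "hostname": "ip-172-31-4-211", "proc": "sudo"}
INDEX_NAME = "log-linux-secure-2025-02"
# Constructed reference clock: assume the search was run at 10:30 UTC that day.
REFERENCE_NOW = datetime(2025, 2, 13, 10, 30, tzinfo=timezone.utc)


def year_from_index(index_name: str) -> int:
    """Recover the year from a monthly index name such as log-linux-secure-2025-02;
    BSD-syslog timestamps carry no year of their own."""
    _prefix, year, _month = index_name.rsplit("-", 2)
    return int(year)


def parse_syslog_timestamp(ts: str, year: int, utc_offset_hours: float) -> datetime:
    """Parse 'Feb 13 12:06:05' into an aware UTC datetime. The timestamp has no zone,
    so the host's UTC offset is an explicit assumption supplied by the caller."""
    naive = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    zone = timezone(timedelta(hours=utc_offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def diagnose(doc: dict, index_name: str, now_utc: datetime, assumed_offset_hours: float) -> dict:
    """Report whether a document would be excluded by a time range that ends at 'now'."""
    event_utc = parse_syslog_timestamp(
        doc["syslog_timestamp"], year_from_index(index_name), assumed_offset_hours
    )
    ahead = max(event_utc - now_utc, timedelta(0))
    return {
        "event_utc": event_utc,
        "ahead_of_now_by": ahead,
        "hidden_by_now_filter": ahead > timedelta(0),
    }


if __name__ == "__main__":
    # Same document read as UTC (offset 0) versus read with the host's assumed UTC+2 clock.
    for offset in (0, 2):
        r = diagnose(DOC, INDEX_NAME, REFERENCE_NOW, offset)
        print(f"offset {offset:+}h: event {r['event_utc'].isoformat()} "
              f"ahead of now by {r['ahead_of_now_by']} hidden={r['hidden_by_now_filter']}")
```

Run against your own hits, the useful comparison is the `@timestamp` OpenSearch stored against the `syslog_timestamp` it was derived from; a constant offset between the two across every document points at a zone assumption rather than a clock that is actually wrong.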