Support URLs instead of IPs on external_opensearch option for audit logs

Versions:
OpenSearch v2.9.0

Describe the issue:
I want to centralise the audit logging of all our clusters into one, using the external_opensearch option of audit logs, targeting an external OpenSearch cluster.

As explained in the official documentation, I need to specify a comma-separated list of hosts/IP addresses and the REST port, like the following:

plugins.security.audit.config.http_endpoints: [192.168.178.1:9200,192.168.178.2:9200]

As expected, things like [localhost:9200,localhost:9201] also work.

What doesn’t work is setting an actual URL there, like https://my-opensearch-cluster.company.com:9200 or https://my-opensearch-cluster.company.com:443/opensearch. This will persist even if the hosts behind the cluster change.
At the moment, if a cluster changes hosts, I need to adapt and restart all clusters, to pick up the new IPs.

Am I missing something, or is the possibility of using an actual URL that corresponds to an OpenSearch cluster on plugins.security.audit.config.http_endpoints (or a similar setting) not yet there?

Note: In case this is indeed not possible, I’ve created a GitHub issue

Hi @spapadop

Could you share the opensearch.yml file? Have you tried to add TLS settings?

In my lab, it will work if I add: plugins.security.audit.config.http_endpoints: [my-opensearch-cluster.company.com:9200] and also add the following TLS settings:

Thanks @Eugene7, my mistake was to use

https://my-opensearch-cluster.company.com:9200

instead of

my-opensearch-cluster.company.com:9200

I am not sure if having the https prefix should be supported or not.

Also, another thing that does not work is things like

my-opensearch-cluster.company.com:9200/opensearch

just for cases where the OpenSearch engine is running in a specified path.

In any case, I’ll raise these on GitHub and let’s see what they’ll say.

Thanks again for the support!
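
The following pre-deployment check is an added example, not part of the thread or of the OpenSearch project. It flags http_endpoints entries that carry a scheme prefix or a URL path, the two forms reported above as not working, so that audit events are not silently lost after a restart. It assumes the setting is written as an inline [a,b] list with hostnames or IPv4 addresses; check_endpoint and lint_config are hypothetical names.

```python
import re

KEY = "plugins.security.audit.config.http_endpoints"
# Hostnames and IPv4 addresses only (assumption: no IPv6 literals).
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

def check_endpoint(entry):
    """Return a list of problems for one entry; empty means bare host:port."""
    problems = []
    rest = entry.strip().strip("'\"")
    if "://" in rest:                      # e.g. https://host:9200
        problems.append("scheme")
        rest = rest.split("://", 1)[1]
    if "/" in rest:                        # e.g. host:9200/opensearch
        problems.append("path")
        rest = rest.split("/", 1)[0]
    host, sep, port = rest.rpartition(":")
    if not sep:
        problems.append("missing-port")
        host = rest
    elif not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("bad-port")
    if not HOST_RE.match(host):
        problems.append("bad-host")
    return problems

def lint_config(yml_text):
    """Map each http_endpoints entry in an opensearch.yml text to its problems."""
    m = re.search(r"^\s*" + re.escape(KEY) + r":\s*\[(.*)\]\s*$", yml_text, re.M)
    if m is None:
        raise ValueError(KEY + " not found as an inline [a,b] list")
    return {e.strip(): check_endpoint(e) for e in m.group(1).split(",") if e.strip()}

# Constructed sample built from the endpoint forms mentioned in the thread.
SAMPLE = """\
plugins.security.audit.type: external_opensearch
plugins.security.audit.config.http_endpoints: [192.168.178.1:9200,https://my-opensearch-cluster.company.com:9200,my-opensearch-cluster.company.com:9200/opensearch,my-opensearch-cluster.company.com:9200]
"""

if __name__ == "__main__":
    for entry, problems in lint_config(SAMPLE).items():
        print("OK  " if not problems else "FAIL", entry, problems)
```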