SigSentry

Elastic / OpenSearch

Connect Elasticsearch, Elastic Cloud, or OpenSearch to SigSentry

The Elastic adapter works with Elasticsearch (self-hosted or Elastic Cloud) and OpenSearch (Amazon OpenSearch Service or self-hosted). The search API the adapter uses is compatible across both.

Prerequisites

Need                             Notes
Elasticsearch / OpenSearch URL   e.g. https://es.company.com:9200 or https://search-prod.us-east-1.es.amazonaws.com
Authentication                   API key (recommended), Basic auth, or IAM SigV4 request signing for Amazon OpenSearch Service
Indices                          The indices or index patterns to query

Setup walkthrough

Generate an API key

For Elasticsearch / Elastic Cloud, in Kibana go to Stack Management → Security → API keys → Create API key. Restrict it with a role descriptor that grants only read (and view_index_metadata) on the index patterns SigSentry needs and no cluster privileges; a key created without a role descriptor inherits every privilege of the user creating it. The key is shown once, so store it in your secret manager and use the encoded value as the API key.

For Amazon OpenSearch Service, the adapter supports both Basic auth and IAM SigV4 request signing; choose whichever your domain's access policy accepts.

With fine-grained access control, create a dedicated user (or map an IAM role) with read permissions on only the relevant indices and use that instead of the master user, which has full administrative rights over the domain.

Add the log source in SigSentry

Project → Log Sources → Add log source. Pick Elastic / OpenSearch and name it descriptively, e.g. elastic-prod.

Enter connection details

Field                 Value
URL                   The full Elasticsearch / OpenSearch URL, e.g. https://es.example.com:9200
API key               API key (recommended); sent as Authorization: ApiKey <base64(id:api_key)>, the encoded value returned when the key is created
Username + password   Basic auth alternative

You can also leave both blank for clusters with security disabled. That is rare in production, and it means anyone who can reach the cluster can read the logs, so treat it as a configuration to fix rather than one to rely on.

Add indices

Paste the index names or patterns into the Indices field, one per line. Index patterns with wildcards work:

prod-app-logs-*
prod-api-logs-*
prod-billing-2026-*

Test and save

Click Test connection. You should see Connected plus sample documents from a small recent window. Click Save.
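The checks behind the walkthrough above, as an added Python example (not SigSentry's or Elasticsearch's code): it builds the least-privilege role descriptor for the Elasticsearch create-API-key call, the Authorization header the adapter sends, and the has-privileges body, then evaluates a constructed has-privileges response and index list for the 403 and 404 conditions a failed Test connection would surface. The index patterns, key id and secret, and the responses are constructed; the security API paths are Elasticsearch's.

```python
"""Pre-flight checks for an Elastic / OpenSearch log source.

Added example, not SigSentry or Elasticsearch code. Assumes the Elasticsearch
security APIs (POST /_security/api_key, GET /_security/user/_has_privileges);
the index patterns, key material and responses below are constructed.
"""
import base64
import fnmatch
import json

# Least privilege for a log reader: no cluster privileges, read-only on data,
# plus view_index_metadata so wildcard patterns can be resolved.
READ_PRIVILEGES = ["read", "view_index_metadata"]


def api_key_request(name, indices):
    """Body for POST /_security/api_key restricting the key to read on `indices`.
    Without role_descriptors the key inherits every privilege of the user
    creating it, which is usually an admin."""
    return {
        "name": name,
        "role_descriptors": {
            f"{name}-reader": {
                "cluster": [],
                "indices": [{"names": list(indices), "privileges": READ_PRIVILEGES}],
            }
        },
    }


def api_key_header(key_id, api_key):
    """Elasticsearch expects `Authorization: ApiKey base64(id:api_key)`; the
    create response also returns this value pre-encoded as `encoded`."""
    token = base64.b64encode(f"{key_id}:{api_key}".encode()).decode()
    return f"ApiKey {token}"


def has_privileges_request(indices):
    """Body for GET /_security/user/_has_privileges, sent with the new key,
    to confirm read on every configured pattern before saving the source."""
    return {"index": [{"names": list(indices), "privileges": READ_PRIVILEGES}]}


def indices_missing_read(has_privileges_response):
    """Patterns the key cannot fully read; any of these would surface as 403."""
    missing = []
    for name, granted in has_privileges_response.get("index", {}).items():
        if not all(granted.get(p, False) for p in READ_PRIVILEGES):
            missing.append(name)
    return sorted(missing)


def unmatched_patterns(patterns, existing_indices):
    """Patterns matching no index on the cluster (404 index_not_found_exception).
    Elasticsearch patterns only use `*`, which fnmatch handles the same way."""
    return [p for p in patterns
            if not any(fnmatch.fnmatchcase(name, p) for name in existing_indices)]


if __name__ == "__main__":
    patterns = ["prod-app-logs-*", "prod-api-logs-*", "prod-billing-2026-*"]
    print(json.dumps(api_key_request("sigsentry-elastic-prod", patterns), indent=2))
    print(api_key_header("abc", "xyz"))  # constructed id and secret
    # Constructed _has_privileges response: the key was scoped without the billing pattern.
    response = {
        "has_all_requested": False,
        "index": {
            "prod-app-logs-*": {"read": True, "view_index_metadata": True},
            "prod-api-logs-*": {"read": True, "view_index_metadata": True},
            "prod-billing-2026-*": {"read": False, "view_index_metadata": False},
        },
    }
    print("403 risk:", indices_missing_read(response))
    # Constructed index list (as from GET /_cat/indices): no billing index exists yet.
    existing = ["prod-app-logs-2026.03.01", "prod-api-logs-2026.03.01"]
    print("404 risk:", unmatched_patterns(patterns, existing))
```

Run the has-privileges request with the new key itself, not the admin that created it: the point is to prove the key SigSentry will store can read every configured pattern and nothing more.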

What you'll see in results

Each Elastic log line shown in an analysis includes:

  • Timestamp (from @timestamp by default)
  • Log level (from log.level, level, or severity)
  • Service name (from service.name, kubernetes.labels.app, or host.name)
  • Message
  • Other top-level fields carried through as metadata

If your indices use a custom timestamp field, mention it in your project AI context so the analysis knows which field to interpret.
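The field mapping described above, as an added Python example (not SigSentry's code): it applies the page's fallback order for level and service, resolves dotted paths against both nested objects and flattened dotted keys, carries unconsumed top-level fields through as metadata, and shows what happens to a document with a custom timestamp field with and without the override. The hit documents are constructed.

```python
"""Normalising Elastic search hits the way the results section describes.

Added example, not SigSentry code. The field precedence is the page's;
the hit documents are constructed.
"""
LEVEL_FIELDS = ["log.level", "level", "severity"]
SERVICE_FIELDS = ["service.name", "kubernetes.labels.app", "host.name"]


def get_path(source, dotted):
    """Resolve `a.b.c` against a nested object ({"a": {"b": {"c": 1}}}) or a
    flattened key ({"a.b.c": 1}); real indices contain both shapes."""
    if dotted in source:
        return source[dotted]
    current = source
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def first_present(source, candidates):
    """First candidate field that exists, honouring the documented precedence."""
    for field in candidates:
        value = get_path(source, field)
        if value is not None:
            return value, field
    return None, None


def normalize_hit(hit, timestamp_field="@timestamp"):
    """Map one search hit to the fields shown in an analysis. `timestamp_field`
    is the override for indices that do not use @timestamp."""
    source = hit.get("_source", {})
    level, level_field = first_present(source, LEVEL_FIELDS)
    service, service_field = first_present(source, SERVICE_FIELDS)
    # Everything not consumed above is carried through as metadata; compare on
    # the top-level segment so a nested `log` object is not duplicated.
    consumed = {f.split(".")[0]
                for f in (timestamp_field, level_field, service_field, "message") if f}
    metadata = {k: v for k, v in source.items() if k.split(".")[0] not in consumed}
    return {
        "index": hit.get("_index"),
        "timestamp": get_path(source, timestamp_field),
        "level": level,
        "service": service,
        "message": get_path(source, "message"),
        "metadata": metadata,
    }


# Constructed hits: ECS-style nested, flattened Kubernetes, and a custom timestamp field.
SAMPLE_HITS = [
    {"_index": "prod-app-logs-2026.03.01",
     "_source": {"@timestamp": "2026-03-01T12:00:00Z", "log": {"level": "error"},
                 "service": {"name": "checkout"}, "message": "payment failed",
                 "trace": {"id": "4bf92f3577b34da6"}}},
    {"_index": "prod-api-logs-2026.03.01",
     "_source": {"@timestamp": "2026-03-01T12:00:01Z", "severity": "WARN",
                 "kubernetes.labels.app": "billing", "host.name": "node-1",
                 "message": "retrying upstream"}},
    {"_index": "prod-billing-2026-03",
     "_source": {"event_time": "2026-03-01T12:00:02Z", "level": "info",
                 "message": "invoice issued"}},
]


if __name__ == "__main__":
    for hit in SAMPLE_HITS[:2]:
        print(normalize_hit(hit))
    # Without the override the third hit has no timestamp at all; with it, the
    # event_time field is used and no longer leaks into metadata.
    print(normalize_hit(SAMPLE_HITS[2])["timestamp"])
    print(normalize_hit(SAMPLE_HITS[2], timestamp_field="event_time"))
```

The third hit is the case the paragraph above warns about: until the custom field is named, the document carries no usable event time, which is why the timestamp field belongs in the project AI context.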

Quirks

Quirk                    Notes
Custom timestamp field   If your indices use something other than @timestamp, configure it in the project AI context
Multiple clusters        Add a separate log source per cluster
OpenSearch on AWS        IAM SigV4 signing and Basic auth are both supported; with fine-grained access control use a dedicated read-only user or role rather than the master user

Troubleshooting

Error                            Fix
401 Unauthorized                 Credentials rejected: the API key is invalid, expired or revoked, or the username/password is wrong; regenerate or correct them
403 Forbidden                    The key or user lacks read on one of the configured indices; extend its role to cover every pattern in the list
404 index_not_found_exception    An index in your list doesn't exist; remove it or fix the pattern
Slow queries                     Indices too broad; narrow with date-suffix patterns (e.g. prod-billing-2026-03-* rather than prod-billing-*) or use rollover indices