KTS7
Explicitly support OpenSearch
OpenSearch is an open source clone of ElasticSearch, which has gone source-available only, with restrictive licensing (SSPL/Elastic v2). We prefer OpenSearch for this reason. For now the dashboards will probably work out of the box (since they haven't really deviated yet), but this might change in the future.
Could you support OpenSearch as well?
We can definitely consider it. I personally am not familiar with OpenSearch. Have you experienced any issues or do you foresee any issues?
I'm currently testing; so far it's going well, but that is to be expected. OpenSearch was forked from the 7.10.2 versions of the ELK stack, so the differences are minimal. OpenSearch is gaining traction because of the licensing change of Elastic and the whole vibe that caused. ElasticSearch is creating a walled garden and preventing interoperability with OpenSearch.
For now they are extremely similar, but during a community meeting the maintainers have indicated that each project will go its separate way eventually. So over time there will be some differences. Suricata itself and the log aggregator (Logstash) will be fine; OpenSearch has already released output plugins because of the licensing checks built in by Elastic. Another option is FluentD/Bit.
If things will break, they will break in the Kibana dashboards.
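The post above points out that the stock Logstash `elasticsearch` output does a licence/distribution check against the cluster, and that OpenSearch ships its own output plugin (`logstash-output-opensearch`) to get around it. As an added example, not code from this thread or from the KTS project, here is a minimal Logstash pipeline that reads Suricata EVE JSON and ships it to OpenSearch with that plugin. The file paths, host name, credentials, CA path and index pattern are assumptions for illustration and must be adapted to the deployment.

```conf
# Install the OpenSearch output plugin first (one-time, on the Logstash host):
#   bin/logstash-plugin install logstash-output-opensearch
#
# Pipeline: Suricata EVE JSON -> Logstash -> OpenSearch
# All paths, hosts, credentials and index names below are assumptions.

input {
  file {
    # Suricata's default EVE log; adjust to your outputs.eve-log.filename
    path          => ["/var/log/suricata/eve.json"]
    codec         => "json"
    start_position => "beginning"
    # Keep a sincedb so Logstash resumes instead of re-ingesting on restart
    sincedb_path  => "/var/lib/logstash/sincedb-suricata"
  }
}

filter {
  # Drop events Suricata could not serialise as a usable record
  if ![event_type] {
    drop { }
  }
  # Use Suricata's own timestamp as the event time instead of ingest time
  date {
    match  => ["timestamp", "ISO8601"]
    target => "@timestamp"
  }
}

output {
  # --- Does NOT work against OpenSearch: the Elastic plugin probes GET /
  #     and refuses non-Elastic distributions (the licensing check the
  #     thread refers to). Kept here, commented out, for comparison only.
  # elasticsearch {
  #   hosts => ["https://opensearch.example.internal:9200"]
  #   index => "logstash-suricata-%{+YYYY.MM.dd}"
  # }

  # --- Works against OpenSearch
  opensearch {
    hosts    => ["https://opensearch.example.internal:9200"]
    # Same index naming as the existing Elastic setup so the KTS
    # index patterns keep matching
    index    => "logstash-suricata-%{+YYYY.MM.dd}"
    user     => "logstash_writer"
    password => "${OPENSEARCH_LOGSTASH_PASSWORD}"   # from the Logstash keystore
    ssl      => true
    # Verify the cluster certificate against your CA; do not set
    # ssl_certificate_verification => false outside a throwaway lab
    ssl_certificate_verification => true
    cacert   => "/etc/logstash/certs/opensearch-ca.pem"
  }
}
```

Usage: place this at `/etc/logstash/conf.d/suricata-opensearch.conf` (assumed path), store the password with `bin/logstash-keystore add OPENSEARCH_LOGSTASH_PASSWORD`, and run `bin/logstash --config.test_and_exit -f` on the file before restarting the service. If the `elasticsearch` output is left in, Logstash will log a connection error naming the distribution check; switching only the `output {}` block is enough, which is why the post above expects Suricata and the aggregator side to be unaffected and any breakage to show up in the dashboards instead.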
Understood, thank you!
I've been testing today; as far as I can see the dashboards are fine for now. It is more something to take into account with future developments of Suricata, to explicitly check whether everything is working for OpenSearch as well :)
So my question is to formally support OpenSearch (which involves no work, at this time) :)
Sure. I think it will not be that difficult.
Cool :)