# OpenSearch

> Connect OpenSearch to query log and event indices during investigations.

Connecting OpenSearch allows Traversal to query your log/event indices and use matching documents as evidence during investigations.

## What Traversal reads

* **Logs** — documents queried from your log and event indices

## Setup

<Steps>
  <Step title="Find your OpenSearch hosts">
    Enter one or more OpenSearch host URLs, such as `https://opensearch.mycompany.com:9200`.
  </Step>

  <Step title="Choose an authentication method">
    <Info>
      OpenSearch deployments expose credentials in different formats. In Traversal, choose the option that matches the credential your OpenSearch administrator gives you.
    </Info>

    <Tabs>
      <Tab title="Username and password">
        In OpenSearch Dashboards, create or choose a read-only role that can query the indices Traversal should access, then create a user and assign that role.
      </Tab>

      <Tab title="API key">
        Use this option if your OpenSearch deployment gives you a single encoded API key value.

        Ask your OpenSearch administrator to create an API key with read-only access to the indices Traversal should query, then copy the full encoded key value into Traversal.
      </Tab>

      <Tab title="API key with ID">
        Use this option if your OpenSearch deployment gives you two values: an API key ID and an API key secret.

        Ask your OpenSearch administrator to create a read-only API key, then copy the **API Key ID** and **API Key Secret** into the matching fields in Traversal.
      </Tab>

      <Tab title="Bearer token">
        Use this option only if your OpenSearch cluster already accepts `Authorization: Bearer <token>` headers, typically through JWT authentication.

        Ask your OpenSearch administrator or identity team to issue a token for a user or service principal that has read access to the target indices. The token must be signed by an issuer your cluster trusts, and its subject or role claims must map to permissions OpenSearch recognizes.

        Before saving the integration, test the token with a simple read request:

        ```bash
        curl -H "Authorization: Bearer $TOKEN" https://opensearch.example.com:9200/_cluster/health
        ```

        <Warning>
          OpenSearch On-Behalf-Of tokens are short-lived, so they are usually not a good fit for a saved integration unless you rotate them automatically.
        </Warning>
      </Tab>
    </Tabs>
  </Step>

  <Step title="Configure in Traversal">
    Go to **Company Knowledge > Integrations**, select OpenSearch, and enter your host URLs and credentials.

    If you want clickable links from Traversal back to your OpenSearch UI, optionally set **Base URL for UI** to your OpenSearch Dashboards URL.
  </Step>
</Steps>
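
A local pre-check for the **Bearer token** option above, added here as an example and not part of Traversal's or OpenSearch's own tooling: it decodes the token's claims without verifying the signature and flags a missing subject, missing roles, or a lifetime too short for a saved integration. The claim names `sub` and `roles` and the one-day threshold are assumptions; match them to the `subject_key` and `roles_key` settings of your cluster's JWT authentication.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def review_token(token, now=None, min_lifetime_s=86400,
                 subject_key="sub", roles_key="roles"):
    """Return a list of findings; an empty list means nothing was flagged."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    findings = []
    if not claims.get(subject_key):
        findings.append(f"missing subject claim '{subject_key}'")
    roles = claims.get(roles_key)
    if isinstance(roles, str):  # assumption: comma-separated string or JSON array
        roles = [r.strip() for r in roles.split(",") if r.strip()]
    if not roles:
        findings.append(f"no roles in claim '{roles_key}'")
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token does not expire on its own")
    elif not isinstance(exp, (int, float)):
        findings.append("exp claim is not a numeric timestamp")
    elif exp <= now:
        findings.append("token already expired")
    elif exp - now < min_lifetime_s:
        findings.append(f"expires in {int(exp - now)}s: needs automatic rotation")
    return findings


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2FtcGxl"])
```

An empty result only means the claims look plausible; the `curl` request in the setup step is still what shows that the cluster accepts the token.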

## More information

* [OpenSearch access control](https://docs.opensearch.org/docs/latest/security/access-control/)
* [OpenSearch JWT authentication](https://opensearch.org/docs/latest/security/authentication-backends/jwt/)
* [OpenSearch authorization tokens](https://docs.opensearch.org/latest/security/access-control/authentication-tokens/)
