# Monitoring Amazon OpenSearch Serverless
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon OpenSearch Serverless and your other AWS solutions. AWS provides the following monitoring tools to watch OpenSearch Serverless, report when something is wrong, and take automatic actions when appropriate:
+ *Amazon CloudWatch* monitors your AWS resources and the applications that you run on AWS in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify.
For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ *AWS CloudTrail* captures API calls and related events made by or on behalf of your AWS account. It delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+ *Amazon EventBridge* delivers a near real-time stream of system events that describe changes in your OpenSearch Service domains. You can create rules that watch for certain events, and trigger automated actions in other AWS services when these events occur. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).
# Monitoring OpenSearch Serverless with Amazon CloudWatch
You can monitor Amazon OpenSearch Serverless using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. These statistics are kept for 15 months, so that you can access historical information and gain a better perspective on how your web application or service is performing.
You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
OpenSearch Serverless reports the following metrics in the `AWS/AOSS` namespace.
| Metric | Description |
| --- | --- |
| ActiveCollection | Indicates whether a collection is active. A value of 1 means that the collection is in an `ACTIVE` state. This value is emitted upon successful creation of a collection and remains 1 until you delete the collection. The metric can't have a value of 0. **Relevant statistics**: Max **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
| DeletedDocuments | The total number of deleted documents. **Relevant statistics**: Average, Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName`, `IndexId`, `IndexName` **Frequency**: 60 seconds |
| IndexingOCU | The number of OpenSearch Compute Units (OCUs) used to ingest collection data. This metric applies at the account level. Represents usage only for collections that are not part of any collection group. **Relevant statistics**: Sum **Dimensions**: `ClientId` **Frequency**: 60 seconds |
| IndexingOCU | The number of OpenSearch Compute Units (OCUs) used to ingest collection data. This metric applies at the collection group level. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionGroupId`, `CollectionGroupName` **Frequency**: 60 seconds |
| IngestionDataRate | The indexing rate in GiB per second to a collection or index. This metric only applies to bulk indexing requests. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName`, `IndexId`, `IndexName` **Frequency**: 60 seconds |
| IngestionDocumentErrors | The total number of document errors during ingestion for a collection or index. After a successful bulk indexing request, writers process the request and emit errors for all failed documents within the request. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName`, `IndexId`, `IndexName` **Frequency**: 60 seconds |
| IngestionDocumentRate | The rate per second at which documents are being ingested to a collection or index. This metric only applies to bulk indexing requests. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName`, `IndexId`, `IndexName` **Frequency**: 60 seconds |
| IngestionRequestErrors | The total number of bulk indexing request errors to a collection. OpenSearch Serverless emits this metric when a bulk indexing request fails for any reason, such as an authentication or availability issue. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
| IngestionRequestLatency | The latency, in seconds, for bulk write operations to a collection. **Relevant statistics**: Minimum, Maximum, Average **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
| IngestionRequestRate | The total number of bulk write operations received by a collection. **Relevant statistics**: Minimum, Maximum, Average **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
| IngestionRequestSuccess | The total number of successful indexing operations to a collection. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
| SearchableDocuments | The total number of searchable documents in a collection or index. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName`, `IndexId`, `IndexName` **Frequency**: 60 seconds |
| SearchRequestErrors | The total number of query errors per minute for a collection. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
| SearchRequestLatency | The average time, in milliseconds, that it takes to complete a search operation against a collection. **Relevant statistics**: Minimum, Maximum, Average **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
| SearchOCU | The number of OpenSearch Compute Units (OCUs) used to search collection data. This metric applies at the account level. Represents usage only for collections that are not part of any collection group. **Relevant statistics**: Sum **Dimensions**: `ClientId` **Frequency**: 60 seconds |
| SearchOCU | The number of OpenSearch Compute Units (OCUs) used to search collection data. This metric applies at the collection group level. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionGroupId`, `CollectionGroupName` **Frequency**: 60 seconds |
| SearchRequestRate | The total number of search requests per minute to a collection. **Relevant statistics**: Average, Maximum, Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
| StorageUsedInS3 | The amount, in bytes, of Amazon S3 storage used. OpenSearch Serverless stores indexed data in Amazon S3. You must select the period at one minute to get an accurate value. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName`, `IndexId`, `IndexName` **Frequency**: 60 seconds |
| VectorIndexBuildAccelerationOCU | The number of OpenSearch Compute Units (OCUs) used to accelerate vector indexing. This metric applies at the collection level. **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId` **Frequency**: 60 seconds |
| 2xx, 3xx, 4xx, 5xx | The number of requests to the collection that resulted in the given HTTP response code (2*xx*, 3*xx*, 4*xx*, 5*xx*). **Relevant statistics**: Sum **Dimensions**: `ClientId`, `CollectionId`, `CollectionName` **Frequency**: 60 seconds |
# Logging OpenSearch Serverless API calls using AWS CloudTrail
Amazon OpenSearch Serverless is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Serverless.
CloudTrail captures all API calls for OpenSearch Serverless as events. The calls captured include calls from the Serverless section of the OpenSearch Service console and code calls to the OpenSearch Serverless API operations.
If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for OpenSearch Serverless. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**.
Using the information collected by CloudTrail, you can determine the request that was made to OpenSearch Serverless, the IP address from which the request was made, who made the request, when it was made, and additional details.
To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).
## OpenSearch Serverless information in CloudTrail
CloudTrail is enabled on your AWS account when you create the account. When activity occurs in OpenSearch Serverless, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
For an ongoing record of events in your AWS account, including events for OpenSearch Serverless, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions.
The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html)
+ [Receiving CloudTrail log files from multiple regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
All OpenSearch Serverless actions are logged by CloudTrail and are documented in the [OpenSearch Serverless API reference](https://docs.aws.amazon.com/opensearch-service/latest/ServerlessAPIReference/Welcome.html). For example, calls to the `CreateCollection`, `ListCollections`, and `DeleteCollection` actions generate entries in the CloudTrail log files.
Every event or log entry contains information about who generated the request. The identity information helps you determine:
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.
For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
## OpenSearch Serverless data events in CloudTrail
[Data events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events) provide information about the resource operations performed on or in a resource (for example, searching or indexing to an OpenSearch Serverless Collection). These are also known as data plane operations. Data events are often high-volume activities. By default, CloudTrail doesn’t log data events. The CloudTrail **Event history** doesn't record data events.
Additional charges apply for data events. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).
You can log data events for the `AWS::AOSS::Collection` resource types by using the CloudTrail console, AWS CLI, or CloudTrail API operations. For more information about how to log data events, see [Logging data events with the AWS Management Console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#logging-data-events-console) and [Logging data events with the AWS Command Line Interface](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html#creating-data-event-selectors-with-the-AWS-CLI) in the *AWS CloudTrail User Guide*.
You can configure advanced event selectors to filter on the `eventName`, `readOnly`, and `resources.ARN` fields to log only those events that are important to you. For more information about these fields, see [https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_AdvancedFieldSelector.html) in the *AWS CloudTrail API Reference*.
## Understanding OpenSearch Serverless Data Event entries
In the following example:
+ The `requestParameters` field contains details about the API call made to the collection. It includes the base request path (without query parameters).
+ The `responseElements` field includes a status code that indicates the outcome of your request when modifying resources. This status code helps you track whether your changes were processed successfully or require attention.
+ OpenSearch Serverless logs CloudTrail data events only for requests that have successfully completed IAM authentication.
**Example**
```
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROA123456789EXAMPLE",
"arn": "arn:aws::sts::111122223333:assumed-role/Admin/user-role",
"accountId": "111122223333",
"accessKeyId": "access-key",
"userName": "",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROA123456789EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"attributes": {
"creationDate": "2025-08-15T22:57:38Z",
"mfaAuthenticated": "false"
},
"sourceIdentity": "",
"ec2RoleDelivery": "",
"assumedRoot": ""
},
"identityProvider": "",
"credentialId": ""
},
"eventTime": "2025-08-15T22:58:00Z",
"eventSource": "aoss.amazonaws.com",
"eventName": "Search",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "python-requests/2.32.3",
"requestParameters": {
"pathPrefix": "/_search"
},
"responseElements": null,
"requestID": "2cfee788-EXAM-PLE1-8617-4018cEXAMPLE",
"eventID": "48d43617-EXAM-PLE1-9d9c-f7EXAMPLE",
"readOnly": true,
"resources": [
{
"type": "AWS::AOSS::Collection",
"ARN": "arn:aws:aoss:us-east-1:111122223333:collection/aab9texampletu45xh77"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "111122223333",
"eventCategory": "Data"
}
]
}
```
## Understanding OpenSearch Serverless Management Events entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries.
An event represents a single request from any source. It includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.
The following example displays a CloudTrail log entry that demonstrates the `CreateCollection` action.
```
{
"eventVersion":"1.08",
"userIdentity":{
"type":"AssumedRole",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/test-user",
"accountId":"123456789012",
"accessKeyId":"access-key",
"sessionContext":{
"sessionIssuer":{
"type":"Role",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:role/Admin",
"accountId":"123456789012",
"userName":"Admin"
},
"webIdFederationData":{
},
"attributes":{
"creationDate":"2022-04-08T14:11:34Z",
"mfaAuthenticated":"false"
}
}
},
"eventTime":"2022-04-08T14:11:49Z",
"eventSource":"aoss.amazonaws.com",
"eventName":"CreateCollection",
"awsRegion":"us-east-1",
"sourceIPAddress":"AWS Internal",
"userAgent":"aws-cli/2.1.30 Python/3.8.8 Linux/5.4.176-103.347.amzn2int.x86_64 exe/x86_64.amzn.2 prompt/off command/aoss.create-collection",
"errorCode":"HttpFailureException",
"errorMessage":"An unknown error occurred",
"requestParameters":{
"accountId":"123456789012",
"name":"test-collection",
"description":"A sample collection",
"clientToken":"d3a227d2-a2a7-49a6-8fb2-e5c8303c0718"
},
"responseElements": null,
"requestID":"12345678-1234-1234-1234-987654321098",
"eventID":"12345678-1234-1234-1234-987654321098",
"readOnly":false,
"eventType":"AwsApiCall",
"managementEvent":true,
"recipientAccountId":"123456789012",
"eventCategory":"Management",
"tlsDetails":{
"clientProvidedHostHeader":"user.aoss-sample.us-east-1.amazonaws.com"
}
}
```
# Monitoring OpenSearch Serverless events using Amazon EventBridge
Amazon OpenSearch Service integrates with Amazon EventBridge to notify you of certain events that affect your domains. Events from AWS services are delivered to EventBridge in near real time. The same events are also sent to [Amazon CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatchEvents.html), the predecessor of Amazon EventBridge. You can write rules to indicate which events are of interest to you, and what automated actions to take when an event matches a rule. Examples of actions that you can automatically activate include the following:
+ Invoking an AWS Lambda function
+ Invoking an Amazon EC2 Run Command
+ Relaying the event to Amazon Kinesis Data Streams
+ Activating an AWS Step Functions state machine
+ Notifying an Amazon SNS topic or an Amazon SQS queue
For more information, see [Get started with Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-get-started.html) in the *Amazon EventBridge User Guide*.
## Setting up notifications
You can use [AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/what-is-service.html) to receive notifications when an OpenSearch Serverless event occurs. An event is an indicator of a change in OpenSearch Serverless environment, such as when you reach the maximum limit of your OCU usage. Amazon EventBridge receives the event and routes a notification to the AWS Management Console Notifications Center and your chosen delivery channels. You receive a notification when an event matches a rule that you specify.
## OpenSearch Compute Units (OCU) events
OpenSearch Serverless sends events to EventBridge when one of the following OCU-related events occur.
### OCU usage approaching maximum limit
OpenSearch Serverless sends this event when your search or index OCU usage reaches 75% of your capacity limit. Your OCU usage is calculated based on your configured capacity limit and your current OCU consumption.
**Example**
The following is an example event of this type (search OCU):
```
{
"version": "0",
"id": "01234567-0123-0123-0123-012345678901",
"detail-type": "OCU Utilization Approaching Max Limit",
"source": "aws.aoss",
"account": "123456789012",
"time": "2016-11-01T13:12:22Z",
"region": "us-east-1",
"resources": ["arn:aws:es:us-east-1:123456789012:domain/test-domain"],
"detail": {
"eventTime" : 1678943345789,
"description": "Your search OCU usage is at 75% and is approaching the configured maximum limit."
}
}
```
The following is an example event of this type (index OCU):
```
{
"version": "0",
"id": "01234567-0123-0123-0123-012345678901",
"detail-type": "OCU Utilization Approaching Max Limit",
"source": "aws.aoss",
"account": "123456789012",
"time": "2016-11-01T13:12:22Z",
"region": "us-east-1",
"resources": ["arn:aws:es:us-east-1:123456789012:domain/test-domain"],
"detail": {
"eventTime" : 1678943345789,
"description": "Your indexing OCU usage is at 75% and is approaching the configured maximum limit."
}
```
### OCU usage reached maximum limit
OpenSearch Serverless sends this event when your search or index OCU usage reaches 100% of your capacity limit. Your OCU usage is calculated based on your configured capacity limit and your current OCU consumption.
**Example**
The following is an example event of this type (search OCU):
```
{
"version": "0",
"id": "01234567-0123-0123-0123-012345678901",
"detail-type": "OCU Utilization Reached Max Limit",
"source": "aws.aoss",
"account": "123456789012",
"time": "2016-11-01T13:12:22Z",
"region": "us-east-1",
"resources": ["arn:aws:es:us-east-1:123456789012:domain/test-domain"],
"detail": {
"eventTime" : 1678943345789,
"description": "Your search OCU usage has reached the configured maximum limit."
}
}
```
The following is an example event of this type (index OCU):
```
{
"version": "0",
"id": "01234567-0123-0123-0123-012345678901",
"detail-type": "OCU Utilization Reached Max Limit",
"source": "aws.aoss",
"account": "123456789012",
"time": "2016-11-01T13:12:22Z",
"region": "us-east-1",
"resources": ["arn:aws:es:us-east-1:123456789012:domain/test-domain"],
"detail": {
"eventTime" : 1678943345789,
"description": "Your indexing OCU usage has reached the configured maximum limit."
}
}
```