Overview of the Log Analysis and Anomaly Detection System
This module is designed to detect anomalies in data such as log files or a database.
In addition, the module detects anomalies in Pragatix usage for security purposes, measuring events such as the number of questions asked and the number of unanswered responses.
System Components:
OpenSearch -
OpenSearch acts as the central storage and anomaly detection engine of the entire log-analysis system.
All logs collected from the different services and applications are eventually sent to OpenSearch, where they are indexed, organized, and made searchable.
In OpenSearch, log data is stored in indices that are created automatically from an index template, which serves as a predefined blueprint for how the data should be structured. An index template defines the fields, their data types, and the index settings to apply whenever a new index matching a specific pattern is created, such as gateway-logs-* or ingestor-logs-*. This ensures that all incoming logs are stored with consistent mappings and formats, enabling OpenSearch to index, search, and analyze the data efficiently.
OpenSearch provides built-in anomaly detection capabilities.
Anomaly detectors analyze log patterns over time and automatically flag unusual spikes or behaviors, such as sudden increases in error rates.
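To make the "sudden increase in error rates" case concrete, the following added example (not part of the original document and not the detector model OpenSearch itself uses, which is far more sophisticated) buckets parsed log documents by minute, computes the error rate per bucket, and flags a bucket whose rate is well above the baseline of the preceding buckets. The documents, the app_name "gateway" and the burst in the ninth minute are constructed for the demonstration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def build_sample_docs():
    """Constructed documents shaped like entries in a gateway-logs-* index:
    ten minutes of traffic, 20 requests per minute, one error per minute,
    except minute 8 which carries a burst of 12 errors."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    docs = []
    for minute in range(10):
        n_error = 12 if minute == 8 else 1
        for i in range(20):
            level = "ERROR" if i < n_error else "INFO"
            docs.append({
                "@timestamp": (base + timedelta(minutes=minute, seconds=i * 3)).isoformat(),
                "level": level,
                "app_name": "gateway",
                "message": "request failed" if level == "ERROR" else "request ok",
            })
    return docs


def error_rate_per_bucket(docs, bucket_seconds=60):
    """Return {bucket_start_epoch: error_rate} for fixed-width time buckets."""
    totals, errors = Counter(), Counter()
    for doc in docs:
        ts = datetime.fromisoformat(doc["@timestamp"])
        bucket = int(ts.timestamp()) // bucket_seconds * bucket_seconds
        totals[bucket] += 1
        if doc["level"] == "ERROR":
            errors[bucket] += 1
    return {b: errors[b] / totals[b] for b in sorted(totals)}


def detect_spikes(rates, window=5, k=3.0, min_history=3):
    """Flag a bucket whose error rate exceeds mean + k * stdev of the
    preceding `window` buckets. The stdev is floored so that a perfectly
    flat baseline (stdev 0) still yields a usable threshold instead of
    flagging every tiny wobble."""
    anomalies = []
    keys = sorted(rates)
    for i, bucket in enumerate(keys):
        history = [rates[h] for h in keys[max(0, i - window):i]]
        if len(history) < min_history:
            continue  # not enough baseline yet to judge this bucket
        threshold = mean(history) + k * max(pstdev(history), 0.01)
        if rates[bucket] > threshold:
            anomalies.append({
                "bucket_start": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                "error_rate": round(rates[bucket], 3),
                "threshold": round(threshold, 3),
            })
    return anomalies


if __name__ == "__main__":
    for anomaly in detect_spikes(error_rate_per_bucket(build_sample_docs())):
        print(anomaly)
```

Only the burst minute is reported; the minute after it is not, because the burst itself now sits in the baseline and widens the threshold. Tuning `window`, `k` and the bucket width is the same trade-off a practitioner makes when configuring a detector's interval and feature aggregation.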
OpenSearch Dashboards UI -
OpenSearch Dashboards is the visual interface for interacting with the log data stored in OpenSearch. It allows users to search, explore, and analyze logs. Through dashboards, you can filter logs by fields like @timestamp, level, or app_name, and create visualizations to track trends, spikes, or unusual behavior. Dashboards also provides access to Dev Tools, where index templates and anomaly detectors can be managed. In the system, OpenSearch Dashboards serves as the main user-facing interface, making it easy to monitor log streams, validate that Logstash is indexing data correctly, and inspect anomalies detected by the system.
Logstash -
Logstash acts as the data collector and processor in the system. Its primary responsibility is to monitor directories for new log files, read them, and transform the raw logs into a structured format that OpenSearch can understand. Each log entry is parsed, cleaned, and assigned fields like @timestamp, level, message, and app_name according to the parsing rules defined in the Logstash configuration.
Logstash runs on the gateway in a container and fetches logs from streaming sources.
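The following added example (not code from the original document or from Logstash itself) shows in Python what the Logstash parsing rules and the index template together guarantee: a raw line is turned into a document with @timestamp, level, app_name and message, the document is checked against the field types the template declares, and the target index name is confirmed to match one of the template's patterns. The raw line format, the template body and the sample lines are constructed for the demonstration; the system's real Logstash configuration and template are not shown on this page.

```python
import re
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed index template in the shape OpenSearch accepts at PUT _index_template/<name>.
# Field names follow the document; shard count and types are assumptions.
INDEX_TEMPLATE = {
    "index_patterns": ["gateway-logs-*", "ingestor-logs-*"],
    "template": {
        "settings": {"number_of_shards": 1},
        "mappings": {"properties": {
            "@timestamp": {"type": "date"},
            "level": {"type": "keyword"},
            "app_name": {"type": "keyword"},
            "message": {"type": "text"},
        }},
    },
}

# Constructed raw-line format: "<ISO-8601 UTC> [<LEVEL>] <app_name> - <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+\[(?P<level>[A-Z]+)\]\s+(?P<app>[\w-]+)\s+-\s+(?P<msg>.*)$")


def parse_line(line):
    """Turn one raw line into a structured document. A line the pattern does
    not match is kept and tagged, mirroring Logstash's _grokparsefailure
    convention, so that parsing problems are visible rather than silently lost."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "level": m["level"],
        "app_name": m["app"],
        "message": m["msg"],
    }


def validate_against_template(doc, template=INDEX_TEMPLATE):
    """Return a list of mapping problems (empty when the document is clean)."""
    problems = []
    for field, spec in template["template"]["mappings"]["properties"].items():
        if field not in doc:
            problems.append(f"missing field {field}")
            continue
        value = doc[field]
        if spec["type"] == "date":
            try:
                datetime.fromisoformat(value)
            except (TypeError, ValueError):
                problems.append(f"{field} is not a parsable date: {value!r}")
        elif not isinstance(value, str):
            problems.append(f"{field} should be a string, got {type(value).__name__}")
    return problems


def target_index(doc):
    """Daily index per application, e.g. gateway-logs-2024.01.01."""
    day = datetime.fromisoformat(doc["@timestamp"]).strftime("%Y.%m.%d")
    return f"{doc['app_name']}-logs-{day}"


def template_applies(index_name, template=INDEX_TEMPLATE):
    """True when the index name matches one of the template's patterns."""
    return any(fnmatch(index_name, pattern) for pattern in template["index_patterns"])


if __name__ == "__main__":
    # Constructed sample lines: one well-formed, one that the pattern rejects.
    for raw in ["2024-01-01T12:00:00Z [ERROR] gateway - request failed: upstream timeout",
                "not a log line at all"]:
        doc = parse_line(raw)
        print(doc, validate_against_template(doc))
```

Running the validation before bulk-indexing catches documents that would be rejected or would silently create a conflicting dynamic mapping, which is the typical reason a "validate that Logstash is correctly indexing data" step exists in a pipeline like this one.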
Gateway API -
The Gateway-API serves as the AI engine that analyzes the anomalies generated by the system. It processes these anomalies and produces a structured AI-generated insight report, including fields such as what happened, why it occurred, how to debug the issue, and related internal and external resources that can assist in resolving the problem.
Anomaly-BL -
The Anomaly-BL service acts as the bridge between OpenSearch anomaly detection and the Gateway-API (which analyzes the anomaly results). It periodically triggers anomaly detection using the OpenSearch API over a specified time period, collects the resulting anomaly data, and sends it to the Gateway-API for AI-driven analysis. After each run, Anomaly-BL schedules the subsequent execution according to the defined interval, ensuring continuous monitoring and analysis. The Anomaly-BL service saves the anomaly results together with the AI report in the system's DB so that they can later be displayed to the user in the Admin Center.
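The run cycle described above, as an added example in Python that is not the Anomaly-BL service's own code: each cycle detects over the window since the previous run, enriches every anomaly with a report, persists the pair, advances the window and returns the next scheduled run time. The OpenSearch and Gateway-API clients are replaced by constructed in-memory functions; the report keys follow the fields the Gateway API section lists, the result keys anomaly_grade and confidence are named after OpenSearch's detector result fields, and the detector id and anomaly times are constructed. The persistence step deduplicates on (detector id, anomaly time) so that a retried or overlapping run cannot store the same anomaly twice.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed detector results standing in for what the OpenSearch API would return.
CONSTRUCTED_RESULTS = [
    {"detector_id": "gateway-error-rate", "data_start_time": BASE + timedelta(minutes=5),
     "anomaly_grade": 0.9, "confidence": 0.98},
    {"detector_id": "gateway-error-rate", "data_start_time": BASE + timedelta(minutes=25),
     "anomaly_grade": 0.6, "confidence": 0.91},
]


def fake_detect(window_start, window_end):
    """Stand-in for 'run the detector over a time period': returns results
    whose start time falls inside [window_start, window_end)."""
    return [r for r in CONSTRUCTED_RESULTS if window_start <= r["data_start_time"] < window_end]


def fake_analyze(anomaly):
    """Stand-in for the Gateway-API call; report fields follow the document."""
    return {
        "what_happened": f"anomaly grade {anomaly['anomaly_grade']} on {anomaly['detector_id']}",
        "why": "placeholder explanation",
        "how_to_debug": "placeholder steps",
        "resources": [],
    }


@dataclass
class RunState:
    interval: timedelta
    last_window_end: datetime
    saved: list = field(default_factory=list)      # stands in for the system DB table
    seen: set = field(default_factory=set)         # (detector_id, time) keys already stored


def run_cycle(state, now, detect=fake_detect, analyze=fake_analyze):
    """One Anomaly-BL cycle. Returns the datetime of the next scheduled run."""
    window_start, window_end = state.last_window_end, now
    if window_end > window_start:                  # never query an empty or inverted window
        for anomaly in detect(window_start, window_end):
            key = (anomaly["detector_id"], anomaly["data_start_time"])
            if key in state.seen:
                continue                           # already persisted by an earlier run
            state.saved.append({**anomaly, "ai_report": analyze(anomaly)})
            state.seen.add(key)
        state.last_window_end = window_end         # next window starts where this one ended
    return now + state.interval


if __name__ == "__main__":
    state = RunState(interval=timedelta(minutes=10), last_window_end=BASE)
    next_run = BASE + state.interval
    for _ in range(3):
        next_run = run_cycle(state, next_run)
    for row in state.saved:
        print(row["data_start_time"].isoformat(), row["ai_report"]["what_happened"])
```

Carrying `last_window_end` forward rather than recomputing "now minus interval" on each run is what keeps consecutive windows contiguous when a cycle is late, and the dedup key is what makes a retry after a failed DB write safe.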