| applies_to |
|
|||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| products |
|
You can configure several types of logs in {{stack}} that can help you to gain insight into {{stack}} operations, diagnose issues, and track certain types of events.
The following logging features are available:
-
Application and component logging: Logs messages related to running {{es}}.
You can configure the log level for {{es}}, and, in self-managed clusters, configure underlying Log4j settings to customize logging behavior.
-
Query logging: Logs every search, {{esql}}, SQL or EQL query.
-
Deprecation logging: Deprecation logs record a message to the {{es}} log directory when you use deprecated {{es}} functionality. You can use the deprecation logs to update your application before upgrading {{es}} to a new major version.
-
Audit logging: Logs security-related events on your deployment.
-
Slow query and index logging: Helps find and debug slow queries and indexing.
-
Application and component logging: Logs messages related to running {{kib}}.
You can configure the log level for {{kib}}, and, in self-managed, ECE, or ECK deployments, configure advanced settings to customize logging behavior.
-
Audit logging: Logs security-related events on your deployment.
The way that you access your logs differs depending on your deployment method.
Access your logs using one of the following options:
- All orchestrated deployments:
- {{ech}}: Preconfigured logs and metrics
- {{ece}}: Platform monitoring
If you run {{kib}} as a service, the default location of the logs varies based on your platform and installation method:
:::::::{tab-set}
::::::{tab-item} Docker
On Docker, log messages go to the console and are handled by the configured Docker logging driver. To access logs, run docker logs.
::::::
::::::{tab-item} Debian (APT) and RPM
For Debian and RPM installations, {{es}} writes logs to /var/log/kibana.
::::::
::::::{tab-item} macOS and Linux
For macOS and Linux .tar.gz installations, {{es}} writes logs to $KIBANA_HOME/logs.
Files in $KIBANA_HOME risk deletion during an upgrade. In production, you should configure a different location for your logs.
::::::
::::::{tab-item} Windows .zip
For Windows .zip installations, {{es}} writes logs to %KIBANA_HOME%\logs.
Files in %KIBANA_HOME% risk deletion during an upgrade. In production, you should configure a different location for your logs.
::::::
:::::::
If you run {{kib}} from the command line, {{kib}} prints logs to the standard output (stdout).
You can also consume logs using stack monitoring.
If you run {{es}} as a service, the default location of the logs varies based on your platform and installation method:
:::::::{tab-set}
::::::{tab-item} Docker
On Docker, log messages go to the console and are handled by the configured Docker logging driver. To access logs, run docker logs.
::::::
::::::{tab-item} Debian (APT) and RPM
For Debian and RPM installations, {{es}} writes logs to /var/log/elasticsearch.
::::::
::::::{tab-item} macOS and Linux
For macOS and Linux .tar.gz installations, {{es}} writes logs to $ES_HOME/logs.
Files in $ES_HOME risk deletion during an upgrade. In production, we strongly recommend you set path.logs to a location outside of $ES_HOME. See Path settings.
::::::
::::::{tab-item} Windows .zip
For Windows .zip installations, {{es}} writes logs to %ES_HOME%\logs.
Files in %ES_HOME% risk deletion during an upgrade. In production, we strongly recommend you set path.logs to a location outside of %ES_HOME%. See Path settings.
::::::
:::::::
If you run {{es}} from the command line, {{es}} prints logs to the standard output (stdout).
You can also consume logs using stack monitoring.
You can also collect and index the following types of logs from other components in your deployments:
apm*.log*
fleet-server-json.log-*elastic-agent-json.log-*
The * indicates that we also index the archived files of each type of log.
In {{ech}} and {{ece}}, these types of logs are automatically ingested when stack monitoring is enabled.