forked from elastic/built-docs
logging.html
<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="UTF-8">
<title>Logging | Logstash Reference [7.1] | Elastic</title>
<meta class="elastic" name="content" content="Logging | Logstash Reference [7.1]">
<link rel="home" href="index.html" title="Logstash Reference [7.1]"/>
<link rel="up" href="setup-logstash.html" title="Setting Up and Running Logstash"/>
<link rel="prev" href="running-logstash-windows.html" title="Running Logstash on Windows"/>
<link rel="next" href="shutdown.html" title="Shutting Down Logstash"/>
<meta class="elastic" name="product_version" content="7.1"/>
<meta class="elastic" name="product_name" content="Logstash"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Logstash/Reference/7.1"/>
<meta name="DC.subject" content="Logstash"/>
<meta name="DC.identifier" content="7.1"/>
<meta name="robots" content="noindex,nofollow"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<script src="https://cdn.optimizely.com/js/18132920325.js"></script>
<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="/manifest.json">
<meta name="apple-mobile-web-app-title" content="Elastic">
<meta name="application-name" content="Elastic">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/mstile-144x144.png">
<meta name="theme-color" content="#ffffff">
<meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
<meta name="yandex-verification" content="d8a47e95d0972434" />
<meta name="localized" content="true" />
<meta name="st:robots" content="follow,index" />
<meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
<meta property="og:image:width" content="500" />
<meta property="og:image:height" content="172" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
<link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
<link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
<!-- Give IE8 a fighting chance -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="/guide/static/styles.css" />
</head>
<!--© 2015-2022 Elasticsearch B.V. -->
<!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
<!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->
<body>
<!-- Google Tag Manager -->
<script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
<!-- End Google Tag Manager -->
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-12395217-16');
</script>
<!-- Google Tag Manager for GA4 -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-KNJMG2M');</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager for GA4-->
<div id='elastic-nav' style="display:none;"></div>
<script src='https://www.elastic.co/elastic-nav.js'></script>
<div class="main-container">
<section id="content" >
<div class="content-wrapper">
<section id="guide" lang="en">
<div class="container-fluid">
<div class="row pb-3">
<div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
<!-- The TOC is appended here -->
</div>
<div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
<!-- start body -->
<div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="/guide/">Elastic Docs</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="index.html">Logstash Reference [7.1]</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="setup-logstash.html">Setting Up and Running Logstash</a></span>
</div>
<div class="navheader">
<span class="prev">
<a href="running-logstash-windows.html">« Running Logstash on Windows</a>
</span>
<span class="next">
<a href="shutdown.html">Shutting Down Logstash »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title"><a id="logging"></a>Logging<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h2>
</div></div></div>
<p>Logstash emits internal logs during its operation, which are placed in <code class="literal">LS_HOME/logs</code> (or <code class="literal">/var/log/logstash</code> for
DEB/RPM). The default logging level is <code class="literal">INFO</code>. Logstash’s logging framework is based on the
<a href="http://logging.apache.org/log4j/2.x/" class="ulink" target="_top">Log4j 2 framework</a>, and much of its functionality is exposed directly to users.</p>
<p>You can configure logging for a particular subsystem, module, or plugin.</p>
<p>When you need to debug problems, particularly problems with plugins, consider
increasing the logging level to <code class="literal">DEBUG</code> to get more verbose messages. For
example, if you are debugging issues with Elasticsearch Output, you can increase
log levels just for that component. This approach reduces noise from
excessive logging and helps you focus on the problem area.</p>
<p>You can configure logging using the <code class="literal">log4j2.properties</code> file or the Logstash API.</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong><code class="literal">log4j2.properties</code> file.</strong></span> Changes made through the <code class="literal">log4j2.properties</code>
file require you to restart Logstash for the changes to take effect. Changes <span class="strong strong"><strong>persist</strong></span>
through subsequent restarts.
</li>
<li class="listitem">
<span class="strong strong"><strong>Logging API.</strong></span> Changes made through the Logging API are effective immediately
without a restart. The changes <span class="strong strong"><strong>do not persist</strong></span> after Logstash
is restarted.
</li>
</ul>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title"><a id="log4j2"></a>Log4j2 configuration<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h3>
</div></div></div>
<p>Logstash ships with a <code class="literal">log4j2.properties</code> file with out-of-the-box settings. You
can modify this file to change the rotation policy, type, and other
<a href="https://logging.apache.org/log4j/2.x/manual/configuration.html#Loggers" class="ulink" target="_top">log4j2
configuration</a>.</p>
<p>You must restart Logstash to apply any changes that you make to
this file.
Changes to <code class="literal">log4j2.properties</code> persist after Logstash is restarted.</p>
<p>Here’s an example using <code class="literal">outputs.elasticsearch</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">logger.elasticsearchoutput.name = logstash.outputs.elasticsearch
logger.elasticsearchoutput.level = debug</pre>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title"><a id="_logging_apis"></a>Logging APIs<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h3>
</div></div></div>
<p>For temporary logging changes, modifying the <code class="literal">log4j2.properties</code> file and restarting Logstash leads to unnecessary
downtime. Instead, you can dynamically update logging levels through the logging API. These settings are effective
immediately and do not need a restart.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
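<p>By default, the logging API attempts to bind to <code class="literal">tcp:9600</code>. If this port is already in use by another Logstash
instance, you need to launch Logstash with the <code class="literal">--http.port</code> flag specified to bind to a different port. The requests
shown on this page carry no credentials, so any client that can reach the API port can read and change logging levels;
keep the API bound to a trusted address (see the <code class="literal">--http.host</code> flag). See
<a class="xref" href="running-logstash-command-line.html#command-line-flags" title="Command-Line Flags">Command-Line Flags</a> for more information.</p>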
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h4 class="title"><a id="_retrieve_list_of_logging_configurations"></a>Retrieve list of logging configurations<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h4>
</div></div></div>
<p>To retrieve a list of logging subsystems available at runtime, send a <code class="literal">GET</code> request to <code class="literal">_node/logging</code>:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">curl -XGET 'localhost:9600/_node/logging?pretty'</pre>
</div>
<p>Example response:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">{
...
"loggers" : {
"logstash.agent" : "INFO",
"logstash.api.service" : "INFO",
"logstash.basepipeline" : "INFO",
"logstash.codecs.plain" : "INFO",
"logstash.codecs.rubydebug" : "INFO",
"logstash.filters.grok" : "INFO",
"logstash.inputs.beats" : "INFO",
"logstash.instrument.periodicpoller.jvm" : "INFO",
"logstash.instrument.periodicpoller.os" : "INFO",
"logstash.instrument.periodicpoller.persistentqueue" : "INFO",
"logstash.outputs.stdout" : "INFO",
"logstash.pipeline" : "INFO",
"logstash.plugins.registry" : "INFO",
"logstash.runner" : "INFO",
"logstash.shutdownwatcher" : "INFO",
"org.logstash.Event" : "INFO",
"slowlog.logstash.codecs.plain" : "TRACE",
"slowlog.logstash.codecs.rubydebug" : "TRACE",
"slowlog.logstash.filters.grok" : "TRACE",
"slowlog.logstash.inputs.beats" : "TRACE",
"slowlog.logstash.outputs.stdout" : "TRACE"
}
}</pre>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h4 class="title"><a id="_update_logging_levels"></a>Update logging levels<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h4>
</div></div></div>
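<p>To change a logging level, send a <code class="literal">PUT</code> request to <code class="literal">_node/logging</code> and prefix the name of the subsystem, module, or plugin with <code class="literal">logger.</code>.</p>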
<p>Here is an example using <code class="literal">outputs.elasticsearch</code>:</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">curl -XPUT 'localhost:9600/_node/logging?pretty' -H 'Content-Type: application/json' -d'
{
"logger.logstash.outputs.elasticsearch" : "DEBUG"
}
'</pre>
</div>
<p>While this setting is in effect, Logstash emits DEBUG-level logs for <em>all</em> the Elasticsearch outputs
specified in your configuration. This setting is transient and does not survive a restart. DEBUG output is much more
verbose than the default, so reset the level once you have finished debugging.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you want logging changes to persist after a restart, add them to <code class="literal">log4j2.properties</code> instead.</p>
</div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h4 class="title"><a id="_reset_dynamic_logging_levels"></a>Reset dynamic logging levels<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h4>
</div></div></div>
<p>To reset any logging levels that may have been dynamically changed via the logging API, send a <code class="literal">PUT</code> request to
<code class="literal">_node/logging/reset</code>. All logging levels will revert to the values specified in the <code class="literal">log4j2.properties</code> file.</p>
<div class="pre_wrapper lang-js">
<pre class="programlisting prettyprint lang-js">curl -XPUT 'localhost:9600/_node/logging/reset?pretty'</pre>
</div>
</div>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title"><a id="_log_file_location"></a>Log file location<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h3>
</div></div></div>
<p>You can specify the log file location using the <code class="literal">--path.logs</code> setting.</p>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title"><a id="_slowlog"></a>Slowlog<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h3>
</div></div></div>
<p>Slowlog for Logstash adds the ability to log when a specific event takes an abnormal amount of time to make its way
through the pipeline. Just like the normal application log, you can find slowlogs in your <code class="literal">--path.logs</code> directory.
Slowlog is configured in the <code class="literal">logstash.yml</code> settings file with the following options:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">slowlog.threshold.warn (default: -1)
slowlog.threshold.info (default: -1)
slowlog.threshold.debug (default: -1)
slowlog.threshold.trace (default: -1)</pre>
</div>
<p>Slowlog is disabled by default. The default threshold values are set to
<code class="literal">-1nanos</code> to represent an infinite threshold, so no slowlog entries are written.</p>
<div class="section">
<div class="titlepage"><div><div>
<h4 class="title"><a id="_enable_slowlog"></a>Enable slowlog<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/logstash/edit/7.1/docs/static/logging.asciidoc">edit</a></h4>
</div></div></div>
<p>The <code class="literal">slowlog.threshold</code> fields use a time-value format which enables a wide
range of trigger intervals. You can specify ranges using the following time
units: <code class="literal">nanos</code> (nanoseconds), <code class="literal">micros</code> (microseconds), <code class="literal">ms</code> (milliseconds), <code class="literal">s</code>
(second), <code class="literal">m</code> (minute), <code class="literal">h</code> (hour), <code class="literal">d</code> (day).</p>
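<p>Slowlog becomes more sensitive and logs more events as you move the log level toward more verbose settings (from <code class="literal">warn</code> toward <code class="literal">trace</code>).</p>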
<p>Example:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">slowlog.threshold.warn: 2s
slowlog.threshold.info: 1s
slowlog.threshold.debug: 500ms
slowlog.threshold.trace: 100ms</pre>
</div>
<p>In this example:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If the log level is set to <code class="literal">warn</code>, the log shows events that took longer than 2 seconds to process.
</li>
<li class="listitem">
If the log level is set to <code class="literal">info</code>, the log shows events that took longer than 1s to process.
</li>
<li class="listitem">
If the log level is set to <code class="literal">trace</code>, the log shows events that took longer than 100ms to process.
</li>
<li class="listitem">
If the log level is set to <code class="literal">debug</code>, the log shows events that took longer than 500ms to process.
</li>
</ul>
</div>
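<p>The logs include the full event and the filter configuration that are responsible
for the slowness. Because complete events are written to the slowlog, protect these files with the same access controls as the event data itself.</p>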
</div>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="running-logstash-windows.html">« Running Logstash on Windows</a>
</span>
<span class="next">
<a href="shutdown.html">Shutting Down Logstash »</a>
</span>
</div>
</div>
<!-- end body -->
</div>
<div class="col-12 order-3 col-lg-2 order-lg-3 h-almost-full-lg sticky-top-lg" id="right_col">
<div id="sticky_content">
<!-- The OTP is appended here -->
<div class="row">
<div class="col-0 col-md-4 col-lg-0" id="bottom_left_col"></div>
<div class="col-12 col-md-8 col-lg-12">
<div id="rtpcontainer">
<div class="mktg-promo" id="most-popular">
<p class="aside-heading">Most Popular</p>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&elektra=docs&storm=top-video">
<p class="mb-0">Get Started with Elasticsearch</p>
</a>
</div>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&elektra=docs&storm=top-video">
<p class="mb-0">Intro to Kibana</p>
</a>
</div>
<div class="pb-2">
<p class="media-type">Video</p>
<a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&elektra=docs&storm=top-video">
<p class="mb-0">ELK for Logs & Metrics</p>
</a>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
</div>
<div id='elastic-footer'></div>
<script src='https://www.elastic.co/elastic-footer.js'></script>
<!-- Footer Section end-->
</section>
</div>
<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
window.initial_state = {}</script>
</body>
</html>