Alibaba Cloud Elasticsearch allows you to specify a keyword and a time range in the Elasticsearch console to query specific logs of your Elasticsearch cluster. You can use the logs to identify cluster issues and perform cluster O&M in an efficient manner. This topic describes how to query logs and describes common types of logs.
Limits
- You can view access logs in the Elasticsearch console only for Elasticsearch V6.7.0 and V7.10 clusters.
- You can view audit logs in the Elasticsearch console only for Elasticsearch V7.X clusters that reside in the following regions.
Country or district | Region |
---|---|
China | China (Beijing), China (Hangzhou), China (Shanghai), and China (Zhangjiakou) |
Asia Pacific | Singapore (Singapore), Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), India (Mumbai), and Japan (Tokyo) |
Europe & Americas | US (Virginia), US (Silicon Valley), Germany (Frankfurt), and UK (London) |
Procedure
Common types of logs
Cluster logs

Parameter | Description |
---|---|
Time | The time when the log is generated. |
Node IP | The IP address of the node that generates the log. |
Content | The details about the log. The following fields are contained: |
Slow logs
Slow logs include slow search logs and slow indexing logs. If the time that is required to complete a read or write operation exceeds a specific threshold, a slow log is generated for the operation. The Search Slow Log tab displays slow search logs, and the Indexing Slow Log tab displays slow indexing logs. By default, slow log collection is enabled. If unbalanced loads, read or write exceptions, or slow data processing issues occur on your cluster, you can troubleshoot issues based on the slow logs.
- Use scenario-based templates. After a cluster is created, scenario-based templates are enabled and applied to the cluster. The index template defines the configurations of slow logs. We recommend that you retain the default configurations. The following code shows the default configurations of slow logs in the General scenario:

  "settings": {
    "index": {
      "search": {
        "slowlog": {
          "level": "info",
          "threshold": {
            "fetch": { "warn": "200ms", "trace": "50ms", "debug": "80ms", "info": "100ms" },
            "query": { "warn": "500ms", "trace": "50ms", "debug": "100ms", "info": "200ms" }
          }
        }
      },
      "refresh_interval": "10s",
      "unassigned": {
        "node_left": { "delayed_timeout": "5m" }
      },
      "indexing": {
        "slowlog": {
          "level": "info",
          "threshold": {
            "index": { "warn": "200ms", "trace": "20ms", "debug": "50ms", "info": "100ms" }
          },
          "source": "1000"
        }
      }
    }
  }
  Note: If the value of the Scenario parameter is None in the Scenario-based Configuration section of the Cluster Configuration page, you can configure the parameter based on your business requirements. Then, submit the templates to apply the default configurations of slow logs to the cluster. For more information, see Use a scenario-based template to modify the configurations of a cluster.
- Log on to the Kibana console of the cluster and run the following command to modify the configurations of slow logs:

  PUT _settings
  {
    "index.indexing.slowlog.threshold.index.warn" : "200ms",
    "index.indexing.slowlog.threshold.index.trace" : "20ms",
    "index.indexing.slowlog.threshold.index.debug" : "50ms",
    "index.indexing.slowlog.threshold.index.info" : "100ms",
    "index.search.slowlog.threshold.fetch.warn" : "200ms",
    "index.search.slowlog.threshold.fetch.trace" : "50ms",
    "index.search.slowlog.threshold.fetch.debug" : "80ms",
    "index.search.slowlog.threshold.fetch.info" : "100ms",
    "index.search.slowlog.threshold.query.warn" : "500ms",
    "index.search.slowlog.threshold.query.trace" : "50ms",
    "index.search.slowlog.threshold.query.debug" : "100ms",
    "index.search.slowlog.threshold.query.info" : "200ms"
  }
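
The following Python example is added here and is not part of the original documentation. It flattens the slow-log portion of the General-scenario template into the dotted keys that PUT _settings takes, and reports the level at which an operation of a given duration is logged. It assumes upstream Elasticsearch behavior (the most severe threshold exceeded selects the level, and entries below the configured level are suppressed); `flatten`, `to_ms` and `logged_level` are illustrative names, and the sample durations are constructed.

```python
import re

# Slow-log portion of the General-scenario template shown above.
TEMPLATE = {"index": {
    "search": {"slowlog": {"level": "info", "threshold": {
        "fetch": {"warn": "200ms", "trace": "50ms", "debug": "80ms", "info": "100ms"},
        "query": {"warn": "500ms", "trace": "50ms", "debug": "100ms", "info": "200ms"}}}},
    "indexing": {"slowlog": {"level": "info", "threshold": {
        "index": {"warn": "200ms", "trace": "20ms", "debug": "50ms", "info": "100ms"}}}}}}

SEVERITY = ["trace", "debug", "info", "warn"]  # least to most severe
UNIT_MS = {"nanos": 1e-6, "micros": 1e-3, "ms": 1, "s": 1000,
           "m": 60_000, "h": 3_600_000, "d": 86_400_000}

def flatten(node, prefix=""):
    """Turn nested settings into the dotted keys that PUT _settings accepts."""
    out = {}
    for key, value in node.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out

def to_ms(text):
    """Convert an Elasticsearch time value such as '200ms' or '5m' to milliseconds."""
    match = re.fullmatch(r"(\d+)(nanos|micros|ms|s|m|h|d)", text)
    if not match:
        raise ValueError(f"unsupported time value: {text!r}")
    return int(match.group(1)) * UNIT_MS[match.group(2)]

def logged_level(settings, kind, phase, took_ms):
    """Level at which the operation is logged, or None when no entry is written."""
    # Assumption (upstream Elasticsearch behaviour): the most severe threshold
    # exceeded picks the level; entries below the `level` setting are dropped.
    base = f"index.{kind}.slowlog"
    floor = SEVERITY.index(settings.get(f"{base}.level", "trace"))
    for level in reversed(SEVERITY):
        limit = settings.get(f"{base}.threshold.{phase}.{level}")
        if limit is not None and took_ms > to_ms(limit):
            return level if SEVERITY.index(level) >= floor else None
    return None

if __name__ == "__main__":
    flat = flatten(TEMPLATE)
    for took in (650, 250, 120, 30):  # constructed query durations in ms
        print(took, "ms ->", logged_level(flat, "search", "query", took))
```

With the default level of info, a 120 ms query exceeds only the debug threshold and therefore leaves no entry; lowering `index.search.slowlog.level` to debug makes it visible.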

GC logs

Access logs

Audit logs
The Audit Log tab displays the audit logs generated for operations that are performed on an Elasticsearch cluster, such as the create, delete, modify, and query operations. By default, audit log collection is disabled. To enable audit log collection and view audit logs, perform the following steps:
References
FAQ
- Can I specify a retention period for the .security indexes of an Elasticsearch cluster?
- How do I view the logs that are generated over the last seven days?
- I cannot view the search and update logs of an Elasticsearch cluster. What do I do?
- How do I configure and view the slow logs of an Elasticsearch cluster?
- How do I obtain the slow logs of an Elasticsearch cluster on a regular basis?