Alibaba Cloud Elasticsearch allows you to specify a keyword and a time range in the Elasticsearch console to query specific logs of your Elasticsearch cluster. The logs help you identify cluster issues and perform cluster O&M in an efficient manner. This topic describes the common types of logs and how to query them.
Procedure
Common types of logs
Cluster logs

Parameter | Description |
---|---|
Time | The time when the log was generated. |
Node IP | The IP address of the node that generates the log. |
Content | The details about the log. This parameter contains the following fields: |
Slow logs
Slow logs include slow query logs and slow indexing logs. If the time that is required to complete an indexing or query operation exceeds a specified time threshold, slow logs are generated. The Search Slow Log tab displays slow query logs, and the Indexing Slow Log tab displays slow indexing logs. By default, slow log collection is enabled. If unbalanced loads, read or write exceptions, or slow data processing issues occur on your cluster, you can troubleshoot issues based on the slow logs.
- Use scenario-based templates. After a cluster is created, scenario-based templates are enabled and applied to the cluster. The index template defines the configurations of slow logs. We recommend that you retain the default configurations. The following code shows the default configurations of slow logs in the General scenario:

```json
"settings": {
  "index": {
    "search": {
      "slowlog": {
        "level": "info",
        "threshold": {
          "fetch": {
            "warn": "200ms",
            "trace": "50ms",
            "debug": "80ms",
            "info": "100ms"
          },
          "query": {
            "warn": "500ms",
            "trace": "50ms",
            "debug": "100ms",
            "info": "200ms"
          }
        }
      }
    },
    "refresh_interval": "10s",
    "unassigned": {
      "node_left": {
        "delayed_timeout": "5m"
      }
    },
    "indexing": {
      "slowlog": {
        "level": "info",
        "threshold": {
          "index": {
            "warn": "200ms",
            "trace": "20ms",
            "debug": "50ms",
            "info": "100ms"
          }
        },
        "source": "1000"
      }
    }
  }
}
```
Note: If the value of the Scenario parameter is None in the Scenario-based Configuration section of the Cluster Configuration page, you can configure the parameter based on your business requirements. Then, submit the templates to apply the default configurations of slow logs to the cluster. For more information, see Use a scenario-based template to modify the configurations of a cluster.

- Log on to the Kibana console of the cluster and run the following command to modify the configurations of slow logs.
```
PUT _settings
{
  "index.indexing.slowlog.threshold.index.warn": "200ms",
  "index.indexing.slowlog.threshold.index.trace": "20ms",
  "index.indexing.slowlog.threshold.index.debug": "50ms",
  "index.indexing.slowlog.threshold.index.info": "100ms",
  "index.search.slowlog.threshold.fetch.warn": "200ms",
  "index.search.slowlog.threshold.fetch.trace": "50ms",
  "index.search.slowlog.threshold.fetch.debug": "80ms",
  "index.search.slowlog.threshold.fetch.info": "100ms",
  "index.search.slowlog.threshold.query.warn": "500ms",
  "index.search.slowlog.threshold.query.trace": "50ms",
  "index.search.slowlog.threshold.query.debug": "100ms",
  "index.search.slowlog.threshold.query.info": "200ms"
}
```
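The scenario template and the PUT _settings body carry the same thresholds, once in nested form and once as dotted keys. The following Python check is an added example, not part of the original documentation: it flattens the settings object of one index (as returned by GET <index>/_settings, nested or with ?flat_settings=true) and reports slow log thresholds that are unset, disabled with -1, or higher than the General-scenario defaults. The function names and the sample settings are constructed for illustration.

```python
import json
import re

# General-scenario slow log defaults, copied from the template on this page.
BASELINE = json.loads("""
{"index": {
  "search": {"slowlog": {"threshold": {
    "fetch": {"warn": "200ms", "trace": "50ms", "debug": "80ms", "info": "100ms"},
    "query": {"warn": "500ms", "trace": "50ms", "debug": "100ms", "info": "200ms"}}}},
  "indexing": {"slowlog": {"threshold": {
    "index": {"warn": "200ms", "trace": "20ms", "debug": "50ms", "info": "100ms"}}}}}}
""")
UNIT_MS = {"nanos": 1e-6, "micros": 1e-3, "ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}

def flatten(node, prefix=""):
    """Turn nested settings into the dotted keys used by PUT _settings."""
    flat = {}
    for key, value in node.items():
        path = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat

def to_ms(value):
    """Parse an Elasticsearch time value; "-1" (threshold disabled) gives None."""
    if value.strip() == "-1":
        return None
    match = re.fullmatch(r"(\d+)(nanos|micros|ms|s|m|h|d)", value.strip())
    if match is None:
        raise ValueError(f"not a time value: {value!r}")
    return int(match.group(1)) * UNIT_MS[match.group(2)]

def audit(settings):
    """Return {key: finding} for thresholds weaker than the baseline."""
    actual, findings = flatten(settings), {}
    for key, expected in flatten(BASELINE).items():
        if key not in actual:
            findings[key] = "not set"
        elif to_ms(actual[key]) is None:
            findings[key] = "disabled"
        elif to_ms(actual[key]) > to_ms(expected):
            findings[key] = f"relaxed to {actual[key]}"
    return findings

# Constructed sample in the flat form returned with ?flat_settings=true.
SAMPLE = {**flatten(BASELINE), "index.search.slowlog.threshold.query.warn": "2s",
          "index.indexing.slowlog.threshold.index.warn": "-1"}
print(audit(SAMPLE))
```

Thresholds that are stricter than the baseline are not reported, because they produce more slow log entries rather than fewer.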

GC logs

Access logs
Audit logs
The Audit Log tab displays the audit logs generated for operations that are performed on an Elasticsearch cluster, such as the create, delete, modify, and query operations. By default, audit log collection is disabled. To enable audit log collection and view audit logs, perform the following steps: