Elasticsearch: Query logs

Last Updated: Jun 23, 2026

Alibaba Cloud Elasticsearch provides a log query feature that allows you to search for logs by keyword and time range. This helps you quickly pinpoint cluster issues and simplifies operations and maintenance. This topic describes how to query logs and explains the available log types.

Limitations

  • Access Log: This feature is available only for Elasticsearch instances running version 6.7.0 (with minor engine version ≥ 1.0.2) or version 7.10 or later.

  • Audit Log: You can view audit logs in the console only for instances running version 7.x or later in the following regions.

    Country or region   | Region
    China               | China (Beijing), China (Hangzhou), China (Shanghai), China (Zhangjiakou)
    Asia Pacific        | Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Japan (Tokyo)
    Europe and Americas | US (Virginia), US (Silicon Valley), Germany (Frankfurt), UK (London)

Procedure

  1. Log on to the Alibaba Cloud Elasticsearch console.

  2. In the left navigation menu, choose Elasticsearch Clusters.

  3. Navigate to the target cluster.

    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.

    2. On the Elasticsearch Clusters page, find the cluster and click its ID.

  4. In the left-side navigation pane, click Logs to view the cluster's runtime logs.

    Alibaba Cloud Elasticsearch supports the following log types: main log, searching slow log, indexing slow log, GC log, ES access log, and audit log. Each log type, what it records, and its use cases are described below. For more information, see Log details.

    Cluster Log (main log)

    Description: Records the health status of a cluster and logs for index queries and writes. For example, write logs include events such as index creation, mapping updates, and write queue overloads. Query logs include events such as query queue status and query exceptions.

    Use cases: Use the main log to check the runtime status of nodes, query and write activities, node connectivity, Full GC events, index creation or deletion, and cluster-level query errors.

    Important

    If an issue occurs on the client side, first check the main log and Cluster Monitoring to rule out performance bottlenecks or configuration problems in the cluster.

    Search Slow Log

    Description: Records slow queries. When a query's execution time exceeds a specified threshold, its information is logged. The slow query threshold is pre-configured in the index template of the Scenario-specific Configuration Template with optimal default values. You only need to apply the template. For more information, see Index template configuration.

    Use cases: If queries take longer than expected, check the searching slow log to investigate.

    Slow queries consume more cluster resources. If you notice a large number of slow logs, check the cluster resources and load to identify bottlenecks. Then expand the corresponding resources or use the aliyun-qos plugin to apply rate limiting and ensure cluster stability.

    Indexing Slow Log

    Description: Records slow write operations. When a write operation's execution time exceeds a specified threshold, its information is logged. The slow write threshold is pre-configured in the index template of the Scenario-specific Configuration Template with optimal default values. You only need to apply the template. For more information, see Index template configuration.

    Use cases: If write operations take longer than expected, check the indexing slow log to investigate.

    Slow write operations consume more cluster resources. If you notice a large number of slow logs, check the cluster resources and load to identify bottlenecks. Then expand the corresponding resources or use the aliyun-qos plugin to apply rate limiting and ensure cluster stability.

    GC Log

    Description: Records garbage collection events triggered by JVM heap memory usage. The GC log provides detailed information about various collection mechanisms, including Old GC, CMS GC, Full GC, and Minor GC.

    Use cases: When a cluster experiences performance bottlenecks, check the GC log for detailed collection information and long-running or frequent GC events. If such events exist, expand cluster resources or use the aliyun-qos plugin to apply rate limiting and ensure cluster stability.

    Important

    By default, Alibaba Cloud Elasticsearch clusters use the CMS garbage collector. For data nodes with 32 GB or more of memory, use the G1 garbage collector to improve GC efficiency. For more information, see Configure a garbage collector.

    Access Log

    Description: Records access logs for a cluster. These logs show details of restSearchAction-related requests received by the Elasticsearch cluster, including the URI, body size, and request time.

    Important
    • You can view the Access Log in the console only for instances running version 6.7.0 (with minor engine version ≥ 1.0.2) or version 7.10 or later.

    • The ES access log does not support logging for the following query types: SQL queries, multi-search queries, scroll queries, and queries triggered by some Kibana visualization tools.

    • To obtain more comprehensive information about query and write requests, enable audit logs. For more information, see Configure an audit log collector.

    Use cases: Use the Access Log to identify which clients are sending query requests to the Elasticsearch cluster.

    Audit Log

    Description: Records security-related events in an Elasticsearch instance based on the X-Pack Security audit feature. It logs events such as create, delete, update, and query operations, as well as user authentication successes, failures, and permission changes.

    Important
    • You can view audit logs in the console only for instances that run version 7.x or later in the regions listed in Limitations. For other instances, you need to enable audit logs in the YML configuration. Once enabled, audit logs are written to an index in the current Elasticsearch cluster. You can view the audit logs by querying indices that start with .security_audit_log-* in the Kibana console. For more information, see Configure YML parameters.

    • To view audit logs in the console, you must first enable audit log collection by clicking Log Configuration.

    • By default, the following event types are collected: access_denied, anonymous_access_denied, authentication_failed, connection_denied, tampered_request, run_as_denied, run_as_granted. To change the collected event types, modify the xpack.security.audit.logfile.events.include parameter in the cluster's YML file. For more information, see Configure an audit log collector.

    Use cases: Use audit logs to review user authentication successes and failures, troubleshoot authentication failures and connection denials, monitor data access events, or investigate suspicious activities such as changes to data access authorizations and user security configurations.

  5. On the log page, enter your query conditions in the search box, select a start and end time, and click Search.

    Alibaba Cloud Elasticsearch returns and displays log results on the log query page based on your query.

    • You can query logs from the last seven consecutive days. By default, logs are displayed in reverse chronological order.

    • The query syntax is based on Lucene. For more information, see Query string syntax.

    • The AND operator in your query must be in uppercase.

    • If you do not specify an end time, it defaults to the current time. If you do not specify a start time, it defaults to one hour before the end time.

    For example, to query main logs where content contains the keyword health, level is info, and host is 172.16.xx.xx, use the following query: host:172.16.xx.xx AND content:health AND level:info.

    Important
    • A maximum of 10,000 log entries can be returned per query.

      If the 10,000 returned entries do not contain the information you need, narrow the time range of your query.

    • A single log entry can display a maximum of 10,000 characters.

Log details

Main log

The main log shows the runtime logs of the cluster, including the generation time, the source node's IP address, and the log content.

(Figure: ES log query results)

Each entry contains the following parameters:

  • Time: The time when the log was generated.

  • Node IP Address: The IP address of the node that generated the log.

  • Content: The log details, which primarily consist of level, host, time, and content:

    • level: The log level, such as trace, debug, info, warn, or error.

      Note

      A GC log does not have a level field.

    • host: The IP address of the node that generated the log.

    • time: The time when the log was generated.

    • content: The main content of the log.

Slow log

Slow logs are enabled by default and show logs for indexing (indexing slow log) and query (searching slow log) operations that exceed a specified time threshold. Query these logs to analyze issues such as uneven cluster load, read/write exceptions, and slow data processing.

By default, the slow log of Alibaba Cloud Elasticsearch records read and write operations that take 5 to 10 seconds, a threshold that may be too high for effective troubleshooting. After creating an instance, you can use one of the following methods to reduce the logging threshold and capture more log data:

  • After a cluster is created, the Scenario-specific Configuration Template is enabled by default and automatically applied to the cluster. The Index template configuration within it defines the slow log settings. The default slow log configuration for the general-purpose scenario is as follows:

      "settings": {
        "index": {
          "search": {
            "slowlog": {
              "level": "info",
              "threshold": {
                "fetch": {
                  "warn": "200ms",
                  "trace": "50ms",
                  "debug": "80ms",
                  "info": "100ms"
                },
                "query": {
                  "warn": "500ms",
                  "trace": "50ms",
                  "debug": "100ms",
                  "info": "200ms"
                }
              }
            }
          },
          "refresh_interval": "10s",
          "unassigned": {
            "node_left": {
              "delayed_timeout": "5m"
            }
          },
          "indexing": {
            "slowlog": {
              "level": "info",
              "threshold": {
                "index": {
                  "warn": "200ms",
                  "trace": "20ms",
                  "debug": "50ms",
                  "info": "100ms"
                }
              },
              "source": "1000"
            }
          }
        }
      }
    Note

    If the Scenario is None, you must enable and submit the template configuration to apply the default slow log settings to the cluster. For more information, see Modify a scenario-specific configuration template.

  • Log on to the instance's Kibana console and run the following command to modify the slow log configuration. For more information, see Log on to the Kibana console.

    PUT _settings
    {
      "index.indexing.slowlog.threshold.index.warn": "200ms",
      "index.indexing.slowlog.threshold.index.trace": "20ms",
      "index.indexing.slowlog.threshold.index.debug": "50ms",
      "index.indexing.slowlog.threshold.index.info": "100ms",
      "index.search.slowlog.threshold.fetch.warn": "200ms",
      "index.search.slowlog.threshold.fetch.trace": "50ms",
      "index.search.slowlog.threshold.fetch.debug": "80ms",
      "index.search.slowlog.threshold.fetch.info": "100ms",
      "index.search.slowlog.threshold.query.warn": "500ms",
      "index.search.slowlog.threshold.query.trace": "50ms",
      "index.search.slowlog.threshold.query.debug": "100ms",
      "index.search.slowlog.threshold.query.info": "200ms"
    }

After you make this change, logs for read or write tasks that exceed the configured threshold will appear in the Slow Log tab.

(Figure: Slow log)
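The nested template settings and the flat PUT _settings keys above are two spellings of the same thresholds. The following Python helper is an added example, not part of the Alibaba Cloud documentation or product: it converts the nested form into the dotted keys, and checks that within each phase the thresholds rise from trace to warn, so a mistyped value (for example an info threshold above warn) is caught before the settings are applied to a cluster.

```python
import json

# Slow-log part of the general-purpose template shown on this page, copied here
# (constructed, trimmed to the slowlog settings) so the example runs offline.
TEMPLATE_SETTINGS = {
    "index": {
        "search": {"slowlog": {"level": "info", "threshold": {
            "fetch": {"warn": "200ms", "trace": "50ms", "debug": "80ms", "info": "100ms"},
            "query": {"warn": "500ms", "trace": "50ms", "debug": "100ms", "info": "200ms"},
        }}},
        "indexing": {"slowlog": {"level": "info", "threshold": {
            "index": {"warn": "200ms", "trace": "20ms", "debug": "50ms", "info": "100ms"},
        }, "source": "1000"}},
    }
}

LEVEL_ORDER = ("trace", "debug", "info", "warn")  # least to most severe

def parse_duration_ms(value):
    """Convert an Elasticsearch time value such as '200ms', '10s' or '5m' to milliseconds."""
    for suffix, factor in (("ms", 1), ("s", 1000), ("m", 60_000)):  # 'ms' must be tried first
        if value.endswith(suffix):
            return int(value[: -len(suffix)]) * factor
    raise ValueError(f"unsupported time value: {value}")

def flatten_slowlog_thresholds(settings):
    """Rewrite nested slowlog thresholds as the dotted keys used with PUT _settings."""
    flat = {}
    for op in ("search", "indexing"):
        thresholds = settings["index"].get(op, {}).get("slowlog", {}).get("threshold", {})
        for phase, levels in thresholds.items():          # fetch / query / index
            for level, value in levels.items():           # trace / debug / info / warn
                flat[f"index.{op}.slowlog.threshold.{phase}.{level}"] = value
    return flat

def check_threshold_order(flat):
    """Return the phases whose thresholds are not non-decreasing from trace to warn.
    A 'warn' threshold below 'info' would make the warn line fire first and hide the info tier."""
    bad = []
    prefixes = {key.rsplit(".", 1)[0] for key in flat}
    for prefix in sorted(prefixes):
        ms = [parse_duration_ms(flat[f"{prefix}.{lvl}"]) for lvl in LEVEL_ORDER if f"{prefix}.{lvl}" in flat]
        if ms != sorted(ms):
            bad.append(prefix)
    return bad

def put_settings_body(settings):
    """JSON body to paste after 'PUT _settings' in the Kibana console."""
    return json.dumps(flatten_slowlog_thresholds(settings), indent=2)
```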

GC log

The GC log is enabled by default and contains the generation time, the source node's IP address, and the log content. For more information, see Main log.

(Figure: GC log)

ES access log

The access log shows detailed information about restSearchAction-related requests received by the Elasticsearch cluster, including the cluster node and IP address, body size, request content, request time, client IP address, and URI.

Important
  • You can view the Access Log in the console only for instances running version 6.7.0 (with minor engine version ≥ 1.0.2) or version 7.10 or later.

  • To obtain more comprehensive information about query and write requests, enable audit logs. For more information, see Configure an audit log collector.

(Figure: ES access log)

Audit log

Important

You can view audit logs in the console only for instances that run version 7.x or later in the regions listed in Limitations.

Based on the X-Pack Security audit feature, the audit log records security-related events in your Elasticsearch cluster, including user authentication successes and failures, permission changes, data access authorizations, and create, delete, update, and query operations. Audit logs let you track user authentication records and operational behavior within the cluster. This feature is disabled by default. Follow these steps to enable and view audit logs:

  1. On the Logs page, click Log Configuration on the right.

  2. In the Log Configuration dialog box, turn on the Audit Log Collection switch.

    Important
    • After you enable Audit Log Collection, you can query the audit logs for the cluster on the current page. To change the collected event types, go to the cluster configuration and modify the xpack.security.audit.logfile.events.include parameter. For more information, see Configure an audit log collector.

    • Enabling or disabling Audit Log Collection triggers a cluster restart. Alibaba Cloud Elasticsearch uses a rolling restart. The cluster remains available during the restart if it is in a green state, every index has at least one replica, and resource utilization is not excessive. However, we recommend performing this operation during off-peak hours.

  3. Read the prompt and click OK.

    The cluster restarts after you confirm. You can view the progress in the Task List. After the cluster restarts, audit log collection is enabled.

    Important

    Audit log data consumes disk space and can affect performance. If you no longer need to view audit logs, you can use the same method to disable the Audit Log Collection feature.

  4. On the Logs page, click the Audit Log tab to view the audit logs.

    (Figure: Audit log)
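As an added example, not part of this page or the Alibaba Cloud product, the following Python script triages a few constructed audit entries using the default collected event types listed above (access_denied, authentication_failed, run_as_granted, and so on). It assumes the JSON field names of the X-Pack 7.x audit logfile format (event.action, user.name, origin.address), which this page does not show, and counts repeated authentication failures per user and client IP, the kind of pattern the Audit Log tab is meant to surface.

```python
import json
from collections import Counter

# Event types collected by default, as listed on this page for
# xpack.security.audit.logfile.events.include.
DEFAULT_INCLUDED_EVENTS = {
    "access_denied", "anonymous_access_denied", "authentication_failed",
    "connection_denied", "tampered_request", "run_as_denied", "run_as_granted",
}

# Constructed sample entries (not real data). Field names follow the X-Pack 7.x
# JSON audit logfile layout; that layout is an assumption, not shown on this page.
SAMPLE_AUDIT_LINES = [
    '{"type":"audit","timestamp":"2024-05-01T08:00:01,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"10.0.0.5:51000","url.path":"/_search"}',
    '{"type":"audit","timestamp":"2024-05-01T08:00:02,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"10.0.0.5:51001","url.path":"/_search"}',
    '{"type":"audit","timestamp":"2024-05-01T08:00:03,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"10.0.0.5:51002","url.path":"/_search"}',
    '{"type":"audit","timestamp":"2024-05-01T08:00:04,000+0000","event.action":"authentication_failed","user.name":"elastic","origin.address":"10.0.0.9:40000","url.path":"/_cat/indices"}',
    '{"type":"audit","timestamp":"2024-05-01T08:01:00,000+0000","event.action":"access_denied","user.name":"reader","origin.address":"10.0.1.7:33000","url.path":"/logs-2024/_doc/1"}',
    '{"type":"audit","timestamp":"2024-05-01T08:02:00,000+0000","event.action":"run_as_granted","user.name":"kibana_system","origin.address":"10.0.1.2:44000"}',
    'this line was truncated at 10,000 characters and is not valid JSON',
]

def parse_audit_lines(lines):
    """Parse one JSON object per line; skip malformed lines instead of aborting the run."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def count_by_action(events):
    """Count events per event.action, keeping only the default collected types."""
    return Counter(e["event.action"] for e in events
                   if e.get("event.action") in DEFAULT_INCLUDED_EVENTS)

def repeated_auth_failures(events, threshold=3):
    """(user, client IP) pairs with at least `threshold` authentication_failed events;
    a simple signal that a client is worth investigating in the Audit Log tab."""
    hits = Counter()
    for e in events:
        if e.get("event.action") != "authentication_failed":
            continue
        client_ip = e.get("origin.address", "").rsplit(":", 1)[0]  # drop the source port
        hits[(e.get("user.name", "<anonymous>"), client_ip)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}
```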

References

ListSearchLog

FAQ