Set up logging

edit

The logging section of the auditbeat.yml config file contains options for configuring the Beats logging output. The logging system can write logs to the syslog or rotate log files. If logging is not explicitly configured, file output is used on Windows systems, and syslog output is used on Linux and OS X.

logging.level: warning
logging.to_files: true
logging.to_syslog: false
logging.files:
  path: /var/log/mybeat
  name: mybeat.log
  keepfiles: 7
  permissions: 0644

In addition to setting logging options in the config file, you can modify the logging output configuration from the command line. See Auditbeat commands.

Configuration options

edit

You can specify the following options in the logging section of the auditbeat.yml config file:

logging.to_syslog

edit

When true, writes all logging output to the syslog.

logging.to_files

edit

When true, writes all logging output to files. The log files are automatically rotated when the log file size limit is reached.

Auditbeat only creates a log file if there is logging output. For example, if you set the log level to error and there are no errors, there will be no log file in the directory specified for logs.

logging.level

edit

Minimum log level. One of debug, info, warning, error, or critical. The default log level is info.

debug
Logs debug messages, including a detailed printout of all events flushed by the Beat. Also logs informational messages, warnings, errors, and critical errors. When the log level is debug, you can specify a list of selectors to display debug messages for specific components. If no selectors are specified, the * selector is used to display debug messages for all components.
info
Logs informational messages, including the number of events that are published. Also logs any warnings, errors, or critical errors.
warning
Logs warnings, errors, and critical errors.
error
Logs errors and critical errors.
critical
Logs critical errors only.

logging.selectors

edit

The list of debugging-only selector tags used by different Beats components. Use * to enable debug output for all components. For example add publish to display all the debug messages related to event publishing. When starting the Beat, selectors can be overwritten using the -d command line option (-d also sets the debug log level).

logging.metrics.enabled

edit

If enabled, Auditbeat periodically logs its internal metrics that have changed in the last period. For each metric that changed, the delta from the value at the beginning of the period is logged. Also, the total values for all non-zero internal metrics are logged on shutdown. The default is true.

Here is an example log line:

2016/07/04 12:16:10.821047 logp.go:194: INFO Non-zero metrics in the last 30s:  libbeatEsPublishedAndAckedEvents=18 libbeatEsPublishWriteBytes=10045

Note that we currently offer no backwards compatible guarantees for the internal metrics and for this reason they are also not documented.

logging.metrics.period

edit

The period after which to log the internal metrics. The default is 30s.

logging.files.path

edit

The directory that log files are written to. The default is the logs path. See the Directory layout section for details.

logging.files.name

edit

The name of the file that logs are written to. By default, the name of the Beat is used.

logging.files.rotateeverybytes

edit

The maximum size of a log file. If the limit is reached, a new log file is generated. The default size limit is 10485760 (10 MB).

logging.files.keepfiles

edit

The number of most recent rotated log files to keep on disk. Older files are deleted during log rotation. The default value is 7. The keepfiles options has to be in the range of 2 to 1024 files.

logging.files.permissions

edit

The permissions mask to apply when rotating log files. The default value is 0600. The permissions option must be a valid Unix-style file permissions mask expressed in octal notation. In Go, numbers in octal notation must start with 0.

Examples:

  • 0644: give read and write access to the file owner, and read access to all others.
  • 0600: give read and write access to the file owner, and no access to all others.
  • 0664: give read and write access to the file owner and members of the group associated with the file, as well as read access to all other users.

logging.json

edit

When true, logs messages in JSON format. The default is false.

Logging format

edit

The logging format is different for each logging type:

  • to syslog: Syslog adds the timestamp itself.
  • to file: RFC 3339 format is used for the timestamp: 2006-01-02T15:04:05Z07:00 WARN log-message. The format includes the timezone followed by the logging level.
  • to stderr: UTC format is used for the timestamp: 2015/11/12 09:03:37.369262 geolite.go:52: WARN log-message. The format includes the UTC timestamp with the milliseconds, then the name of the caller that sent the log entry followed by the logging level. This option should be used mainly for debugging.