Using Kibana server logsedit

Kibana Logs is a great way to see what’s going on in your application and to debug performance issues. Navigating through a large number of generated logs can be overwhelming, and following are some techniques that you can use to optimize the process.

Start by defining a problem area that you are interested in. For example, you might be interested in seeing how a particular Kibana Plugin is performing, so no need to gather logs for all of Kibana. Or you might want to focus on a particular feature, such as requests from the Kibana server to the Elasticsearch server. Depending on your needs, you can configure Kibana to generate logs for a specific feature.

logging:
  appenders:
    file:
      type: file
      fileName: ./kibana.log
      layout:
        type: json

### gather all the Kibana logs into a file
logging.root:
    appenders: [file]
    level: all

### or gather a subset of the logs
logging.loggers:
  ### responses to an HTTP request
  - name: http.server.response
    level: debug
    appenders: [file]
  ### result of a query to the Elasticsearch server
  - name: elasticsearch.query
    level: debug
    appenders: [file]
  ### logs generated by my plugin
  - name: plugins.myPlugin
    level: debug
    appenders: [file]

Kibana’s file appender is configured to produce logs in ECS JSON format. It’s the only format that includes the meta information necessary for log correlation out-of-the-box.

The next step is to define what observability tools are available. For a better experience, set up an Observability integration provided by Elastic to debug your application with the APM UI. To debug something quickly without setting up additional tooling, you can work with the plain Kibana logs.

APM UIedit

Prerequisites Kibana logs are configured to be in ECS JSON format to include tracing identifiers.

To debug Kibana with the APM UI, you must set up the APM infrastructure. You can find instructions for the setup process on the Observability integrations page.

Once you set up the APM infrastructure, you can enable the APM agent and put Kibana under load to collect APM events. To analyze the collected metrics and logs, use the APM UI as demonstrated in the docs.

Plain Kibana logsedit

Prerequisites Kibana logs are configured to be in ECS JSON format to include tracing identifiers.

Open Kibana Logs and search for an operation you are interested in. For example, suppose you want to investigate the response times for queries to the /internal/telemetry/clusters/_stats Kibana endpoint. Open Kibana Logs and search for the HTTP server response for the endpoint. It looks similar to the following (some fields are omitted for brevity).

{
  "message":"POST /internal/telemetry/clusters/_stats 200 1014ms - 43.2KB",
  "log":{"level":"DEBUG","logger":"http.server.response"},
  "trace":{"id":"9b99131a6f66587971ef085ef97dfd07"},
  "transaction":{"id":"d0c5bbf14f5febca"}
}

You are interested in the trace.id field, which is a unique identifier of a trace. The trace.id provides a way to group multiple events, like transactions, which belong together. You can search for "trace":{"id":"9b99131a6f66587971ef085ef97dfd07"} to get all the logs that belong to the same trace. This enables you to see how many Elasticsearch requests were triggered during the 9b99131a6f66587971ef085ef97dfd07 trace, what they looked like, what Elasticsearch endpoints were hit, and so on.