To customize the logging format and behavior for ES 2.3.3, update its configuration file: /etc/elasticsearch/logging.yml
In its default location, the log directory has the needed ownership. To move the log directory, choose a separate, dedicated partition of ample size and make the elasticsearch user the owner of that directory:

    chown -R elasticsearch:elasticsearch <path_to_log_directory>

Best practice - For better archiving and compression than the built-in log4j, turn off the rotation of log4j and use logrotate.
Edit logging.yml to limit the amount of space consumed by Elasticsearch log files in the event of an extremely high rate of error logging.
Locate the file: section and make these changes:

Before

    file:
      type: dailyRollingFile
      file: ${path.logs}/${cluster.name}.log
      datePattern: "'.'yyyy-MM-dd"
      ...

After

    file:
      type: rollingFile  # change from dailyRollingFile
      maxBackupIndex: 0
      maxFileSize: 1000000000  # 1 GB
      file: ${path.logs}/${cluster.name}.log
      # datePattern: "'.'yyyy-MM-dd"  # remove
      ...

Repeat for the deprecation and slowlog log files, as appropriate:

    deprecation_log_file:
      type: rollingFile
      file: ${path.logs}/${cluster.name}_deprecation.log
      layout:
        type: pattern
        conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
      maxBackupIndex: 0
      maxFileSize: 1000000000  # (1GB)

    index_search_slow_log_file:
      type: rollingFile
      file: ${path.logs}/${cluster.name}_index_search_slowlog.log
      layout:
        type: pattern
        conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
      maxBackupIndex: 0
      maxFileSize: 1000000000  # (1GB)

    index_indexing_slow_log_file:
      type: rollingFile
      file: ${path.logs}/${cluster.name}_index_indexing_slowlog.log
      layout:
        type: pattern
        conversionPattern: "[%d{ISO8601}][%-5p][%-25c] %m%n"
      maxBackupIndex: 0
      maxFileSize: 1000000000  # (1GB)
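
A check for the change described above, as an added example (not part of the original page or of Elasticsearch): it reads the appender blocks of a logging.yml, flags any file appender that is not a size-capped rollingFile, and otherwise reports the worst-case disk use as maxFileSize x (maxBackupIndex + 1) summed over the appenders. The function names and the sample text are constructed here, and sizes are assumed to be plain byte counts as on this page.

```python
import re
# Constructed sample: "file" converted as in the After block, the slowlog still on the default.
SAMPLE = """\
appender:
  console:
    type: console
  file:
    type: rollingFile  # change from dailyRollingFile
    maxBackupIndex: 0
    maxFileSize: 1000000000
    file: ${path.logs}/${cluster.name}.log
    layout:
      type: pattern
  index_search_slow_log_file:
    type: dailyRollingFile
    file: ${path.logs}/${cluster.name}_index_search_slowlog.log
"""

def parse_appenders(text):
    """Read the direct keys of each block under 'appender:' (not a general YAML parser)."""
    out, name, name_ind, field_ind, active = {}, None, None, None, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()  # strip comments
        if not line.strip():
            continue
        ind = len(line) - len(line.lstrip())
        key, _, val = line.strip().partition(":")
        if ind == 0:  # top-level key: only 'appender' is of interest
            active, name_ind = key == "appender", None
        elif active and (name_ind is None or ind == name_ind):
            name, name_ind, field_ind = key, ind, None
            out[name] = {}
        elif active:
            field_ind = ind if field_ind is None else field_ind
            if ind == field_ind:  # skip nested keys such as layout.type
                out[name][key] = val.strip()
    return out

def audit(text):
    """Return (findings, worst_case_bytes); bytes is None while any finding remains."""
    findings, total = [], 0
    # Appenders without a 'file' key (e.g. console) write nothing to disk.
    files = {n: c for n, c in parse_appenders(text).items() if "file" in c}
    for name, cfg in files.items():
        if cfg.get("type") != "rollingFile":
            findings.append(f"{name}: type {cfg.get('type')} is not size-bounded")
        elif not cfg.keys() >= {"maxFileSize", "maxBackupIndex"}:
            findings.append(f"{name}: maxFileSize/maxBackupIndex missing")
        else:  # current file plus retained backups
            total += int(cfg["maxFileSize"]) * (int(cfg["maxBackupIndex"]) + 1)
    return findings, (None if findings else total)
```

Run audit() on the contents of /etc/elasticsearch/logging.yml after editing; an empty findings list together with a byte total that fits the log partition means every file appender is capped.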