Configuring the Elasticsearch Log Appender (2022.1.0 and later)

Learn how to configure Elasticsearch logging using Log4j.

Note: Log4j 2.x requires Elasticsearch version 7.16.2.

Valid in Version: 2020.2.17 and later, 2022.1.0 and later

Overview
Elasticsearch Appender features
Elasticsearch Appender general configuration
Index naming and templates
JSON Template Layout
Default JSON Template
Deploying the Elasticsearch appender

Overview

Elasticsearch can be used as a repository for log data in the Akana product. In versions prior to 2020.2.16, the Akana SaaS platform used an in-house Elasticsearch Appender for Log4j 1.x. With the transition to Log4j 2.x, this legacy appender no longer works. Instead, the Akana product uses an off-the-shelf implementation that is hosted in a public GitHub repository: https://github.com/rfoltyns/log4j2-elasticsearch. The new implementation is more powerful, but also more complex to configure. The Akana platform provides defaults which should be sufficient in most cases; you can also customize the configuration from the templates provided.

The Layouts available in the core Log4j release do not work with the Elasticsearch Appender; only a simple JSON layout is supported. To compensate for this limitation, there is a new Akana Layout for Log4j 2.x, which encapsulates the off-the-shelf JSON Template Layout and makes it compatible with the Elasticsearch Appender.

Elasticsearch Appender features

The Elasticsearch Appender provides many features, including the following:

Asynchronous log delivery
Batch size and flush interval configuration
Failover (redirect failed batch to alternative target)
Index rollover (hourly, daily, and so on)
Index template configuration
Basic Authentication (XPack Security and Shield support)
HTTPS support (XPack Security and Shield support)
Failover with persistence and retry
Log overflow prevention with backoff policies
Optimized HTTP client

Elasticsearch Appender general configuration

Because it is feature-rich, the Appender provides many tuning parameters. The product ships with sensible defaults, but there are some important configuration parameters that might change on a per-installation basis.

Parameter	Type	Description
serverUris (ES_LOG_SERVER_URLS)	Comma-separated String	A set of Elasticsearch server URLs. Defaults to HTTP://localhost:9200.
connTimeout (ES_LOG_SERVER_CONNECT_TIMEOUT)	Integer	The server connection timeout in milliseconds. Default: 500
readTimeout (ES_LOG_SERVER_READ_TIMEOUT)	Integer	The read timeout in milliseconds. Default: 20000
maxTotalConnections (ES_LOG_SERVER_MAX_CONNECTIONS)	Integer	The maximum number of concurrent connections that will be opened to the server. Default: 8
auth.credentials.username (ES_LOG_SERVER_USERNAME)	String	The username for connecting to Elasticsearch.
auth.credentials.password (ES_LOG_SERVER_PASSWORD)	String	The password for connecting to Elasticsearch.

You can modify the default values in either of two ways:

At deployment time or runtime, using automation recipes. For information about the new recipe that deploys the necessary bundles and redirects logging to Elasticsearch, see Deploying the Elasticsearch appender below.
For general information on using automation recipes, see Automation Reference Guide.
In the Admin Console: In Configuration Properties, find the com.soa.log configuration categories. These Elasticsearch logging parameters all have this prefix: appender.elastic.batchDelivery.objectFactory.

Index naming and templates

There are two configuration parameters that allow fine-grained control of index names.

Parameter	Type	Description
indexName (ES_LOG_INDEX_NAME)	String	The base name for the index. The eventual index name will be a concatenation of the index name and pattern.
pattern (ES_LOG_INDEX_NAME_PATTERN)	String	A pattern to apply to the index name. This uses the Java Date formatting pattern strings. The pattern controls when the index names roll over. For example: If the pattern is yyyy-MM-dd, the index name rolls over every day. If the pattern is yyyy-MM-dd-HH, the index rolls over every hour.

Parameter

Type

Description

indexName (ES_LOG_INDEX_NAME)

String

The base name for the index. The eventual index name will be a concatenation of the index name and pattern.

pattern (ES_LOG_INDEX_NAME_PATTERN)

String

A pattern to apply to the index name. This uses the Java Date formatting pattern strings. The pattern controls when the index names roll over. For example:

If the pattern is yyyy-MM-dd, the index name rolls over every day.
If the pattern is yyyy-MM-dd-HH, the index rolls over every hour.

You can modify the default values in either of two ways:

At deployment time or runtime, using an automation recipe. For information about the recipe, see Deploying the Elasticsearch appender below.
For general information on using automation recipes, see Automation Reference Guide.
In the Admin Console: In Configuration Properties, find the com.soa.log configuration categories. These Elasticsearch logging parameters all have this prefix: appender.elastic.indexNameFormatter.

Index templates are specified using the indexTemplate.sourceString property. The source is an Elasticsearch mapping document. For more information, see https://www.elastic.co/guide/en/elasticsearch/reference/current/explicit-mapping.html.

JSON Template Layout

The Log4j JSON Template Layout (see https://logging.apache.org/log4j/2.x/manual/json-template-layout.html) is a highly customizable layout generator. The product embeds this layout generator in a new bundle that adapts it to the Elasticsearch Appender. Most configuration options remain the same between the Log4j template layout and the Akana template layout, with some simplifications. The new Layout name is AkanaTemplateLayout rather than JsonTemplateLayout.

The table below describes the configuration properties available in the new Layout.

Parameter	Type	Description
charset	Charset	Charset used for String encoding (defaults to UTF-8)
stackTraceEnabled	boolean	Toggles access to the stack traces (defaults to true)
eventTemplate	String	Inline JSON template for rendering LogEvents (has priority over eventTemplateUri)
eventTemplateUri	String	URI pointing to the JSON template for rendering LogEvents
eventTemplateAdditionalField	EventTemplateAdditionalField[]	Additional key-value pairs appended to the root of the event template
stackTraceElementTemplate	String	Inline JSON template for rendering StackTraceElements (has priority over stackTraceElementTemplateUri)
stackTraceElementTemplateUri	String	URI pointing to the JSON template for rendering StackTraceElements
maxStringLength	int	Truncate string values longer than the specified limit (defaults to 16384)

Default JSON Template

The template layout uses JSON documents to describe the format of log entries (events) and stack trace entries. Examples of different formats are available from the Log4j repository: see https://github.com/apache/logging-log4j2/tree/release-2.x/log4j-layout-template-json/src/main/resources. By default, the product uses a template that generates log entries that are compatible with ECS (Elasticsearch Common Schema). The default template for log entries is reproduced below.

{
  "@timestamp":{
    "$resolver":"timestamp",
    "pattern":{
      "format":"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'",
      "timeZone":"UTC"
    }
  },
  "ecs.version":"1.2.0",
  "log.level":{
    "$resolver":"level",
    "field":"name"
  },
  "message":{
    "$resolver":"message",
    "stringified":true
  },
  "process.thread.name":{
    "$resolver":"thread",
    "field":"name"
  },
  "log.logger":{
    "$resolver":"logger",
    "field":"name"
  },
  "error.type":{
    "$resolver":"exception",
    "field":"className"
  },
  "error.message":{
    "$resolver":"exception",
    "field":"message"
  },
  "error.stack_trace":{
    "$resolver":"exception",
    "field":"stackTrace",
    "stackTrace":{
      "stringified":true
    }
  }
}

Deploying the Elasticsearch appender

The Elasticsearch appender can be installed and configured using deployment automation recipes or using the Admin Console. To use automation, there is a single recipe, elasticsearch-logger.json, that deploys the necessary bundles and redirects logging to Elasticsearch. The elasticsearch-logger.json recipe can accept the properties listed below.

Parameter	Description	Default Value
ES_LOG_SERVER_URLS	Comma-separated list of Elasticsearch server URLs	http://localhost:9200
ES_LOG_APPENDERS	The root appenders to use. By default, deployment of the Elasticsearch Appender directs all logging to Elasticsearch. If file logging is also required, you can use the default logger as well as Elasticsearch. To do this, use the following value to specify that both the rolling file appender and the Elasticsearch appender should be used: elastic, rolling. Note: Writing to multiple loggers introduces additional overhead.	elastic
ES_LOG_BATCH_INTERVAL	The interval, in milliseconds, when batches will be written unless the batch size is reached first.	3000
ES_LOG_BATCH_SIZE	The batch size that will force a write, unless the interval is reached first.	2048
ES_LOG_EVENT_TEMPLATE	The layout template for log events.	$INSTALL_DIR/recipes/elasticsearch-ecs-layout-template.json
ES_LOG_INDEX_NAME	The base index name.	akana
ES_LOG_INDEX_NAME_PATTERN	The index name pattern.	yyyy-MM-dd
ES_LOG_INDEX_TEMPLATE	The Elasticsearch mapping document for the index.	$INSTALL_DIR/recipes/elasticsearch-index-template.json
ES_LOG_SERVER_CONNECT_TIMEOUT	The server connect timeout in milliseconds.	500
ES_LOG_SERVER_MAPPING_TYPE	The document type in Elasticsearch.	_doc
ES_LOG_SERVER_MAX_CONNECTIONS	The maximum number of connections to establish to the server.	8
ES_LOG_SERVER_USERNAME	The server username.
ES_LOG_SERVER_PASSWORD	The server password.
ES_LOG_SERVER_READ_TIMEOUT	The client read timeout in milliseconds.	20000
ES_LOG_STACK_TEMPLATE	The layout template for stack elements.	$INSTALL_DIR/recipes/elasticsearch-ecs-stack-template.json