Logging
This page covers what makes a good log message in Kibana. For how to instantiate and call a logger from your plugin, see the logging service tutorial. For security-sensitive actions that need to be recorded separately, see audit logging.
- Do not log sensitive information (personally identifiable information, passwords, api keys, etc.), regardless of the log level. Err on the side of caution. Personally identifiable information is common in user input; for example, dashboard titles, index names and Elasticsearch
_searchqueries. - Logs should include just enough information to be actionable.
- Use the right log level. The logging service tutorial shows each level in use; as a rule of thumb:
trace/debugfor developer diagnostics,infofor noteworthy lifecycle events (sparingly — see the HTTP API observability guidance),warnfor recoverable anomalies,error/fatalfor failures that need attention. - Use ECS format for any additional LogMeta you add to your logging statements.
- Logs are read by customers, a large number of Elastic employees, and Kibana contributors. As such, log messages should use language that is understandable to a wide audience and should avoid disclosing implementation details (unless they're at the
debug/tracelevel).
Operators can configure meta filters on a logger so that records matching selected LogMeta fields are logged at a more verbose level than the logger's nominal level. That only works if call sites pass filterable structured meta.
Recommended conventions:
| Purpose | Where to put it | Example filter path |
|---|---|---|
| Stable entity IDs (rule, action, connector, space) | labels.* |
labels.ruleType, labels.actionId |
| Categorical event class | tags (string array) |
not used by meta filters |
| Message text | first argument / message function | not filterable by meta |
Do:
logger.error(error, {
labels: { actionId, actionTypeId, ruleId, spaceId },
tags: ['action-run-failed'],
});
Avoid burying IDs only in the message string or in tags if operators need to filter on them:
// Hard to filter with logging.loggers[].filters
logger.error(`Action '${actionId}' failed: ${error.message}`, {
tags: [actionTypeId, actionId, 'action-run-failed'],
});
See the logging service tutorial for a full operator-facing example.