This post is older than a year. Consider some information might not be accurate anymore.
Used: Elasticsearch v5.6.7
Elasticsearch offers the capability to alter the log level at runtime for troubleshooting. I had some problems with TLS and this was really helpful, and the good thing: no cluster downtime! Elasticsearch uses Apache Log4j 2.
Root Logger
Set the log level for the root logger. Fair warning: trace will explode your logfiles.
PUT /_cluster/settings
{"transient":{"logger._root":"debug"}}
Set the log level for a specific logger. Always prefix class names with "logger." (note the trailing dot).
Set the log level for the Apache HTTP client.
PUT /_cluster/settings
{"transient": {"logger.org.apache.http":"info"}}
Set the log level for the commercial monitoring extension of Elastic.
PUT /_cluster/settings
{"transient": {"logger.xpack.monitoring":"debug"}}
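An added example, not from the original post: a Python helper that raises one logger's level only for the duration of a troubleshooting session and sets it back afterwards, even if the session fails, so verbose logging is not left switched on. The node URL, the helper names and the restore level of info are assumptions.

```python
import json
from contextlib import contextmanager
from urllib.request import Request, urlopen

ES_URL = "http://localhost:9200"  # assumption: local, unauthenticated node


def logger_body(logger, level):
    """Build the transient cluster-settings body for one logger."""
    key = logger if logger.startswith("logger.") else "logger." + logger
    return {"transient": {key: level}}


def put_cluster_settings(body, base_url=ES_URL):
    """Send PUT /_cluster/settings and return the decoded JSON response."""
    req = Request(
        base_url + "/_cluster/settings",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


@contextmanager
def temporary_log_level(logger, level, restore="info", send=put_cluster_settings):
    """Raise a logger's level, then put it back even if the block fails.

    restore="info" is an assumption; use whatever level the logger had before.
    """
    body = logger_body(logger, level)
    if "logger._root" in body["transient"] and level.lower() == "trace":
        raise ValueError("trace on the root logger will flood the logfiles")
    send(body)
    try:
        yield
    finally:
        send(logger_body(logger, restore))


if __name__ == "__main__":
    # Offline demo: print the request bodies instead of sending them.
    with temporary_log_level("org.apache.http", "debug", send=print):
        print("... reproduce the TLS problem here ...")
```

Passing send=print shows the two request bodies without contacting a cluster; leave send at its default to issue the real PUT requests.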
Logging per Index
A really cool feature is logging per index. For the index magic_index, trace information for queries that take more than 100 milliseconds on that index is written to the <cluster>_index_search_slowlog.log file.
PUT /magic_index/_settings
{
  "index": {
    "search.slowlog.level": "trace",
    "search.slowlog.threshold.query.trace": "100ms"
  }
}
Resources
Some sources for a more detailed explanation: