Clarification on "Collect Agent Logs" setting for Elastic Agent Policies

nemhods · October 18, 2021, 7:40pm

Hey, I'm wondering how the "Collect Agent Logs" setting works for Elastic Agent. In the past I made the experience that when selecting both "Collect Agent Logs" and "Collect Agent Metrics", it would cause massive amounts of data to be sent back to the cluster (I was seeing 30GB+ per month with about 15 agents). I want to give it another try, but this time understand how it actually works.

When I enable log collection, what log level will the Elastic Agent run under? Debug? Info?
What log level will be shipped back to Kibana by default? Info?
If I set the "Agent log level" in Kibana, what will this change? Is there an API-driven way to do this?
And finally, Is there a way to change the default log levels if one only ever wants warning and higher to be sent back to kibana?

Touching every agent and changing the setting is truly not an option - agents may be volatile (re-deployed often or automatically) or too large in number (500+ agents).

Thanks!

blaker · October 19, 2021, 2:40pm

When I enable log collection, what log level will the Elastic Agent run under? Debug? Info?

It will log at the level set in the "Agent logging level".

What log level will be shipped back to Kibana by default? Info?

Info should be default, but again its what ever is set in the "Agent logging level".

If I set the "Agent log level" in Kibana, what will this change? Is there an API-driven way to do this?

This changes the logging level that is shipped back to Kibana from the Elastic Agent on the hosts. As for an API-driven way, there is one but I do not know if its exposed for usage outside of that view.

And finally, Is there a way to change the default log levels if one only ever wants warning and higher to be sent back to kibana?

Should be able to set the setting of "Agent logging level" to warn and you will only get warn and high messages.

nemhods · October 19, 2021, 3:29pm

Hey,

thank you very much, this makes the process more understandable to me.

For the last bit, where you mention how to set the default logging level: that's set on an individual agent right now, correct? I was hoping to set it for all agents in the policy settings, such as this:

I feel like this could be a nice feature request on github. Just wanted to know if that feature was already there but I'm searching in the wrong spot.

blaker · October 19, 2021, 4:31pm

@nchaulet ^ is there a way to change this globally or per policy? If not I agree, away to do that would be nice.

nchaulet · October 20, 2021, 3:20pm

Unfortunately there is no way to set this globally only per agent, it would probably be a nice addition.

system · November 17, 2021, 5:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.