Logging in Kong Gateway allows you to see information, warnings, and errors about requests that are proxied by Kong Gateway.
The information in this reference doc helps you understand and modify Kong Gateway logs. You can also use logging plugins to extend these capabilities by logging additional information or sending logs to another application.
By default, you can view Kong Gateway logs at /usr/local/kong/logs/error.log. If you are running Kong Gateway on Docker, you can also view them from your Docker container.
By default, logs are set to the recommended notice level. If logs are too chatty, you can increase the level to something like warn.
|
Level |
Description |
|---|---|
debug
|
Provides debug information about the plugin’s run loop and each individual plugin or other components. This should only be used during debugging. If this is enabled for extended periods of time, it can result in excess disk space consumption. |
info and notice
|
Provides information about normal behavior, most of which can be ignored. |
warn
|
Logs any abnormal behavior that doesn’t result in dropped transactions but requires further investigation. |
error
|
Used for logging errors that result in a request being dropped. For example, getting a 500 error. The rate of these logs must be monitored.
|
crit
|
Used when Kong Gateway is working under critical conditions, affecting several clients. crit is the highest severity log level.
|
You can change log levels dynamically, without restarting Kong Gateway, using the Admin API. Alternatively, you can configure log levels using the log_level parameter in the kong.conf file, but this requires you to restart Kong Gateway.
|
Use case |
How to configure |
|---|---|
| View current log level1 |
/debug/node/log-level/
|
| Modify the log level for an individual Kong Gateway node |
/debug/node/log-level/{log_level}
|
| Change the log level of the Kong Gateway cluster |
/debug/cluster/log-level/{log_level}
|
| Keep the log level of new nodes added to the cluster in sync with other nodes in the cluster |
Change the log_level entry in kong.conf to KONG_LOG_LEVEL, and start every new node with the KONG_LOG_LEVEL env variable set.
|
| Change the log level of all Control Plane Kong Gateway nodes |
/debug/cluster/control-planes-nodes/log-level/{log_level}
|
1: You can’t change the log level of the Data Plane or DB-less nodes.
The X-Kong-Request-Id header contains a unique identifier for each client request. You can use this header to match specific requests to their corresponding error logs.
If Kong Gateway returns an error by calling the PDK kong.response.error, the request ID will also be included in the response body generated by Kong Gateway. In addition, any generated Kong Gateway error log contains the same request ID with the format request_id: xxx. This can help with debugging because you can search for the header when the debug output is too long to fit in the response header.
This feature can be customized for upstreams and downstreams using the headers and headers_upstream configuration options in kong.conf:
| Parameter | Description |
|---|---|
headers
Default: server_tokens, latency_tokens, X-Kong-Request-Id
|
Comma-separated list of headers Kong should inject in client responses. Accepted values are:
In addition to these, this value can be set
to Example: |
headers_upstream
Default: X-Kong-Request-Id
|
Comma-separated list of headers Kong should inject in requests to upstream. At this time, the only accepted value is:
In addition, this value can be set
to |
You may need to customize what Kong Gateway logs. For instance, you may want to:
These changes can be made to Kong Gateway’s Nginx template and only affect the output of the Nginx access logs. This doesn’t have any effect on Kong Gateway’s logging plugins.
Let’s look at an example where you want to remove any instances of an email address from your Kong Gateway logs. The email addresses may come through in different formats, for example /servicename/v2/verify/alice@example.com or /v3/verify?alice@example.com. To keep all of these formats from being added to the logs, you need to use a custom Nginx template.
Make a copy of Kong Gateway’s Nginx template, then edit it to add or remove the data you need. The following template shows an example configuration for removing email addresses from logs:
# ---------------------
# custom_nginx.template
# ---------------------
worker_processes $; # can be set by kong.conf
daemon $; # can be set by kong.conf
pid pids/nginx.pid; # this setting is mandatory
error_log stderr $; # can be set by kong.conf
events {
use epoll; # custom setting
multi_accept on;
}
http {
map $request_uri $keeplog {
~.+\@.+\..+ 0;
~/v1/invitation/ 0;
~/reset/v1/customer/password/token 0;
~/v2/verify 0;
default 1;
}
log_format show_everything '$remote_addr - $remote_user [$time_local] '
'$request_uri $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
include 'nginx-kong.conf';
}
For this example, we’re using the following:
map $request_uri $keeplog: Maps a new variable called keeplog, which is dependent on values appearing in the $request_uri. Each line in the example starts with a ~ because this is what tells Nginx to use a regex when evaluating the line. This example looks for the following:
x@y.z format/servicename/v2/verify
The third line looks at any part of the URI that contains /v3/verify
Because all of these patterns have a value of something other than 0, if a request has any of those elements, it will not be added to the log.
log_format: Sets the log format for what Kong Gateway keeps in the logs. The contents of the log can be customized for your needs. For the purpose of this example, you can assign the new logs with the name show_everything and set everything to the Kong Gateway default standards. To see the full list of options, refer to the Nginx core module variables reference.Once you’ve adjusted the Nginx template for your environment, you need to tell Kong Gateway to use the newly created log, show_everything.
To do this, alter the Kong Gateway variable proxy_access_log by either editing etc/kong/kong.conf or using the environmental variable KONG_PROXY_ACCESS_LOG adjust the default location:
proxy_access_log=logs/access.log show_everything if=$keeplog
Restart Kong Gateway to apply changes with the kong restart command.
Now, any request made with an email address in it will no longer be logged.
Kong Gateway collects logs for the AI Gateway plugins. This allows you to aggregate AI usage analytics across various providers.
Each log entry includes the following details:
|
Property |
Description |
|---|---|
ai.$PLUGIN_NAME.payload.request
|
The request payload. |
ai.$PLUGIN_NAME.payload.response
|
The response payload. |
ai.$PLUGIN_NAME.usage.prompt_token
|
The number of tokens used for prompting. |
ai.$PLUGIN_NAME.usage.completion_token
|
The number of tokens used for completion. |
ai.$PLUGIN_NAME.usage.total_tokens
|
The total number of tokens used. |
ai.$PLUGIN_NAME.usage.cost
|
The total cost of the request (input and output cost). |
ai.$PLUGIN_NAME.usage.time_per_token
|
v3.8+ The average time to generate an output token, in milliseconds. |
ai.$PLUGIN_NAME.meta.request_model
|
The model used for the AI request. |
ai.$PLUGIN_NAME.meta.provider_name
|
The name of the AI service provider. |
ai.$PLUGIN_NAME.meta.response_model
|
The model used for the AI response. |
ai.$PLUGIN_NAME.meta.plugin_id
|
The unique identifier of the plugin. |
ai.$PLUGIN_NAME.meta.llm_latency
|
v3.8+ The time, in milliseconds, it took the LLM provider to generate the full response. |
ai.$PLUGIN_NAME.cache.cache_status
|
v3.8+ The cache status. This can be Hit, Miss, Bypass or Refresh.
|
ai.$PLUGIN_NAME.cache.fetch_latency
|
v3.8+ The time, in milliseconds, it took to return a cache response. |
ai.$PLUGIN_NAME.cache.embeddings_provider
|
v3.8+ For semantic caching, the provider used to generate the embeddings. |
ai.$PLUGIN_NAME.cache.embeddings_model
|
v3.8+ For semantic caching, the model used to generate the embeddings. |
ai.$PLUGIN_NAME.cache.embeddings_latency
|
v3.8+ For semantic caching, the time taken to generate the embeddings. |