JVM debug logs are not redirerected to the elasticsearch log

[jkakavas]

JVM debug logs ( such as the logs produced by setting -Dsun.security.krb5.debug=true or
-Dsun.security.spnego.debug=true ) are only printed in stdout and are not redirected to the elasticsearch log.

These are crucial for Kerberos troubleshooting as these are the only actionable information we can get from Java GSS. In general though, it might also make sense for other JVM related logs to be redirected to elasticsearch.log and we could add a proxy in code to make writing to stdout go to the log.

At a bare minimum, we should update https://www.elastic.co/guide/en/elasticsearch/reference/7.5/trb-security-kerberos.html to point out that after enabling the debug logs, these logs can be found in stdout when running elasticsearch with the bin/elasticsearch script , in the systemd journal for elasticsearch.service when running with systemd and in docker logs when running elasticsearch in docker container.

[elasticmachine]

Pinging @elastic/es-security (:Security/Authentication)

[elasticmachine]

Pinging @elastic/es-core-infra (:Core/Infra/Logging)

[elasticmachine]

Pinging @elastic/es-docs (>docs)

[albertzaharovits]

Good catch 👍
Given the general direction of formatting the logs to be machine readable, as JSON documents, I would lean towards documenting it to avoid of spoiling it for the parsers.