Logging

The KES server produces two different kinds of logs.

• Error logs
• Audit logs

The KES server writes an error log event whenever it encounters an unexpected error. For example, when it detects corrupted backend data.

2022/02/18 17:19:47 http: failed to reload certificate "/etc/kes/public.crt": permission denied

The only exception is unexpected errors at the the metrics API endpoint. Otherwise, querying the KES server metrics would change the metrics.

The KES server also produces an audit log stream. The audit log contains one log entry for each server API operation.

{"time":"2020-03-24T12:37:33Z","request":{"path":"/v1/key/create/my-key","identity":"dd46485bedc9ad2909d2e8f9017216eec4413bc5c64b236d992f7ec19c843c5f"},"response":{"code":200, "time":12106}}

The KES server can write error log events to STDERR and audit log events to STDOUT.

By default, the KES server writes error events to STDERR but does not write audit events to STDOUT. This behavior can be changed in the KES server configuration file.

The KES CLI can subscribe to the server log API and pretty-print the log events:

KES exposes error and audit logs as part of its API. KES clients can connect to the error or audit log stream and obtain new log events remotely via the kes log command.

• Server API Doc
• Go SDK Doc