This page describes how to access server logs for HashiCorp-managed clusters. After you access a HashiCorp-managed cluster, you can use the CLI to view the logs for individual clusters.
For information on accessing a server's audit logs to monitor API calls, refer to audit logs.
Accessing server logs requires the Consul CLI. If you do not have access to the CLI on your workstation, download and install Consul.
Accessing server logs also requires the server's address and an admin token for the HashiCorp-managed cluster. For instructions on accessing this information, refer to Access HashiCorp-managed clusters.
The process to view an individual server's logs consists of the following steps:
- Use the cluster DNS address to resolve the IP addresses for the individual Consul servers.
- For each server, run consul monitor in a separate terminal.
Use nslookup or a similar tool to resolve the DNS address to individual server IPs. The lookup succeeds for both private and public clusters, but the IPs for private clusters are not routable from your workstation unless you are within your corporate VPN or on a jump server.
Update the following command to include the HCP Consul DNS address.
$ nslookup consul-cluster-name.consul.alphanumeric-id.aws.hashicorp.cloud
Server: 192.168.1.254
Address: 192.168.1.254#53

Non-authoritative answer:
Name: consul-cluster-name.consul.alphanumeric-id.aws.hashicorp.cloud
Address: 172.25.22.78
Name: consul-cluster-name.consul.alphanumeric-id.aws.hashicorp.cloud
Address: 172.25.27.214
Name: consul-cluster-name.consul.alphanumeric-id.aws.hashicorp.cloud
Address: 172.25.17.212
Turn off SSL verification and run consul monitor on an individual server's IP address to output server logs to the terminal. You must disable SSL verification because the certificate for the servers is only valid for the domain name, not the individual IP address. In most cases you can use the domain name to interact with the server, but in this specific case you must make requests to each individual IP.
Update the following command to include your server address and a valid admin token:
$ CONSUL_HTTP_SSL_VERIFY=false consul monitor \
    -http-addr https://172.25.22.78 \
    -token <your-token-here>
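The two steps above combined into one script, as an added example that is not part of HashiCorp's documentation: it resolves the cluster DNS name, then starts one consul monitor per server in the background, writing each server's output to its own file instead of a separate terminal. It assumes nslookup and consul are on PATH and reads the admin token from the CONSUL_HTTP_TOKEN environment variable rather than the -token flag, which keeps the token out of the process list and shell history; the function names, the LOG_LEVEL variable and the output directory are illustrative.

```shell
#!/bin/sh
# Added example, not HashiCorp's script; CONSUL_HTTP_TOKEN must hold the admin token.

# The nslookup output shown on this page, used for an offline dry run.
sample_lookup() {
  cat <<'EOF'
Server: 192.168.1.254
Address: 192.168.1.254#53

Non-authoritative answer:
Name: consul-cluster-name.consul.alphanumeric-id.aws.hashicorp.cloud
Address: 172.25.22.78
Name: consul-cluster-name.consul.alphanumeric-id.aws.hashicorp.cloud
Address: 172.25.27.214
Name: consul-cluster-name.consul.alphanumeric-id.aws.hashicorp.cloud
Address: 172.25.17.212
EOF
}

# Print answer-section IPv4 addresses from nslookup output on stdin. The
# resolver's own line ends in "#53", fails the strict match and is skipped,
# as does anything that is not a dotted quad (safe to use in a file name).
server_ips() {
  awk '$1 == "Address:" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' |
    LC_ALL=C sort -u
}

# Dry run: print the command that would be started for each resolved server.
plan() {
  server_ips | while read -r ip; do
    printf 'CONSUL_HTTP_SSL_VERIFY=false consul monitor -http-addr https://%s -log-level %s\n' \
      "$ip" "${LOG_LEVEL:-info}"
  done
}

# Start one monitor per server ($1 = DNS name, $2 = log directory) and wait.
monitor_all() {
  : "${CONSUL_HTTP_TOKEN:?set CONSUL_HTTP_TOKEN to the admin token}"
  export CONSUL_HTTP_TOKEN
  umask 077 # server logs can be sensitive: keep the files owner-only
  mkdir -p "$2"
  for ip in $(nslookup "$1" | server_ips); do
    # Verification is disabled for this one command only, never exported.
    CONSUL_HTTP_SSL_VERIFY=false consul monitor -http-addr "https://$ip" \
      -log-level "${LOG_LEVEL:-info}" >"$2/$ip.log" 2>&1 &
  done
  wait
}

# With a DNS name, monitor the cluster; with no argument, dry-run the sample.
if [ -n "${1:-}" ]; then monitor_all "$1" "${2:-./consul-logs}"; else sample_lookup | plan; fi
```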
You can also add the -log-level flag to specify a log level. The default log level is info. Available log levels are
It may take a minute or two for the logs to appear in the terminal. A known issue causing this delay was fixed in the following Consul versions: