How to enable access logging for JBoss EAP 7/8?

Solution Verified - Updated 18 Mar 2025

Environment

Red Hat JBoss Enterprise Application Platform (EAP)
- 7
- 8

Issue

How to enable the access log in JBoss EAP7?
How to enable friendly access log times in JBoss EAP7?
How can I configure the access-log pattern in EAP7?
Need to find the equivalent for org.apache.catalina.valves.AccessLogValve for Undertow in EAP 7
How to enable the access log in JBoss EAP8?
How can I configure the access-log pattern in EAP8?

Resolution

This solution is part of the [Master] Configuring Access Logs in Red Hat Middleware Products..

Configure inside the Undertow subsystem setting:

Add the following <access-log> setting inside host name="default-host" under the Undertow subsystem in your configuration file (e.g. in standalone.xml/standalone-full.xml/standalone-ha.xml/standalone-full-ha.xml, or the appropriate profile in domain.xml):

  <subsystem xmlns="urn:jboss:domain:undertow:3.1" statistics-enabled="true">
      ...
      <server name="default-server">
          <http-listener name="default" socket-binding="http" redirect-socket="https" record-request-start-time="true"/>
          <host name="default-host" alias="localhost">
              <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; Cookie: &quot;%{i,COOKIE}&quot; Set-Cookie: &quot;%{o,SET-COOKIE}&quot; SessionID: %S Thread: &quot;%I&quot; TimeTaken: %T"/>
          </host>
      </server>
      ...
  </subsystem>

Also note that you need to set the record-request-start-time attribute to true for the listener(http-listener, ajp-listener and https-listener which you are using) to log response time (%D in milliseconds or %T in seconds) in access logging. See Access log pattern %D and %T (response time) prints "-" in Undertow in JBoss EAP 7 for details.

To add these using the CLI the following commands could be used. If you are using domain mode instead of standalone mode, you need to add the prefix /profile=<your-profile-name> to the each command:

  /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=record-request-start-time,value=true)
  /subsystem=undertow/server=default-server/host=default-host/setting=access-log:add(pattern="%h %l %u %t \"%r\" %s %b \"%{i,Referer}\" \"%{i,User-Agent}\" Cookie: \"%{i,COOKIE}\" Set-Cookie: \"%{o,SET-COOKIE}\" SessionID: %S Thread: \"%I\" TimeTaken: %T")

The access log file will be output as access_log.log under the JBoss log directory by default (under jboss.server.log.dir which is $JBOSS_HOME/standalone/log/ directory by default for standalone mode).
You can specify a custom output directory through the directory parameter. Also, you can customize the file name with prefix parameter (access_log. by default) and suffix parameter (log by default). Note that if customizing the file name (via prefix and suffix parameters), any . separating the prefix and suffix should be included at the end of the prefix only (for example, specify prefix="custom_access." suffix="log" to output the file name custom_access.log).
With the following example configuration, the access log file will be output as custom_access.log under /path/to/desired/directory directory:
```
  <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; Cookie: &quot;%{i,COOKIE}&quot; Set-Cookie: &quot;%{o,SET-COOKIE}&quot; SessionID: %S Thread: &quot;%I&quot; TimeTaken: %T"  directory="/path/to/desired/directory" prefix="custom_access." suffix="log" />
```
You may also use the relative-to parameter to make that custom directory relative to another. With the following example configuration, the access log file will be output as custom_access.log under $JBOSS_HOME/standalone/log/path/to/desired/directory directory:
```
  <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{i,Referer}&quot; &quot;%{i,User-Agent}&quot; Cookie: &quot;%{i,COOKIE}&quot; Set-Cookie: &quot;%{o,SET-COOKIE}&quot; SessionID: %S Thread: &quot;%I&quot; TimeTaken: %T"  directory="/path/to/desired/directory" prefix="custom_access." suffix="log" relative-to="jboss.server.log.dir"/>
```
Note that the log file will not be created until after the first time a request completely processes on the server
If you want to dynamically enable/disable access-log then set record-request-start-time attribute to true and take the restart (during a maintenance window) and then you can enable access-log as described earlier or disable it by removing the same dynamically.
```
  /subsystem=undertow/server=default-server/host=default-host/setting=access-log:remove
```
For more details refer to Content from wildscribe.github.io is not included.access log configuration and Content from undertow.io is not included.access log pattern format. The above pattern is "combined" one followed by Cookie header in request and Set-cookie header in response, session-id (%S), thread name (%I), time taken in seconds (%T) (in seconds but it shows milliseconds after the decimal point like 12.345).
By default, the access logs are rotated daily. Note that log rotation occurs at the first log entry written after the date changes (= no log rotation happen if no log entry is written after the date changes).
For rotating different periods (= other than daily) or rotating by size, follow the instructions in Rotating Access Logs in JBoss EAP 7.x

An example logging output with the above example configuration will be like the following:

  127.0.0.1 - - [12/Mar/2020:16:46:40 +0900] "GET /example/ HTTP/1.1" 200 1181 "-" "curl/7.29.0" Cookie: "-" Set-Cookie: "JSESSIONID=ZIA-vcbvaIjC5Gf-bG8wvEv7CzBd-0GI7X3NCFAE.node1; path=/example" SessionID: ZIA-vcbvaIjC5Gf-bG8wvEv7CzBd-0GI7X3NCFAE Thread: "default task-3" TimeTaken: 0.011

  127.0.0.1 - - [12/Mar/2020:16:46:41 +0900] "GET /example/ HTTP/1.1" 200 1349 "-" "curl/7.29.0" Cookie: "JSESSIONID=ZIA-vcbvaIjC5Gf-bG8wvEv7CzBd-0GI7X3NCFAE.node1" Set-Cookie: "-" SessionID: ZIA-vcbvaIjC5Gf-bG8wvEv7CzBd-0GI7X3NCFAE Thread: "default task-3" TimeTaken: 0.006

For Openshift Images:

By default, access logging for Undertow is disabled in the JBoss EAP for Openshift images.

Add the ENABLE_ACCESS_LOG environment variable to the deployment config for an application pod. Set ENABLE_ACCESS_LOG=true to enable access logging. Remove the environment variable to disable access logging. The access log with %h %l %u %t %{i,X-Forwarded-Host} "%r" %s %b pattern will be logged to the console where it can be viewed with oc logs <pod-name>:
```
  06:38:15,067 INFO  [io.undertow.accesslog] (default task-1) xxx.xxx.xxx.xxx- - [19/Mar/2021:06:38:15 +0000] - "GET /test/test HTTP/1.1" 200 6
```

If you want to apply a custom pattern such as %D and %T, it can be configured by mounting a custom script in ConfigMap instead of ENABLE_ACCESS_LOG. The custom script is available in jboss-eap-7/eap72-openshift:1.2 or later.

  $ cat extensions/postconfigure.sh 
  #!/bin/sh
  echo "Executing postconfigure.sh"
  $JBOSS_HOME/bin/jboss-cli.sh --file=$JBOSS_HOME/extensions/extensions.cli

  $ cat extensions/extensions.cli 
  embed-server --std-out=echo --server-config=standalone-openshift.xml
  batch
  /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=record-request-start-time,value=true)
  /subsystem=undertow/server=default-server/host=default-host/setting=access-log:add(pattern="%h %l %u %t \"%r\" %s %b \"%{i,Referer}\" \"%{i,User-Agent}\" Cookie: \"%{i,COOKIE}\" Set-Cookie: \"%{o,SET-COOKIE}\" SessionID: %S Thread: \"%I\" TimeTaken: %T", use-server-log=true)
  run-batch
  quit

  $ oc create configmap jboss-cli --from-file=postconfigure.sh=extensions/postconfigure.sh --from-file=extensions.cli=extensions/extensions.cli
  $ oc set volume dc/<dc-name> --add --name=jboss-cli -m /opt/eap/extensions -t configmap --configmap-name=jboss-cli --default-mode='0755'

The access log with custom pattern will be loged to the console by applying the custom script:

  06:21:33,028 INFO  [io.undertow.accesslog] (default task-1) xxx.xxx.xxx.xxx - - [19/Mar/2021:06:21:33 +0000] "GET /test/test HTTP/1.1" 200 6 "-" "curl/7.29.0" Cookie: "-" Set-Cookie: "-" SessionID: - Thread: "default task-1" TimeTaken: 0.002

How to customize date format pattern for access logging in JBoss EAP 8 / 7

Diagnostic Steps

For standalone mode Check $JBOSS_HOME/standalone/log/access_log.log file for access log details.

SBR

Webservers

Product(s)

Red Hat JBoss Enterprise Application Platform

Components

jbossas

Category

Configure

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.