Analytic Query logging

[smalyshev]

This patch creates framework for generic action logging, serving search, SQL, EQL, ESQL, etc. Enabling logging:

elasticsearch.actionlog.search.enabled=true

Will produce search logs in JSON format like this:

{
	"@timestamp": "2026-02-06T20:22:41.345Z",
	"log.level": "INFO",
	"auth.type": "REALM",
	"elasticsearch.activitylog.hits": 3,
	"elasticsearch.activitylog.indices": "my-index",
	"elasticsearch.activitylog.query": "{\"size\":1,\"fields\":[{\"field\":\"id\"},{\"field\":\"title\"},{\"field\":\"_tier\"}]}",
	"elasticsearch.activitylog.took": 1000000,
	"elasticsearch.activitylog.took_millis": 1,
	"elasticsearch.activitylog.type": "search",
	"event.duration": 1000000,
	"event.outcome": "success",
	"user.name": "elastic",
	"user.realm": "reserved",
	"ecs.version": "1.2.0",
	"service.name": "ES_ECS",
	"event.dataset": "elasticsearch.search_log",
	"process.thread.name": "elasticsearch[node-1][search][T#8]",
	"log.logger": "search.activitylog",
	"elasticsearch.cluster.uuid": "gjYgb-uQQAuLmDoKlQInZw",
	"elasticsearch.node.id": "juurGSfgRYGwTP2ttZbtOQ",
	"elasticsearch.node.name": "node-1",
	"elasticsearch.cluster.name": "querying"
}

[elasticsearchmachine]

Hi @smalyshev, I've created a changelog YAML for you.

[consulthys]

Thanks for the updates.
Added some comments

[consulthys]

Since ES_FIELDS_PREFIX is elasticsearch.activitylog. I feel these search-specific fields should go into another sub-section dedicated to search if in the future we were to add more non-search-related activities. Makes sense?
Thoughts @jimczi ?

[smalyshev]

Not sure if having query in separate places for different modules is beneficial, but it's possible to do, please tell which one is preferred.

[consulthys]

My point is that the elasticsearch.activitylog. is not about search/query activities specifically. If the activity logs get extended at some point to also include other non-search activities, all the search-specified fields (i.e. took, took_ms, query, indices, etc) should be in their own sub-section (e.g. elasticsearch.activitylog.search.took, etc)

[smalyshev]

OK I see what you mean here, but I am not sure how to better configure this space. "search" name would be confusing, as there's separate module "search". So the question is - do we want to have separate section for each module (despite a lot of info being common between them) or we have a section for all "searching/reading/querying" modules and potentially another section for "indexing"?

I think we need to discuss it more in detail, but I don't want to hold this patch for this - I think after we figure it out we'd do a followup if necessary?

[consulthys]

Same comment as for EQL above and having another sub-section dedicated to search

[consulthys]

Same comment as for EQL above and having another sub-section dedicated to search

[mark-vieira]

Should we rename ActionLoggingFieldProvider to ActivityLoggingFieldProvider for consistency?

[smalyshev]

Not necessarily, they are not strongly linked - any logger can use ActionLoggingFieldProvider (and slowlogs, while they exist, do still use it).

[mark-vieira]

Is there a plan to make slow logs an ActivityLogProducer or is it going to remain it's own thing? It'd be nice to just consolidate all these things as "activity logs" and not have slow logs be a one-off.

[smalyshev]

That depends on what you mean by "plan". We agree that eventually we'd want all those to merge into the new system, but it's not a high priority right now, though eventually that's where we want to end up. Probably starting with ESQL log, then search slow log, than indexing slow log (indexing is the last because current system doesn't support indexing yet). But we do not have a definite plan of when and who will be doing it. Here's issue for ESQL: #142425 for the rest I don't think it's tracked yet (@naj-h may know more).

[smalyshev]

I think we could discuss eventually renaming ActionLoggingFieldsProvider if slow logs go away (which may happen in the future) but it's probably not the time yet for this patch.

[mark-vieira]

We agree that eventually we'd want all those to merge into the new system, but it's not a high priority right now, though eventually that's where we want to end up.

Yeah, that's good enough for me. Just wanted to make sure we're aligned that we do want to consolidate these.