Changing logging level at runtime

Is it still possible (now that Quarkus is used) to change the logging level of certain categories/packages at runtime (without a restart)?

Earlier I used this:

/opt/jboss/keycloak/bin/jboss-cli.sh --connect '/subsystem=logging/logger=org.keycloak.saml:add(level=TRACE)'

Thanks!

I meanwhile figured it out: JMX can be used for this purpose (relying on the support from Quarkus).
It’s a bit complicated but it works. E.g. if you use Keycloak in a Docker container:

cd ./keycloak/utils # a folder mounted to Keycloak via docker mapped to /opt/keycloak/utils/ from the container
wget https://github.com/jiaqi/jmxterm/releases/download/v1.0.4/jmxterm-1.0.4-uber.jar
mv jmxterm*.jar jmxterm.jar

docker exec -it keycloak bash # from here on all commands are inside the container
cd /opt/keycloak/utils/
java --add-exports jdk.jconsole/sun.tools.jconsole=ALL-UNNAMED -jar jmxterm.jar
open 1
bean java.util.logging:type=Logging
run setLoggerLevel org.keycloak.saml TRACE
run getLoggerLevel org.keycloak.saml
run setLoggerLevel org.keycloak.services.resources DEBUG
run getLoggerLevel org.keycloak.services.resources

Keycloak will start logging with TRACE/DEBUG after this!

Other useful JMX commands to try:

jvms
open PID_GOES_HERE
domains
domain java.util.logging
beans
bean java.util.logging:type=Logging
info
get LoggerNames
run getLoggerLevel org.keycloak.saml
run setLoggerLevel org.keycloak.saml TRACE

More details: https://www.baeldung.com/jmx-mbean-shell-access

You can obviously do this via remote JMX as well (e.g. using JConsole), but for that you will need to change how you start up Keycloak by adding the following JVM args:

-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9111 -Dcom.sun.management.jmxremote.rmi.port=9111 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false

Make sure you don’t do this on environments exposed to the public internet, because you might accidentally expose JMX to the public internet (normally a firewall should keep this exotic port closed though)!

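A defender-side check for the remote JMX arguments in the answer above, as an added example that is not part of the original posts: it scans a JVM command line and reports the settings that leave the JMX port open to unauthenticated or unencrypted clients. The function names `jmx_prop` and `audit_jmx_args` and the variable `POST_ARGS` are hypothetical; the flags are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit JVM args for risky remote-JMX settings.
# Prints one finding per line; returns 0 when nothing risky is found, 1 otherwise.

# The argument string from the thread, kept here as sample input.
POST_ARGS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9111 \
-Dcom.sun.management.jmxremote.rmi.port=9111 -Djava.rmi.server.hostname=127.0.0.1 \
-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.local.only=false"

# jmx_prop ARGS NAME: print the value of -Dcom.sun.management.jmxremote.NAME (last one wins).
jmx_prop() {
    for arg in $1; do
        case "$arg" in
            "-Dcom.sun.management.jmxremote.$2="*) printf '%s\n' "${arg#*=}" ;;
        esac
    done | tail -n 1
}

audit_jmx_args() {
    args=$1
    findings=0
    port=$(jmx_prop "$args" port)
    if [ -n "$port" ]; then
        # A remote connector is enabled; authentication and TLS default to on,
        # so only an explicit "false" is reported.
        if [ "$(jmx_prop "$args" authenticate)" = "false" ]; then
            echo "RISK: JMX port $port accepts clients without authentication"
            findings=$((findings + 1))
        fi
        if [ "$(jmx_prop "$args" ssl)" = "false" ]; then
            echo "RISK: JMX port $port carries traffic without TLS"
            findings=$((findings + 1))
        fi
    fi
    if [ "$(jmx_prop "$args" local.only)" = "false" ]; then
        echo "RISK: local.only=false lifts the local-interface restriction"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK: no risky remote-JMX settings found"
    fi
    [ "$findings" -eq 0 ]
}
```

Inside the container, the arguments of the running process can be passed in with `audit_jmx_args "$(tr '\0' ' ' < /proc/PID_GOES_HERE/cmdline)"`.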