Skip to content

ELK-based Analytics Installation Guide

This guide shows you how to configure ELK-based Analytics for WSO2 Identity Server. ELK-based Analytics solution supports ELK version 8.X.X.

Enable Analytics in WSO2 Identity Server

Follow the steps below to enable ELK-based analytics in WSO2 Identity Server.

  1. Download and install WSO2 Identity Server.


    For detailed information, see Install WSO2 Identity Server.

  2. Open the deployment.toml file found in the {IS_HOME}/repository/conf/ directory and add the following configuration.

  3. Restart WSO2 Identity Server.

Enable Logs in WSO2 Identity Server

  1. Open the file found in the <IS_HOME>/repository/conf directory and add the following configurations.

    • Add ANALYTICS_EVENT_LOGFILE to the list of all appenders as follows:
      appenders = {other appenders} , ANALYTICS_EVENT_LOGFILE

    • Add the following appender configurations:

      appender.ANALYTICS_EVENT_LOGFILE.fileName =${sys:carbon.home}/repository/logs/analytics_events.log
      appender.ANALYTICS_EVENT_LOGFILE.filePattern = ${sys:carbon.home}/repository/logs/analytics_events-%d{MM-dd-yyyy}.%i.log
      appender.ANALYTICS_EVENT_LOGFILE.layout.type = PatternLayout
      appender.ANALYTICS_EVENT_LOGFILE.layout.pattern=TID: [%tenantId] [%appName] [%d] [%X{Correlation-ID}] %5p {%c} — %mm%ex%n
      appender.ANALYTICS_EVENT_LOGFILE.policies.type = Policies
      appender.ANALYTICS_EVENT_LOGFILE.policies.time.type = TimeBasedTriggeringPolicy
      appender.ANALYTICS_EVENT_LOGFILE.policies.time.interval = 1
      appender.ANALYTICS_EVENT_LOGFILE.policies.time.modulate = true
      appender.ANALYTICS_EVENT_LOGFILE.policies.size.type = SizeBasedTriggeringPolicy
      appender.ANALYTICS_EVENT_LOGFILE.strategy.type = DefaultRolloverStrategy
      appender.ANALYTICS_EVENT_LOGFILE.strategy.max = 20
      appender.ANALYTICS_EVENT_LOGFILE.filter.threshold.type = ThresholdFilter
      appender.ANALYTICS_EVENT_LOGFILE.filter.threshold.level = INFO


      To change the name of the log file and its location, change the fileName and filePattern parameters accordingly.

    • Add org.wso2.carbon.event.output.adapter.logger.LoggerEventAdapter to the list of all loggers as follows:

      loggers = {other loggers}, org-wso2-carbon-event.output-adapter-logger-LoggerEventAdapter

    • Add the following logger configurations.


      The analytics_events.log file will be rolled each day or when the log size reaches the limit of 1000 MB by default. Furthermore, only 10 revisions will be kept and older revisions will be deleted automatically. You can change these configurations by updating the appender configurations above.

  2. Restart WSO2 Identity Server.

Configure ELK

Follow the guides mentioned below to install the ELK components.

Install Elasticsearch

  1. Install Elasticsearch according to your operating system.

  2. Make sure Elasticsearch is up and running.


    Take note of the password generated for the elastic user.

Install Filebeat

  1. Install Filebeat according to your operating system.

  2. Open the filebeat.yml file in the root directory and add this configuration.


    • Replace <IS_HOME> with the location of your WSO2 Identity Server installation.
    • To configure Filebeat to mask sensitive information in logs, follow this guide.

Install Logstash

  1. Install Logstash according to your operating system.
  2. In the Logstash directory, create a file with the .conf extension and add these configurations.


    • Set a password for the elastic super user.
  3. Start the logstash server with the -f flag followed by the location of the configuration file you created.

Installing Kibana

  1. Install Kibana according to your operating system and do this one time configuration.

  2. Once Kibana is running, enter its web interface using the following address:

Configure ELK Analytics Dashboards

  1. Navigate to the Kibana installation folder and run the following command to install the Kibana Enhanced Table plugin.

    ./bin/kibana-plugin install


    Replace A,B,C with the plugin version and X,Y,Z with the Kibana version you have installed.

  2. Restart Kibana service and log in to Kibana.

  3. On the left navigation panel, under Management click Stack Management.

  4. Under Stack Management > Data, click Index Management and go to its Index Templates tab.

  5. Under the Index patterns column, if you have any index patterns created under the following names, delete them before moving to the next step.

    • wso2-iam-alert-auth*
    • wso2-iam-alert-session*
    • wso2-iam-auth-raw*
    • wso2-iam-session-raw*
    • wso2-iam-session-time-series*
  6. Download the artifact file here.

  7. Under Stack Management > Kibana, click Saved Objects.

  8. Click Import, add the downloaded artifact file as an import object, and click Import.

  9. Once import is complete, click Done.

  10. On the left navigation panel, under Analytics, click Dashboards to view the created Auth and Session dashboards.