Workaround to enable UiPath Orchestrator to store logs in Elasticsearch 6.4

UiPath Orchestrator uses NLog as the logging framework. This allows Administrators to configure multiple targets for Robot Execution Logs in the Orchestrator Web Application Configuration file. The size of Execution Logs in RPA environments tend to grow large and can become a huge overhead if the logs are written to a Relational Database Server like SQL Server. Also analysing logs can be a difficulty. For this reason setting Elasticsearch as the log target is recommended.

The Elasticsearch log target configuration in the current version of Orchestrator supports only Elasticsearch version 5.5.2 as NLog supports only this version of Elasticsearch. However this version of Elasticsearch is pretty outdated and the latest stable version at the time of writing is 6.4. Organizations may want to install the latest versions of Elasticsearch instead of version 5.5.2, as Elasticsearch versions 6.0 and above incorporate many enhancements, bug fixes and security updates.

It is possible to send logs from Orchestrator to Elasticsearch 6.4 by using Filebeat. For this we configure Orchestrator to write logs to flat files and use Filebeat to extract the contents of the log files and store them in Elasticsearch indices.

The steps to configure Filebeat and Orchestrator are given below.

1. Install and configure Elasticsearch

Install Elasticsearch and configure it. Including SSL for encrypting communications and X-Pack for Security is recommended. Set up passwords for the built-in accounts if you have configured X-Pack Security and then start Elasticsearch service.

2. Install and configure Kibana

Install and configure Kibana to connect to the Elasticsearch instance. If using SSL, configure SSL settings. Start Kibana. If Security is configured go to step 3 else go to step 4.

3. Create Filebeat user

Login to Kibana and create a user named ‘filebeat’. Create a role named Filebeat and assign the below permissions.

Cluster Privileges -> monitor

Cluster Privileges -> manage_index_templates

Assign the role ‘Filebeat’ to the user ‘filebeat’.

4. Install Filebeat

Install Filebeat in the Application Servers. The steps to install Filebeat are given in Elasticsearch website here. Filebeat does not support UNC paths so it has to be installed in each Application Server. The installed Filebeat service will be in Stopped status. Let it remain stopped for the time being.

5. Configure Filebeat

To configure Filebeat we have to update the following sections in the filebeat.yml file which is available under the Config directory.

a. Filebeat Inputs -> Log Input

This section has the settings for the input which in our case is the log file written by the Orchestrator. Update the settings as given below.

enabled – set this to true to enable log file input

paths – the absolute path to the directory from where you want to read the log files

We will later configure the Orchestrator to write log messages in json format. So we need to add the below settings to enable Filebeat to read the json formatted log content*.

json.message_key – set this as message

json.keys_under_root – set this as true

b. Outputs -> Elasticsearch output

This section is used to enable Filebeat to connect to Elasticsearch and write the log messages to a specific index.

hosts – set the dns name or IP address of your Elasticsearch instance followed by port number, e.g.

protocolhttps if you are using ssl, else http .

username and password – set the user name and password you created in step 3 if you have set up X-Pack Security for Elasticsearch, else leave it commented.

index – the name of the Elasticsearch index you want to create and populate with log content. By default it will have the format "filebeat-%{[beat.version]}-%{+yyyy.MM.dd}". For example we can set it to “rpalog-%{+yyyy.MM.dd}" which creates indices with names such as ‘rpalog-2018.10.18’.

Also set the SSL settings if you have enabled SSL in Elasticsearch. Please refer this guide in Elasticsearch website for more details.

c. Template

You have to update this section if you have set a custom name for the index in the Elasticsearch Output section. – set the name of the index pattern e.g. “rpalog”

setup.template.pattern – set the index pattern e.g. "rpalog-*"

6. Start Filebeat

Start the Filebeat service. You can check if Filebeat started successfully by checking the log for errors. Logs will be written to %programdata%/filebeat/logs by default.

If Filebeat has started successfully and is able to connect to Elasticsearch, it will create an index template with the name specified in the Elasticsearch Output section of Filebeat Configuration. In our case the name of the template will be rpalog.

7. Assign additional permissions to Filebeat role

If you have set up X-Pack Security for Elasticsearch then you need to assign some additional permission to the Filebeat role which you created in step 3. Else proceed to step 8.

Login to Kibana, go to Management -> Security -> Roles and open the Filebeat role which we created in step 3. Update the permissions as follows.

Index Privileges -> Indices - enter rpalog* (or the name of your Filebeat index pattern).

Index Privileges -> Privileges – enter read, write, create, create_index, index, view_index_metadata .

Now Filebeat will be able to write logs to Elasticsearch.

8. Orchestrator Configuration

In order to configure the Orchestrator to write logs to flat files we need to update the NLog Configuration section in the Orchestrator configuration file.

Add the below target to the targets section of the Nlog configuration section. The absolute path mentioned here should be the same path that is mentioned in Filebeat configuration (see section 5a).

<target xsi:type="File" name="executionFile" fileName="<absolute path to log directory>/{shortdate}_Robot.log&quot; layout=&quot;{replace-newlines:${event-properties:item=rawMessage}}" concurrentWrites="true" />

Add the below rule as the first rule under the Rules section of the Nlog configuration section. If you still want to write to targets other than flat files set ‘final’ as ‘false’.

<logger name="Robot.*" minlevel="Trace" writeTo="executionFile" final="true" />

9. Final Checks

Restart Orchestrator and execute a test workflow. If the configuration was done correctly, the execution logs will be written to the log file. Filebeat will automatically extract the contents of the log file and write them to Elasticsearch index.

Login to Kibana and create the index pattern. Now the execution logs are available to view in Kibana.

*This was tested in Orchestrator versions 2016.2 and 2018.1 and Elasticsearch versions 6.2 and 6.4.
*You may need to purge the log files in Orchestrator log directory from time to time to release space, probably weekly.

*Sample Filebeat Configuration.pdf (63.0 KB)

Posted by Shanmugam Sudalaimuthu on 19 Oct 2018. The author is an RPA Consultant at HCL Technologies Ltd.


Hi Shan, thanks for the suggestion.

We are facing the same issue with not being able to send logs to Elastic 6.4 using NLog. Did you ever try to update the .dll for NLog try to and get it working using that kind of hack? have you recieved any response regarding a possible timeline when we can expect support for higher versions of elastic?

br mats

Hi Matsi, we didn’t want to take any risk in Production environment so we went for this approach. We have not got any timeline about the support.

Hi Shan,
Thank you for this, this is good information.

For what version of UiPath have you used this ElasticSearch workaround? The reason I ask is cause of my second question - do you know if the Elastic Search version limitation is fixed in the latest release 2018.3.1?

The website says yes, but just wanted to check with your experience.

The information on UiPath website says " ElasticSearch - 2.3 - 6.x Please note that support for versions 2.x of Elasticsearch has ended on their part."

Hi Ritesh, this was deployed in versions 2016.2 and 2018.1. We plan to use the same in future as it helps to decouple Orchestrator and Elasticsearch by removing the version dependency.

Thanks @Shan

Check out UiPath Dashboard for Kibana as a starting point for your own customized reporting. It also works with the Community Edition of UiPath.

Thanks for the nice tutorial. Works for me. But sadly the message field is just raw text.

How is it possible to split that field up into fields? So I’m just interested some fields:

  • message
  • level
  • initiatedBy

08:19:51.3649 Info {"message":"execution started","level":"Information","logType":"Default","timeStamp":"2020-08-14T08:19:51.3589813+02:00","fingerprint":"9b81sdg-9164-4e1e-8f99-af83ec524e20","windowsIdentity":"myname","machineName":"mypc","processName":"ABIM360","processVersion":"1.0.8","jobId":"b9sdf360f-050f-4ee6-aa5b-79b62438a342","robotName":"myrobotname","machineId":6,"organizationUnitId":1,"fileName":"Main","initiatedBy":"Studio"}

Or is this better done via filter in Kibana?

Hi kwoxer, Have you set values for json.message_key and json.keys_under_root to appropriate values as set in the sample filebeat.yml? Setting json.keys_under_root to true will copy keys to top level in Elasticsearch document. You can then choose the fields you need in Index Pattern in Kibana.