The Ultimate Guide to HAProxy Log Format

If you've ever had to debug an HAProxy setup, you know logs are your best friend. But let’s be honest—HAProxy logs can look like a cryptic mess at first glance.

That’s why this guide exists: to break down HAProxy log formats in a way that makes sense, so you can troubleshoot issues, optimize performance, and make your logs work for you instead of against you.

Why HAProxy Logging Matters

HAProxy logs give you a detailed breakdown of traffic flowing through your proxy. Whether you’re dealing with slow requests, failed backends, or just want to analyze user behavior, logs hold the answers. But to get real insights, you need to understand the format and how to customize it to your needs.

💡

For a deeper dive into different syslog formats and how they impact log management, check out our detailed guide on Syslog Formats.

HAProxy Log Formats Explained

By default, HAProxy logs use the HTTP log format, but you can customize them to include specific details like request time, response size, and backend performance. Let’s go over the most commonly used formats.

What Is the Default HTTP Log Format in HAProxy?

The default format looks something like this:

Feb 17 12:34:56 localhost haproxy[1234]: 192.168.1.1:54321 [17/Feb/2025:12:34:56.789] frontend_name backend_name/server_name 0/0/5/10/15 200 1234 - - ---- 1/1/1/1/0 0/0 "GET /index.html HTTP/1.1"

At first glance, that’s a lot to take in, so let’s break it down:

Timestamp: The date and time of the log entry.
Client IP & Port: The source of the request.
Frontend Name: The HAProxy frontend handling the request.
Backend & Server: The backend server responding to the request.
Timers: These numbers represent different processing times (queue, connect, response, etc.).
HTTP Status Code: The response code from the backend.
Bytes Sent: How much data was transferred.
Termination Flags: Indicators of how the request was processed.
Connections & Retries: A snapshot of HAProxy’s handling of connections.
HTTP Request: The actual request made by the client.

💡

To ensure efficient log storage and compliance, explore our guide on Log Retention Best Practices.

How to Customize HAProxy Log Format?

The default log format is useful, but sometimes you need more context. HAProxy allows you to define your own log format using the log-format directive in the configuration file.

Example: Adding Headers and Processing Time

log-format "%ci:%cp [%tr] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %CC/%CS/%tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hrl %hsl %r"

This example includes additional details like request headers and queue times.

What Are HAProxy Log Levels and How to Manage Them?

Logging in HAProxy is not just about capturing data—it’s about categorizing and managing logs effectively to reduce noise and focus on important events. Below, we’ll explore the different log levels HAProxy provides and how to manage log volume efficiently.

HAProxy Log Levels and Their Severity

HAProxy categorizes log messages into different severity levels, helping you prioritize issues based on importance:

Emerg (0) – System is Unusable: Indicates a total system failure that requires immediate attention.
Alert (1) – Immediate Action Required: Something critical needs urgent intervention.
Crit (2) – Critical Conditions: Major failures that impact functionality but may not require immediate shutdown.
Err (3) – Error Messages That Need Attention: Issues that need to be fixed but may not be immediately critical.
Warning (4) – Potential Issues to Monitor: Conditions that might cause problems if left unchecked.
Notice (5) – Normal but Significant Events: Important system changes or behaviors that should be logged.
Info (6) – General Informational Messages: Routine system operations, connection details, and performance insights.
Debug (7) – Detailed Debugging Information: Used for in-depth troubleshooting, and capturing verbose logs.

Setting the right log level ensures that you capture only the necessary data while minimizing system overhead.

💡

Understand log severity and how to manage log levels effectively in our guide on Log Levels: Answers to the Most Common Questions.

Filter Logs by Setting Appropriate Log Levels

One of the easiest ways to reduce log noise and improve performance is by configuring HAProxy to log only essential information.

In the HAProxy configuration file, you can set the log level like this:

log stdout format raw local0 info

This ensures that only messages of level info (6) and higher (info, notice, warning, etc.) are logged, filtering out unnecessary debug logs in production.

Reduce Log Volume with Log Sampling Techniques

If your HAProxy instance handles high traffic, logging every request can overwhelm storage and processing resources. Log sampling allows you to log only a subset of requests.

For example, in HAProxy, you can sample only 1% of requests to avoid excessive logging:

option log-health-checks
http-request capture req.hdr(User-Agent) len 64

This ensures that only selective requests are logged, preventing log storage from growing uncontrollably.

Use Conditional Logging to Focus on Important Events

Rather than logging every request, you can configure HAProxy to log only specific events, such as errors or slow responses.

Example: Log only requests that take longer than 5 seconds to process:

acl slow_response req.hdr(X-Response-Time) -m gt 5000
http-request capture req.hdr(Host) len 64 if slow_response

This way, you can quickly identify performance issues without cluttering logs with unnecessary data.

Centralize and Analyze Logs with External Tools

For enterprise-level monitoring, relying solely on HAProxy’s built-in logging may not be enough. External log aggregators like ELK Stack, Last9, or Grafana Loki can:

Collect and centralize logs from multiple HAProxy instances.
Filter and analyze logs based on severity, source, or keywords.
Provide real-time monitoring dashboards to visualize traffic trends and detect anomalies.

For example, sending HAProxy logs to Last9 via Logstash enables deep search and indexing, making troubleshooting much easier.

💡

For a comprehensive guide on understanding and analyzing SSHD logs, check out SSHD Logs 101.

HAProxy Logging in Containerized Environments

Logging in containerized environments, especially for HAProxy, can be tricky because traditional logging methods—like syslog—don't always work well in a containerized setup.

Let's break down some best practices for handling HAProxy logs effectively.

1. Redirect Logs to Standard Output for Easy Collection

Most container platforms (like Docker and Kubernetes) are designed to collect logs from standard output (stdout) and standard error (stderr).

Instead of trying to write logs to files or using syslog inside the container, you can configure HAProxy to send logs directly to stdout using:

log stdout format raw

This makes life easier because the container runtime automatically captures the logs, and tools like kubectl logs or docker logs let you see them without extra setup.

2. Use a Centralized Logging System for Better Log Management

In a real-world production system, you don’t want to manually check logs on individual containers. Instead, you should use a centralized logging solution like Last9, Fluentd, Logstash, or Loki. These tools help by:

Collecting logs from all your HAProxy containers.
Processing and filtering logs for better readability.
Storing logs in a searchable database (e.g., Elasticsearch, Loki).
Providing visual dashboards for monitoring.

For example, in Kubernetes, you could use Fluentd to pull logs from containers and push them to Elasticsearch, making it easy to search and analyze them with Kibana.

💡

For real-time error detection and faster troubleshooting, check out our guide on How to Monitor Error Logs in Real Time.

3. Implement the Sidecar Pattern to Offload Log Processing

Instead of having HAProxy handle logging and forwarding logs by itself, you can run a separate logging container (a sidecar) alongside HAProxy. This approach has several advantages:

Keeps the HAProxy container lightweight and focused on traffic routing.
Prevents log collection from interfering with HAProxy’s performance.
Allows the logging container to send logs to a centralized service without modifying HAProxy.

In Kubernetes, you can define a sidecar container in the same pod that reads HAProxy’s logs and forwards them to a logging system like Last9 or Logstash.

4. Persist Logs Using Volumes or External Storage for Long-Term Analysis

Since containers are ephemeral (they can be stopped, restarted, or even replaced at any time), logs inside the container will be lost unless you store them somewhere permanently. There are two main ways to do this:

Mounting a persistent storage volume: Attach a storage volume where logs can be written and accessed even if the container restarts.
Using an external logging service: Send logs to a cloud-based logging solution (like AWS CloudWatch, Google Cloud Logging, or a self-hosted ELK stack).

For example, in Docker, you could persist logs with:

docker run -d --name haproxy -v /var/log/haproxy:/logs haproxy

Logging Best Practices

Use TCP or UDP Logging: HAProxy supports logging over syslog, so make sure logs are being captured correctly.
Rotate Logs: Prevent logs from filling up disk space by setting up log rotation.
Monitor Anomalies: Set up log analysis tools like Logstash or Grafana to catch unusual behavior in real-time.
Secure Log Transmission: Use TLS encryption when sending logs to remote servers to protect sensitive data.
Structure Logs for Easy Parsing: Configure HAProxy to use a JSON log format for better compatibility with log analysis tools.

Wrapping Up

HAProxy logs are a goldmine of information—if you know how to read them. Understanding the default log format and customizing it to fit your needs can help you unlock powerful insights and keep your proxy running smoothly. Have a specific log format you use? Share with us!

💡

And if you have more to discuss, join our community on Discord! We have a dedicated channel where you can share your specific use case and connect with other developers.

FAQs

What is the default log format in HAProxy?
The default HAProxy log format follows a structured format that includes timestamps, client IP, request details, response status, and timing metrics.
How can I customize the log format in HAProxy?
You can modify the log format using the log-format directive in the HAProxy configuration file to include or exclude specific request/response details.
Can HAProxy logs be formatted in JSON?
Yes, HAProxy supports JSON log formatting by using custom log-format directives, making it easier to parse logs with external tools.
How do I enable detailed logging for debugging purposes?
Set the log level to debug in your HAProxy configuration to capture more granular details about requests, connections, and internal processing.
What fields should I include in a custom log format for better analysis?
Common fields include client IP (%ci), request method (%HM), requested URL (%HP), response status (%ST), and response time (%TR).
How can I filter logs to capture only specific request types or errors?
Use conditional logging with ACLs in HAProxy to log only specific events, such as errors (%ST gt 499) or slow requests.
What external tools can I use to analyze HAProxy logs?
Popular log management tools like ELK Stack (Elasticsearch, Logstash, Kibana), Grafana Loki, and Last9 help visualize and analyze HAProxy logs efficiently.