Blockchain nodes generate a continuous stream of log data, recording everything from successful block synchronization and peer connections to critical errors and performance warnings. For operators, these logs are the primary diagnostic tool. Whether you're running an Ethereum Geth client, a Solana validator, or a Cosmos full node, understanding how to access and parse these logs is essential for ensuring node health, diagnosing consensus issues, and responding to security events in real-time. Logs are typically written to stdout/stderr or dedicated log files, with verbosity controlled by command-line flags.
LABS
Guides
How to Manage Node Logs
A technical guide for developers on configuring, monitoring, and troubleshooting logs for blockchain nodes like Geth, Erigon, Solana, and Cosmos SDK.
Chainscore © 2026
introduction
OPERATIONS
Introduction to Node Log Management
Effective log management is critical for maintaining, debugging, and securing blockchain nodes. This guide covers the fundamentals of accessing, interpreting, and managing your node's log output.
The structure and verbosity of logs are determined by the client's logging level. Common levels include ERROR, WARN, INFO, DEBUG, and TRACE. For day-to-day operations, INFO is standard, providing a balance of useful data without excessive noise. When troubleshooting, you can increase verbosity to DEBUG to see granular details of peer interactions or state transitions. It's crucial to know your client's specific flags; for example, Geth uses --verbosity, while Prysm uses --log-level. Managing disk space is also a key consideration, as debug-level logging can generate gigabytes of data daily.
To effectively monitor logs, you need the right tools. Basic tail -f commands are useful for real-time observation. For more powerful searching and filtering, tools like grep, awk, and jq (for JSON-formatted logs) are indispensable. For instance, to find all peer connection errors in a Geth log, you might run grep -i "peer\|dial" node.log. For production systems, consider log aggregation solutions like the ELK Stack (Elasticsearch, Logstash, Kibana), Loki, or Datadog. These platforms allow you to centralize logs from multiple nodes, create dashboards, and set up alerts for specific error patterns or performance thresholds.
Beyond real-time monitoring, logs are vital for forensic analysis after an incident. If your node misses attestations, gets slashed, or experiences an unexpected fork, the logs contain the timeline. You should regularly archive and rotate logs to prevent disk exhaustion. Implement log rotation using tools like logrotate to compress old files and delete outdated data based on size or age. A best practice is to forward critical logs to a secure, external system. This ensures you have an immutable audit trail even if the node's local storage is compromised or fails, enabling complete post-mortem analysis.
Finally, integrate log management into your operational playbook. Define clear procedures for common scenarios: what to search for during synchronization stalls, how to identify malicious peer behavior, and which log lines trigger immediate alerts. Document the meaning of common but cryptic error messages specific to your client. By treating logs as a first-class operational data source, you transform from reactive troubleshooting to proactive node management, significantly improving uptime and security for your blockchain infrastructure.
prerequisites
PREREQUISITES AND SETUP
How to Manage Node Logs
Effective log management is essential for monitoring node health, debugging issues, and maintaining a reliable blockchain infrastructure. This guide covers the core concepts and practical commands for handling logs from clients like Geth, Erigon, and Nethermind.
Blockchain node logs are the primary source of truth for your node's operational status. They record everything from successful block synchronization and peer connections to critical errors and performance warnings. By default, most clients output logs to the standard output (stdout) or a dedicated log file. The verbosity of these logs is controlled by log levels, typically ranging from ERROR and WARN for critical issues to INFO and DEBUG for detailed operational tracing. Understanding how to configure and access these logs is the first step in proactive node management.
To effectively manage logs, you must know how to control their output. For Geth, use the --verbosity flag followed by an integer (0-5) to set the detail level, where 5 is the most verbose. You can redirect this output to a file using standard shell redirection: geth --verbosity 3 2>&1 | tee geth.log. For Erigon, the --log.console.verbosity flag serves a similar purpose, and you can specify a log directory with --log.dir.path. Nethermind uses a JSON configuration file where you can define multiple log rules, outputs (like console, file, or Seq), and levels for different components, offering granular control.
Once logs are being captured, you need tools to analyze them. The tail command is indispensable for real-time monitoring; use tail -f /path/to/geth.log to watch new entries as they appear. For historical analysis, grep allows you to filter logs. For example, grep -E "ERROR|WARN" /var/log/nethermind.log quickly surfaces potential problems. For more complex parsing, especially with JSON-formatted logs from clients like Nethermind, consider using a tool like jq. A command like cat log.json | jq '. | select(.level == "Error")' can extract and format specific error entries efficiently.
For long-term node operation, implement log rotation to prevent log files from consuming all available disk space. The logrotate utility on Linux systems is the standard solution. You can create a configuration file (e.g., /etc/logrotate.d/geth) to define rotation schedules, compression, and retention policies. A basic configuration might rotate logs daily, keep 7 days of archives, and compress old files. Without rotation, a continuously running node can generate gigabytes of log data, leading to storage issues and making it difficult to find relevant information in a single, massive file.
In production environments, consider forwarding your logs to a centralized monitoring system. Solutions like the ELK Stack (Elasticsearch, Logstash, Kibana), Grafana Loki, or Datadog allow you to aggregate logs from multiple nodes, create dashboards, and set up alerts based on specific log patterns (e.g., alerting on repeated "P2P networking error" messages). This approach transforms raw log data into actionable insights, enabling you to track node performance across a network and identify systemic issues before they cause downtime.
log-basics
OPERATIONS
Understanding Node Log Output
A guide to interpreting and managing the log output from blockchain nodes for effective monitoring and debugging.
Blockchain node logs are the primary source of truth for a node's health and activity. They provide a real-time, chronological record of events, from successful block synchronization to critical errors and peer connections. Unlike a simple console output, these logs are structured streams of data written to files like stdout or dedicated log files (e.g., node.log). Understanding this output is essential for diagnosing issues, monitoring performance, and ensuring your node is participating correctly in the network. Key information includes block heights, peer IDs, consensus messages, and resource usage metrics.
Log verbosity is controlled by log levels, which filter the detail of messages written. Common levels are ERROR, WARN, INFO, DEBUG, and TRACE. An INFO level is standard for daily operations, showing block imports and peer counts. For debugging a stalled sync or a connectivity issue, you would increase the level to DEBUG to see granular network handshake details or state transitions. Setting the level is typically done via a command-line flag (e.g., --log-level=debug) or a configuration file. Managing this effectively prevents log files from becoming unmanageably large while ensuring you capture necessary data.
To effectively parse logs, you need to know common patterns. A healthy log line for an Ethereum execution client like Geth might look like: INFO [05-15|10:30:45.321] Imported new chain segment blocks=1 txs=15 mgas=1.2 elapsed=125.456ms. This tells you a block was processed, the number of transactions, gas used, and how long it took. Warning messages often precede issues, such as WARN [05-15|10:31:00.000] Snapshot extension registration failed. Error messages require immediate attention, like ERROR [05-15|10:32:10.500] Failed to dial peer, indicating network problems. Using tools like grep to filter for these keywords (ERROR, WARN, Imported) is a fundamental skill.
For long-term node management, writing logs to rotating files is crucial. Directing output to a file with >> node.log 2>&1 captures both standard output and errors. However, without rotation, this file can consume all disk space. Use a log rotation tool like logrotate to automatically archive, compress, and delete old logs based on size or time. A basic logrotate configuration for a Geth node might compress weekly logs older than a month and keep four archived copies. This maintains a manageable history for audits without manual intervention. For advanced analysis, you can pipe logs to systems like the ELK stack (Elasticsearch, Logstash, Kibana) for searchable, visual dashboards.
When troubleshooting, a systematic approach using logs is key. First, check the latest errors with tail -n 100 node.log | grep -A 5 -B 5 ERROR. If the node is stuck, increase the log level to DEBUG and restart, then monitor for messages about syncing, peers, or consensus. Comparing your node's latest block height in the logs (Imported new chain segment) against a block explorer will confirm sync status. For consensus clients like Prysm or Lighthouse, watch for attestation and proposal logs. If logs indicate persistent peer connection failures, the issue may be with your network's firewall settings or your node's --max-peers configuration. Always document the timestamp and exact error message when seeking help from community forums or documentation.
monitoring-techniques
NODE OPERATIONS
Real-Time Log Monitoring Techniques
A practical guide to implementing effective log monitoring for blockchain nodes, covering essential tools, techniques, and best practices for maintaining system health.
Real-time log monitoring is a critical operational practice for node operators, enabling the immediate detection of errors, performance bottlenecks, and security threats. Unlike static log files, real-time streams provide a live feed of system events, allowing for proactive intervention. For blockchain nodes, this is essential for catching consensus failures, peer connection issues, or smart contract execution errors as they happen. Tools like journalctl for systemd-based nodes or the --log-dir flag in Geth and Erigon are foundational for accessing these streams. The primary goal is to transform raw, high-volume log data into actionable alerts and dashboards.
To implement an effective monitoring pipeline, you must first configure your node's logging output. Most clients support different verbosity levels; for example, Geth uses --verbosity with levels from 1 (errors) to 5 (debug). For production, a level of 3 (info) is typically sufficient. It's crucial to structure logs in a machine-readable format like JSON (--log.json in Geth) to simplify parsing. You can then pipe this output to a monitoring agent. A common setup involves using tail -F to follow a log file and stream its contents to a processing tool like Fluentd, Vector, or Logstash, which can filter, enrich, and forward logs to a central system.
The next step is aggregating and visualizing log data. Centralized platforms like Loki, Elastic Stack (ELK), or Datadog are industry standards. For a lightweight, open-source approach, the Grafana Loki stack is particularly well-suited for node operators. You deploy Promtail as an agent to scrape and label logs from your node, send them to a Loki instance for indexing, and then query and create dashboards in Grafana. This setup allows you to create alerts for specific log patterns, such as a sudden spike in "WARN" messages or the appearance of "Out of memory" errors, directly notifying your team via Slack, PagerDuty, or email.
Creating meaningful alerts requires defining precise log queries. In a Loki-based system, you use LogQL to filter streams. For instance, to alert on potential chain reorganizations in an Ethereum execution client, you might query for logs containing "reorg" or "chain reorganised". For consensus clients like Lighthouse or Prysm, monitoring for "slashable" events or attestation failures is critical. Your alerting rules should be tested to avoid noise; start with broad patterns and refine them based on observed false positives. Effective monitoring is not just about collecting logs but creating a hierarchy of alerts that distinguish between critical failures requiring immediate action and informational messages for later review.
Finally, integrate log monitoring with broader observability practices. Correlate log events with metrics (e.g., CPU usage from Prometheus) and distributed traces for a complete picture. For example, a log entry about slow block import can be cross-referenced with a metric showing high disk I/O latency. Automate responses where possible using tools like PagerDutys automation rules or custom scripts that can restart a stalled process. Document your monitoring setup and runbooks so any team member can respond to an alert. Regularly review and prune old log data to manage storage costs, and periodically test your entire alerting pipeline to ensure reliability.
CONFIGURATION
Log Level Comparison Across Node Clients
A comparison of log level flags, default settings, and verbosity control for major Ethereum execution and consensus clients.
| Log Level / Feature | Geth | Nethermind | Besu | Lighthouse |
|---|---|---|---|---|
Default Verbosity | 3 | INFO | INFO | INFO |
Flag for Debug Logs | --verbosity 5 | --log debug | --logging=DEBUG | --debug-level debug |
Flag for Trace Logs | --verbosity 6 | --log trace | --logging=TRACE | --debug-level trace |
Flag for Minimal Logs | --verbosity 1 | --log error | --logging=ERROR | --debug-level info |
Dynamic Level Change | ||||
Per-Module Filtering | ||||
JSON Log Output | --log.json | --JsonRpc.Enabled true | --logging=JSON | --logfile-format JSON |
Disk Usage (Debug, GB/day) | ~15-20 | ~10-15 | ~12-18 | ~8-12 |
log-rotation-retention
NODE OPERATIONS
Implementing Log Rotation and Retention
A guide to managing blockchain node log files to prevent disk overflow and maintain audit trails for debugging and compliance.
Blockchain nodes like Geth, Erigon, or Besu generate continuous log output, which can quickly consume disk space—often hundreds of gigabytes if left unchecked. Unmanaged logs can fill a partition, causing the node to crash. Log rotation is the automated process of archiving the current log file and starting a new one at a set interval or size. Log retention defines a policy for how long these archived logs are kept before being deleted. Implementing these practices is essential for node stability and operational hygiene.
The most common and robust method for log rotation is using the logrotate utility on Linux systems. It's a daemon that can be configured via files in /etc/logrotate.d/. A basic configuration for an Ethereum Geth node might look like this, saved as /etc/logrotate.d/geth:
code/var/log/geth.log { daily rotate 7 compress delaycompress missingok notifempty create 644 root root postrotate /usr/bin/systemctl kill -s USR1 geth.service endscript }
This config rotates the log daily, keeps 7 archived copies, compresses old files, and sends a signal to the Geth service to reopen its log file handle.
For retention, the rotate directive is key. rotate 7 keeps one week of logs. For longer audit trails, you might use rotate 30. For size-based rotation, use size 100M instead of daily. It's critical to pair rotation with the postrotate script that signals your node process; without it, the node may continue writing to the deleted file. Alternatives to logrotate include using Docker's built-in logging drivers (json-file with max-size and max-file options) or configuring logging directly within your process using libraries like lumberjack in Go.
Beyond basic rotation, consider log severity levels. Running a node with --verbosity 3 (default) is sufficient for most operations. Higher verbosity (--verbosity 5 for debug) creates vastly larger logs and should only be used temporarily. Structure your logs for analysis by using JSON-formatted output (e.g., Geth's --log.json flag), which allows you to pipe logs to systems like Loki or Elasticsearch for centralized monitoring and more sophisticated retention policies based on log content, not just age.
tools-resources
NODE MANAGEMENT
Tools and External Resources
Essential tools and concepts for effectively monitoring, parsing, and managing your blockchain node's log output.
03
Structured Logging with JSON Output
Many node clients support JSON-structured logging, which is essential for automated parsing and analysis. For example, launch Geth with --log.json or Besu with --logging=DEBUG. This outputs each log entry as a JSON object with fields like level, msg, time, and peer. You can then pipe logs to tools like jq for filtering: tail -f node.log | jq 'select(.level == "ERROR")'. This is critical for building monitoring alerts and dashboards.
Geth, Besu, Nethermind
Clients Supporting JSON Logs
05
Parsing and Filtering with grep, awk, and jq
Command-line tools are indispensable for quick log analysis. Use grep to find specific patterns (e.g., grep "Imported new chain segment"). Use awk to extract columns or calculate summaries (e.g., awk '/Block/ {count++} END {print count}'). Use jq to process JSON logs, enabling complex filtering and transformation. Combining these in pipes allows for powerful one-liners to diagnose issues like sync problems or peer connection errors without dedicated software.
grep, awk, jq
Core CLI Tools
conclusion-next-steps
NODE MANAGEMENT
Conclusion and Next Steps
Effective log management is a critical, ongoing responsibility for node operators. This guide has covered the core principles and tools. Here's how to solidify your practice and explore advanced techniques.
You should now have a functional system for monitoring your node's health through its logs. The key takeaways are: using journalctl for system-level logs and your client's specific log files (like geth.log or lighthouse.log) for application details, implementing log rotation with logrotate to prevent disk exhaustion, and setting up basic alerts for critical errors. Consistently reviewing logs is the most effective way to catch issues like sync problems, peer connection drops, or consensus failures before they impact your node's performance or rewards.
To build on this foundation, consider implementing a centralized logging stack. Tools like the ELK Stack (Elasticsearch, Logstash, Kibana) or Grafana Loki allow you to aggregate logs from multiple nodes, create sophisticated dashboards, and set up powerful alerting rules. For example, you could configure an alert that triggers if the string "WARN" appears more than 10 times in a minute or if the log stream stops entirely, indicating a potential crash. This moves you from reactive troubleshooting to proactive system monitoring.
Your next steps should be protocol-specific. Dive into your client's documentation to understand its unique log levels and message formats. For an Ethereum execution client like Geth, learn to identify logs related to syncing, txpool, and chain head. For a consensus client like Prysm, track attestation inclusion and block proposal success. Configure your log verbosity appropriately—higher levels (-vvv) for debugging and lower levels for production. Finally, join your client's community Discord or forum; discussing log entries with other operators is an invaluable way to quickly diagnose obscure issues.