The application logging is by default displaying informative messages for monitoring and statistic purposes.
SignServer provides three mechanisms for observability in a Kubernetes deployment: application logs, a health check endpoint, and Kubernetes liveness and readiness probes. This page explains how each works and how to configure them.
For an overview of all available deployment parameters, see SignServer Helm Deployment Parameters.
Application Logging
Log Levels
SignServer has two separate log level controls: one for the SignServer application itself, and one for the underlying WildFly application server.
|
Parameter |
Default |
What it controls |
|---|---|---|
|
|
|
SignServer application log level. Controls signing operation logs, worker events, audit events, and application errors. |
|
|
- |
Log level specifically for Web Service transaction logging. Set independently if you need verbose WS logging without raising the overall app log level. |
|
|
|
WildFly application server log level for the main system. |
|
|
|
WildFly log level for subsystems (JBoss modules, connectors, etc.). |
Valid values for all levels: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, OFF.
Default log level: LOG_LEVEL_APP defaults to DEBUG, which is verbose. For production deployments consider setting it to INFO to reduce log volume and make significant events easier to spot. Set it to DEBUG temporarily when troubleshooting.
Configure in your values.yaml:
signserver:
env:
LOG_LEVEL_APP: INFO
LOG_LEVEL_SERVER: INFO
LOG_LEVEL_SERVER_SUBSYSTEMS: WARN
Saving Logs to Files
By default, SignServer logs are written to stdout and captured by the Kubernetes logging infrastructure. To also save logs to files, configure the storage location and size limit:
|
Parameter |
Default |
Description |
|---|---|---|
|
|
- |
Path inside the container where log files are written. Must be a writable directory. Leave empty to log to stdout only. |
|
|
|
Maximum total size of log files in MB before rotation. Minimum: |
signserver:
env:
LOG_STORAGE_LOCATION: /opt/signserver/logs
LOG_STORAGE_MAX_SIZE_MB: 512
volumeMounts:
- name: log-storage
mountPath: /opt/signserver/logs
volumes:
- name: log-storage
emptyDir: {}
To persist logs across pod restarts, replace emptyDir with a PersistentVolumeClaim.
Audit Logging
SignServer maintains an internal audit log of all signing operations and administrative actions. By default this is written to the database.
|
Parameter |
Default |
Description |
|---|---|---|
|
|
|
When |
signserver:
env:
LOG_AUDIT_TO_DB: true
Disabling database audit logging means signing events are not queryable through the SignServer Admin Web audit log viewer. Only disable this if you have an alternative audit trail in place.
Health Check
SignServer exposes a health check endpoint that reports whether the application is running and operational. It is useful for load balancers, cluster management, and external monitoring tools.
Health Check URL:
http://<host>:8080/signserver/healthcheck/signserverhealth
A healthy response returns HTTP 200 with a plain text body:
ALLOK
An unhealthy response returns HTTP 500 with a description of the problem, for example:
ERROR: Error reading configuration.
The health check verifies:
-
The SignServer application has started successfully
-
The database connection is available
-
Crypto Tokens marked for auto-activation have activated
The health check is available on the unencrypted HTTP port (8080) even when HTTPS is enforced for all other traffic. This makes it accessible to internal cluster components without certificate configuration.
Kubernetes Probes
Kubernetes uses three probe types to manage the SignServer pod lifecycle. All three are backed by the health check endpoint above and are pre-configured in the Helm chart with sensible defaults.
|
Probe |
Default configuration |
Purpose |
|---|---|---|
|
Startup |
|
Gives SignServer up to 5 minutes ( |
|
Liveness |
|
Restarts the pod if SignServer stops responding, indicating a crash or unrecoverable error. |
|
Readiness |
|
Removes the pod from the load balancer's rotation if it is not yet ready to serve traffic. Unlike liveness, a failing readiness probe does not restart the pod. |
Override the defaults in your values.yaml if your environment requires different timing:
probes:
signserver:
startup:
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 60
liveness:
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 3
readiness:
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 3
Timezone
Log timestamps use the timezone of the container, which defaults to UTC. To use a different timezone, set the TZ environment variable:
signserver:
env:
TZ: Europe/Stockholm
Using UTC for container logs is generally recommended.