---
title: "Getting the most out of saltstack logs"
page_name: "Getting the Most Out of SaltStack Logs"
type: "blog"
slug: "getting-saltstack-logs"
published_at: "2016-09-30"
modified_at: "2026-01-30"
url: "https://www.sumologic.com/blog/getting-saltstack-logs"
canonical: "https://www.sumologic.com/blog/getting-saltstack-logs"
markdown_url: "https://www.sumologic.com/blog/getting-saltstack-logs.md"
lang: "en"
excerpt: "Learn about SaltStack log storage and customization, and how to analyze the logs with Sumo Logic to gain useful insights into your server configuration."
taxonomy_blog_category:
- "DevOps & IT Operations"
---
[ All blogs ](https://www.sumologic.com/blog "blog")[DevOps & IT Operations](https://www.sumologic.com/blog/devops-it-operations)
# Getting the Most Out of SaltStack Logs
[Chris Tozzi](#blog-author-block-91)
September 30, 2016
3 min read
[DevOps & IT Operations](https://www.sumologic.com/blog/devops-it-operations)
##### Table of contents
SaltStack, also known simply as Salt, is a handy configuration management platform. Written in Python, it’s open source and allows ITOps teams to define “Infrastructure as Code” in order to provision and orchestrate servers.
But SaltStack’s usefulness is not limited to configuration management. The platform also generates logs, and like all logs, that data can be a useful source of insight in all manner of ways.
This article provides an overview of SaltStack logging, as well as a primer on how to analyze SaltStack logs with Sumo Logic.
## Where does SaltStack store logs?
The first thing to understand is where SaltStack logs live. The answer to that question depends on where you choose to place them.
You can set the log location by editing your SaltStack configuration file on the salt-master. By default, this file should be located at /etc/salt/master on most Unix-like systems.
The variable you’ll want to edit is log\_file. If you want to store logs locally on the salt-master, you can simply set this to any location on the local file system, such as /var/log/salt/salt\_master.
## Storing Salt logs with rsyslogd
If you want to centralize logging across a cluster, however, you will benefit by using rsyslogd, a system logging tool for Unix-like systems. With rsyslogd, you can configure SaltStack to store logs either remotely or on the local file system.
For remote logging, set the log\_file parameter in the salt-master configuration file according to the format:
`
://:/.
`
For example, to connect to a server named mylogserver (whose name should be resolveable on your local network DNS, of course) via UDP on port 2099, you’d use a line like this one:
`
log_file: udp://mylogserver:2099
`
## Colorizing and bracketing your Salt logs
Another useful configuration option that SaltStack supports is custom colorization of console logs. This can make it easier to read the logs by separating high-priority events from less important ones.
To set colorization, you change the log\_fmt\_console parameter in the Salt configuration file. The colorization options available are:
`
'%(colorlevel)s' # log level name colorized by level
'%(colorname)s' # colorized module name
'%(colorprocess)s' # colorized process number
'%(colormsg)s' # log message colorized by level
`
Log files can’t be colorized. That would not be as useful, since the program you use to read the log file may not support color output, but they can be padded and bracketed to distinguish different event levels. The parameter you’ll set here is log\_fmt\_logfile and the options supported include:
`
'%(bracketlevel)s' # equivalent to [%(levelname)-8s]
'%(bracketname)s' # equivalent to [%(name)-17s]
'%(bracketprocess)s' # equivalent to [%(process)5s]
`
## How to Analyze SaltStack logs with Sumo Logic
So far, we’ve covered some handy things to know about configuring SaltStack logs. You’re likely also interested in how you can analyze the data in those logs. Here, Sumo Logic, which offers easy integration with SaltStack, is an excellent solution.
Sumo Logic has an official SaltStack formula, which is available from GitHub. To install it, you can use GitFS to make the formula available to your system, but the simpler approach (for my money, at least) is simply to clone the formula repository in order to save it locally. That way, changes to the formula won’t break your configuration. (The downside, of course, is that you also won’t automatically get updates to the formula, but you can always update your local clone of the repository if you want them.)
To set up the Sumo Logic formula, run these commands:
`
mkdir -p /srv/formulas # or wherever you want to save the formula
cd /srv/formulas
git clone https://github.com/saltstack-formulas/sumo-logic-formula.git
`
Then simply edit your configuration by adding the new directory to the file\_roots parameter, like so:
`
file_roots:
base:
- /srv/salt
- /srv/formulas/sumo-logic-formula
`
Restart your salt-master and you’re all set. You’ll now be able to analyze your SaltStack logs from Sumo Logic, along with any other logs you work with through the platform.
*Getting the Most Out of SaltStack Logs* is published by the [Sumo Logic DevOps Community](https://www.sumologic.com/devops/). If you’d like to learn more or contribute, visit [devops.sumologic.com](https://www.sumologic.com/devops/). Also, be sure to check out [Sumo Logic Developers](https://www.sumologic.com/github-projects/) for free tools and code that will enable you to monitor and troubleshoot applications from code to production.
## About the Author
Chris Tozzi has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO.
### Article Tags
- [DevOps & IT Operations](https://www.sumologic.com/blog/devops-it-operations)
Chris Tozzi
**Chris Tozzi** has worked as a journalist and Linux systems administrator. He has particular interests in open source, agile infrastructure, and networking. He is Senior Editor of content and a DevOps Analyst at Fixate IO. His latest book, [*For Fun and Profit: A History of the Free and Open Source Software Revolution*](https://mitpress.mit.edu/books/fun-and-profit), was published in 2017.
[](https://www.sumologic.com/feed "RSS Feed")[](https://twitter.com/intent/tweet?text=Getting%20the%20Most%20Out%20of%20SaltStack%20Logs&url=https%3A%2F%2Fwww.sumologic.com%2Fblog%2Fgetting-saltstack-logs "X")[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.sumologic.com%2Fblog%2Fgetting-saltstack-logs "Facebook")[](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fwww.sumologic.com%2Fblog%2Fgetting-saltstack-logs "Linkedin")
[Previous blog
Setting Up a Docker Environment Using Docker Compose](https://www.sumologic.com/blog/setting-docker-environment-using-docker-compose)[Next blog
Managing Container Data Using Docker Data Volumes](https://www.sumologic.com/blog/managing-container-data-using-docker-data-volumes)
People who read this also enjoyed
[
Sumo Logic AWS Region European Sovereign Cloud is now generally available
June 2, 2026
](https://www.sumologic.com/blog/sumo-logic-aws-region-european-sovereign-cloud-generally-available)[
How to secure cloud workloads without building a full-scale SOC
April 30, 2026
](https://www.sumologic.com/blog/secure-cloud-workloads-with-limited-resources)[
Join operator and Query Agent for smarter log analysis
April 22, 2026
](https://www.sumologic.com/blog/using-the-join-operator)[
92% of security leaders say their SIEM is effective. 51% say it’s exceptional. What’s living in that gap?
April 16, 2026
](https://www.sumologic.com/blog/from-effective-to-exceptional-siem)
[AI Instructions](https://www.sumologic.com/ai-instructions.md)