Where does the node red log go to

I have managed to install node red on an Ubuntu server and start it via systemd.

Where does the log go to and how can I set the file the log shall go to?
Specifically, I am looking for all logs on access attempts.

Assuming that you installed using the recommended method for Ubuntu, by default it goes to syslog and to the journal, accessible using journalctl, which is used by node-red-log.
To send it elsewhere I think you should be able to redirect stdout and stderr to a file in the systemd script.

Yes, I installed according to the docs.

I have found some systemd start file at /lib/systemd/system/nodered.service

To be honest, I expected it somewhere under /etc/systemd/

I will check how to reroute stdout since I am not very familiar with the syntax of systemd start files.

Thanks for the hint!

To find where the script is you can run

    sudo systemctl status nodered

The output includes where the script is.
I think you should just be able to add to the end of the ExecStart command in the script

    >> full/path/to/outfile 2>&1

After editing the file you have to run

    sudo systemctl daemon-reload

Then restart node-red using
I haven't tried redirecting the output, let us know if it works

No, that doesn't appear to work.

This is probably the right route.

To view the logs, use journalctl, see the docs for systemd for details.

By default, I believe that the journals are not persisted to disk but you can change that.

My custom startup is called nrmain so to see and follow the log, this works:

    sudo journalctl -u nrmain -f -n 500 -o cat --no-hostname

This does work to redirect to a file if journalctl does not do what you want, add to the systemd script, after the ExecStart line


To use journalctl with the standard install use -u nodered


If I am not wrong, journalctl catches entries of syslog. And with param -u nrmain you filter on one specific service.

Since NR logs to syslog already (I checked that) with service "Node-RED", I could filter syslog by this.

I think I will use syslog-ng to filter syslog and copy the lines to a separate file.

Beside this:
I have seen in syslog that successful logins are logged including the IP address of origin.
Unfortunately, unsuccessful login attempts don't contain the IP address of origin.

My idea was to use fail2ban to check the logfile for unauthorized login attempts and ban the IP address. Since the IP address is not present in the log entry, I assume this approach will fail.

I could do it with ufw, but as far as I know, allowed ip-addresses have to be set as ip-address, not as DNS-entry. Since I work with dyndns, fail2ban was the idea to use, since fail2ban uses dns-lookups and can allow access based on dns-names.

Bad luck for me! Will see what I can find out!

Assumes systemd > v240
On my Raspberry Pi I have v241.
systemctl --version

systemd 249 (249.11-0ubuntu3.10)

I confirm, this works for me!!!

Now I have the log-entries in a separate file. Will see how I can process it with fail2ban.

Thanks for help!

Might just be my setup but this is not the case on my server. Yes, the -u nrmain filters the systemd journal output to that single service. But in my case, the log does not go to syslog. I think that might be different with Dave's install script. I don't ever need to keep more than 24hrs worth of logs anyway so I've never bothered to change it. The whole of Node-RED is insanely stable anyway.

From an online question:

ForwardToSyslog= is documented in man journald.conf. It doesn't redirect logs to syslog, it copies the files there.

So if you don't have that in your Node-RED systemd startup script, the journal is not copied to syslog and not persisted to disk.

Personally, I would not do that with Node-RED itself since default installs of Node-RED are not very secure. I would use a reverse proxy to do logins and to record failures. With the added advantage that using fail2ban with a proxy (e.g. NGINX or whatever) is probably a standard config anyway.

If you use a proxy on the same device as Node-RED, you can ensure that there is NO access to Node-RED itself from outside the device. If the proxy is on a different device, you can limit Node-RED to only local and that 1 server. Either way, it is already more secure. Of course, you need HTTPS as well but that can be also delivered by the proxy.

It must be a bit more subtle than that, as the standard nodered.service does not have that line. It seems that on Ubuntu 22.04 that is the default systemwide setting, at least according to /etc/systemd/journald.conf which says that ForwardToSyslog default is yes.

I agree that @khfischbach would be better to do what he is trying to achieve by using a reverse proxy.

OK, I use Debian so probably different.

fail2ban would be sufficient if Node-RED logged the IP address of an unsuccessful login attempt. But it does not. I already have placed a feature request which was answered that this is already in the backlog.

In the meantime I would need to implement a proxy like nginx, which will log the ip-address of login attempts (I already have such implementations on a local server). Then I can catch this with fail2ban to block it.

I wanted to go the easy way - but - I will start implementing it.

what is the root for the nginx setup?

root /var/www/html; ???

If you want to log unsuccessful logins, won't that be a matter of adding a console.log somewhere in the settings.js:

    const when = require("when"); // promise library this snippet relies on

    settings.adminAuth = {
      type: "credentials",
      // Look up a user by name; resolve null for unknown users.
      users: function(username) {
        if (process.env.NODE_RED_USERNAME == username) {
          return when.resolve({username:username,permissions:"*"});
        } else {
          /*** console.log ... ***/
          return when.resolve(null);
        }
      },
      // Check the submitted credentials against the environment variables.
      authenticate: function(username, password) {
        if (process.env.NODE_RED_USERNAME == username &&
            process.env.NODE_RED_PASSWORD == password) {
          return when.resolve({username:username,permissions:"*"});
        } else {
          /*** console.log unsuccessful login attempt -- hm, how to get at the ip? ***/
          return when.resolve(null);
        }
      }
    };

Sorry if this isn't relevant for your setup, it would be for mine!

Thanks for that example. I will keep it in mind.

Anyhow, Node-RED already logs the unsuccessful login attempts. But the IP address where it comes from is missing.
And if I understand your example right, it wouldn't bring the IP address either - not sure - as I am not the very best programmer.

Stick with using NGINX, plenty of examples for configuration of logins on the Internet.
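
The nginx-plus-fail2ban approach recommended in this thread, as an added example (not code from any poster or from Node-RED): it replays a fail2ban-style failregex with a maxretry/findtime window over constructed nginx access-log lines. The `/auth/token` path, the 401/403 status codes and the sample addresses are assumptions, and `HOST` is a simplified stand-in for fail2ban's `<HOST>` tag.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban-style failregex for nginx's "combined" access log. Anchored at ^ so the
# address is only ever taken from nginx's $remote_addr field at the start of the line.
# Assumption: a rejected editor login is a POST to /auth/token answered 401 or 403.
FAILREGEX = r'^<HOST> \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /auth/token HTTP/[\d.]+" (?:401|403) '
HOST = r'(?P<host>[0-9A-Fa-f:.]+)'  # simplified stand-in for fail2ban's <HOST>

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /auth/token HTTP/1.1" 403 52 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /auth/token HTTP/1.1" 403 52 "-" "curl/8.0"',
    '198.51.100.20 - - [12/Mar/2024:10:00:09 +0000] "POST /auth/token HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:00:12 +0000] "POST /auth/token HTTP/1.1" 403 52 "-" "curl/8.0"',
    '198.51.100.20 - - [12/Mar/2024:10:01:00 +0000] "POST /auth/token HTTP/1.1" 403 52 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2024:10:20:00 +0000] "POST /auth/token HTTP/1.1" 403 52 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2024:10:40:00 +0000] "POST /auth/token HTTP/1.1" 403 52 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2024:10:41:00 +0000] "GET /auth/login HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Return addresses with at least maxretry failed logins inside findtime.

    Lines are expected in chronological order, as in an access log.
    """
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST))
    recent = defaultdict(deque)   # address -> timestamps of recent failures
    banned = set()
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue              # successful login or unrelated request
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["host"]]
        hits.append(when)
        while when - hits[0] > findtime:
            hits.popleft()        # forget failures older than the window
        if len(hits) >= maxretry:
            banned.add(m["host"])
    return banned

if __name__ == "__main__":
    print(sorted(offenders(SAMPLE)))
```

On a real host, fail2ban's own `fail2ban-regex` tool performs the equivalent check of a filter against the actual log file.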