ActiveMQ Log Analysis & Diagnostics: The Expert Guide

meshIQ July 14, 2026

Senior engineers who are fast at diagnosing ActiveMQ incidents share one trait: they know exactly what they are looking for in the broker log before they open it. They know the PFC signature, the OOM warning pattern, the journal recovery sequence, and the connection drop format. For them, the log is not text to search through, it is a structured operational record that maps each entry to a specific broker state.

This guide builds that map. We cover ActiveMQ log analysis and diagnostics end-to-end: the log anatomy (how to read any log entry), the 10 critical log signatures for the most common operational events, production log4j2 configuration for Apache ActiveMQ® and Apache Artemis™, audit logging for compliance environments, GC log correlation, and log aggregation integration.

The ActiveMQ Log Format: Anatomy of a Log Entry

Apache ActiveMQ® Log Format

Apache ActiveMQ® produces pipe-separated log entries:

FieldExampleWhat It Tells You
Timestamp2026-04-04 02:13:47,215Correlate with application events, GC pauses
LevelWARNSeverity: TRACE < DEBUG < INFO < WARN < ERROR < FATAL
MessageStopping producer…The event description — the primary diagnostic content
Logger classorg.apache.activemq.broker.region.BaseDestinationWhich broker component generated the entry
Thread nameActiveMQ BrokerThe broker thread — identifies context (IO thread, checkpoint worker, etc.)

Apache Artemis™ Log Format

Artemis uses space-separated fields and AMQ message codes:

The AMQ message codes (AMQ2XXXXX) are numeric identifiers for specific broker events that can be used as search terms in aggregation systems regardless of message text changes across versions.

Log Files Location Reference

ProductPrimary LogAudit LogConfig File
Apache ActiveMQ® 5.17.0+data/activemq.logdata/audit.logconf/log4j2.properties
Apache ActiveMQ® 5.16.xdata/activemq.logdata/audit.logconf/log4j.properties (reload4j)
Apache Artemis™log/artemis.loglog/audit.logetc/log4j2.properties

Production Log4j2 Configuration

The default log4j2 configuration that ships with ActiveMQ is serviceable for development but needs adjustment for production: rolling file size management, appropriate retention, and structured output for log aggregation.

Apache ActiveMQ®: conf/log4j2.properties

Apache Artemis™: etc/log4j2.properties

Hot-reload: the monitorInterval=30 setting causes Log4j2 to re-read the configuration file every 30 seconds. To raise a logger to DEBUG for a targeted troubleshooting session, edit the *.level line, save the file, and wait 30 seconds; no broker restart is required. This is the correct procedure for production troubleshooting with minimal disruption.

10 Critical Log Signatures: The Diagnostic Reference

These are the log entries that matter most for operational diagnosis. Recognizing them immediately without searching through documentation is what separates fast incident response from slow.

Signature 1: Producer Flow Control (PFC) Activated

What it means: A resource limit (store/temp/memory) has been reached. The producer is blocked. The blocking for time tells you how long this has been active. If this is >5 minutes, it is an active incident.

Action: Read the resource type from Usage(default:TYPE:…). Match to the PFC decision matrix in our Producer Flow Control Troubleshooting guide. If blocking for is growing, the resource is not clearing.

Signature 2: Broker Startup Complete

What it means: Normal startup complete. Note the broker ID (ID:app-server-1-…). This changes on each restart and is used in PFC log entries to identify which producer is blocked. Confirm all expected connectors appear in the log, a missing Connector mqtt started line means the MQTT transport failed to bind its port.

Signature 3: KahaDB Journal Recovery on Startup

What it means: Normal behavior after an unclean shutdown (power loss, OOM kill, SIGKILL). The broker is replaying journal records to rebuild the in-memory state. The time shown is the RTO for this startup event. If this takes longer than expected for your data volume, investigate the KahaDB index cache size (indexCacheSize) and consider whether journal files have grown unexpectedly.

Concerning variant:

This means some journal records were skipped due to corruption. See our Backup and Disaster Recovery post for the recovery procedure.

Signature 4: OutOfMemoryError – Heap Space

What it means: The JVM heap is exhausted. If the broker configured -XX:+HeapDumpOnOutOfMemoryError, a heap dump file will have been written to the configured path. The broker will likely crash or become unresponsive.

Before the crash look for this warning sequence that often precedes the OOM:

This WARN is the early-warning signal. Configure a log-based alert on this pattern, and you can act before the OOM occurs. We covered the three OOM types and their fixes in our JVM Memory & GC Tuning guide.

Signature 5: Transport Connection Drop / Client Disconnect

What it means: A client connection dropped unexpectedly (not a clean close()). This is normal for transient network events. 

Concerning pattern: the same client IP appearing repeatedly in rapid succession indicates a client that is crashing and reconnecting in a loop, or a network path with instability.

Distinct from clean disconnect:

A clean connector stop is an INFO, not WARN. A transport failure is always WARN or ERROR.

Signature 6: Inactive Connection Cleanup

What it means: A TCP connection has been idle for 10 minutes (600,000ms is the default inactivity timeout) and has been cleaned up by the broker. This is normal behavior, the broker automatically removes dead connections to reclaim resources. Seeing this frequently for the same client IP indicates a client that is not keeping its connection alive and may need to configure connection factory heartbeats.

Signature 7: KahaDB Corruption Detected

What it means: The KahaDB journal contains corrupt records. The broker may or may not start depending on configuration. The sequence of INFO | Corrupt journal records found followed by ERROR | Failed to start means checkForCorruptJournalFiles=true is working as intended, it detected and stopped rather than silently discarding data.

Signature 8: GC Overhead Limit / OOM GC Overhead

What it means: The JVM is spending >98% of time on garbage collection but recovering <2% of heap. The heap is permanently saturated. This is distinct from Java heap space OOM, the GC overhead limit indicates the heap is full AND the GC cannot reclaim it, typically because everything in the heap is live (slow consumer message accumulation, memory leak). This is the type that benefits most from enabling checkForCorruptJournalFiles=true + PFC configuration rather than simply increasing the heap.

Signature 9: Network of Brokers / Bridge Connection Loss

What it means: A network connector to a remote broker has failed. The NoB bridge is down. Depending on your topology, this may affect message routing across brokers. The WARN will repeat at the reconnect interval, frequent repetition is expected while the remote broker is unavailable.

Signature 10: Apache Artemis™ Critical Analyzer: Thread Unresponsive

What it means: Apache Artemis™’s built-in Critical Analyzer has detected that a broker component has stopped responding. The broker will generate a thread dump (AMQ222199) and then either kill the JVM (KILL policy) or shut down (SHUTDOWN policy) depending on critical-analyzer-policy in broker.xml. This is a self-protection mechanism against deadlocks and I/O freezes. The thread dump in the log is the primary diagnostic artifact, look for threads in BLOCKED state holding locks needed by other threads.

Critical Log Signatures Reference Table

SignatureLevelKey StringMeaningUrgency
PFC ActivatedINFOStopping producerResource limit hitHigh if blocking for > 5min
Broker StartedINFOApache ActiveMQ … startedNormal startupInformational
Journal RecoveryINFORecovering from the journalNormal post-crashWatch recovery time
OOM — Heap SpaceERROROutOfMemoryError: Java heap spaceHeap exhaustedCritical
Connection DropWARNTransport Connection to: … failedClient disconnectedMedium (high if repeated)
Inactive CleanupINFOInactive for longer than 600000 msNormal cleanupInformational
KahaDB CorruptionINFO+ERRORCorrupt journal records foundJournal corruptedCritical
OOM — GC OverheadERRORGC overhead limit exceededHeap permanently fullCritical
NoB Bridge DownWARNFailed to create network connectionCross-broker path lostHigh
Critical AnalyzerWARN+ERRORAMQ224081 / AMQ224079Apache Artemis™ component frozenCritical

Audit Logging: Compliance and Security Investigation

Audit logging records management operations – queue creation/deletion, purges, authentication events, and message operations to a separate audit.log file. It is disabled by default and must be explicitly enabled.

Apache ActiveMQ® Audit Logging

Enable via system property in bin/env:

Each entry captures: username (or “anonymous”), the operation (HTTP endpoint or JMX method name), parameters, and the client IP. This provides a complete management audit trail for compliance purposes.

Apache Artemis™ Audit Logging

Enable in etc/log4j2.properties by changing logger levels from OFF to INFO:

# Enable audit logging for all three audit loggers
logger.audit_base.level = INFO     # JMX operations: queue create/delete/purge
logger.audit_resource.level = INFO # Auth: login success/failure, queue changes via console
logger.audit_message.level = INFO  # Message ops: produce, consume, browse

Apache Artemis™ audit log entries:

2026-04-04 14:30:00,841 INFO  [org.apache.activemq.audit.resource]
      User admin@192.168.1.10 is creating a queue on target: orders.main
      notification: CREATE_QUEUE

2026-04-04 14:31:15,223 INFO  [org.apache.activemq.audit.message]
     User svc-consumer@10.0.1.25 is consuming a message from orders.main
     with messageID=…

We covered the security implications of audit logging, including which audit events are relevant for HIPAA, PCI-DSS, and SOC 2 compliance requirements in our Security Hardening Guide post. The key point: enabling audit.message on high-throughput queues generates extremely high log volume. For compliance, selectively enable it only on the queues and addresses that contain regulated data.

Are Your ActiveMQ Logs Telling You Everything They Should?

Most ActiveMQ deployments run with a default logging configuration – rolling files too small, no audit log, no GC log correlation, no aggregation. meshIQ’s team reviews logging and observability configurations and can identify gaps that are leaving critical operational signals uncaptured.

Request a Logging Review

GC Log Correlation: Connecting JVM Events to Broker Behavior

The broker log and the GC log are two independent observability streams that must be analyzed together to diagnose latency incidents. A message delivery gap in the broker log may be caused by either a broker-level resource event (PFC, slow consumer) or a JVM-level GC stop-the-world pause. Without GC log correlation, these two root causes are indistinguishable from the broker log alone.

Scenario: a consumer application reports 500ms message delivery gaps at irregular intervals. The broker log shows no PFC events during those times. The GC log shows:

2026-04-04 02:13:47.110 [5.892s][info][gc] GC(12) Pause Full (G1 Compaction Pause)
2026-04-04 02:13:47.621 [5.892s][info][gc] GC(12) Pause Full (G1 Compaction Pause) 511ms

511ms at exactly the timestamp of the consumer-reported gap. The root cause was a G1GC full GC event, not a broker resource issue. The fix is GC tuning, not broker configuration.

How to correlate:

# Find all GC pause events in GC log with duration > 100ms
grep “Pause Full” /opt/activemq/data/gc.log | awk -F’ms’ ‘$1>100’

# Find all PFC events in broker log
grep “Stopping producer” /opt/activemq/data/activemq.log

# Cross-correlate timestamps (within 1-second window)
# If PFC events and GC events share timestamps → GC caused the resource pressure
# If only GC events match → GC pause is the root cause

The -Xlog:gc*:file=… configuration recommended there produces GC logs whose timestamp format is compatible with the broker log for direct correlation.

Log Aggregation: From Reactive Forensics to Proactive Alerting

Searching log files on individual broker hosts is sufficient for forensics but insufficient for proactive operations. Log aggregation, shipping ActiveMQ logs to a centralized platform (ELK Stack, Loki/Grafana, Splunk, Sumo Logic), transforms logs from reactive incident artifacts into real-time alert sources.

Key Log-Based Alert Patterns

Configuring Structured Logging for Aggregation

For log aggregation tools, JSON-structured output significantly improves parsing and query performance over the default pipe-separated format. Log4j2 provides a JsonLayout that produces machine-parseable output:

This output is directly parseable by Filebeat, Logstash, Fluentd, and Promtail (for Loki) without custom pattern configuration. We covered the full Prometheus + Grafana monitoring stack integration, including metric-based alerting that complements log-based alerting in our Monitoring & Alerting Setup post.

Targeted DEBUG Logging: The Right Way to Deep-Dive

When a specific component is behaving unexpectedly, and INFO logs don’t show enough detail, enabling DEBUG for that logger namespace gives deep visibility without drowning the entire log in noise.

With monitorInterval=30 in the production config, these logger-level additions take effect within 30 seconds of saving the file. Revert the level to INFO as soon as the troubleshooting session is complete.

The DEBUG volume warning: DEBUG logging on org.apache.activemq.transport on a high-connection broker (hundreds of clients) will generate multiple log entries per message per connection. On a broker handling 10,000 messages/second, DEBUG at the transport level can produce gigabytes of logs per hour. Always scope DEBUG logging to the narrowest namespace that will reveal the issue.

Log Diagnostics Workflow: The 5-Step Process

When a broker incident is reported, apply this workflow before assuming you know the root cause:

Step 1: Establish the incident timeline

# What changed in the last 30 minutes before the incident was reported?

grep “2026-04-04 0[1-2]:” /opt/activemq/data/activemq.log | tail -100

Step 2: Scan for ERROR and WARN level events in the window

grep -E “ERROR|WARN” /opt/activemq/data/activemq.log | grep “2026-04-04 02:”

Step 3: Check for PFC events

grep “Stopping producer” /opt/activemq/data/activemq.log | tail -20

# Note the ‘blocking for’ duration in the most recent entry

Step 4: Check GC log for stop-the-world pauses in the same window

grep “Pause Full\|Pause Young” /opt/activemq/data/gc.log | grep “2026-04-04 02:”

Step 5: Cross-reference timestamps If Step 3 shows PFC starting at 02:13:47, and Step 4 shows a 511ms GC pause at 02:13:47, the GC pause likely triggered the memory pressure that caused PFC. Fix the GC issue first.

Unified Log + Metric Visibility for Your ActiveMQ Fleet

meshIQ Console correlates broker metrics and log events in a single dashboard, surfacing PFC events, OOM warnings, connection drop rates, and KahaDB recovery sequences alongside queue depth, consumer count, and memory utilization charts. No more switching between log files and metric dashboards during an incident.

See It in Action

The Log Is the Source of Truth

Every significant ActiveMQ operational event has a log signature. The broker log is not noise, it is a structured record of everything the broker has done and everything it encountered. Knowing the 10 critical signatures, having a production log4j2 configuration that captures rolling history, enabling audit logging for compliance, correlating GC logs with broker events, and shipping logs to an aggregation platform where alerts fire on PFC and OOM patterns – these together give you an operational posture where incidents are discovered from logs before users report them.

Get your ActiveMQ log and observability configuration reviewed by our team → Request a Review

Frequently Asked Questions

Q1: Where are ActiveMQ log files located? 

Apache ActiveMQ®: data/activemq.log (broker log) and data/audit.log (if enabled), configured in conf/log4j2.properties (5.17.0+). Apache Artemis™: log/artemis.log and log/audit.log, configured in etc/log4j2.properties.

Q2: How do I enable DEBUG logging in ActiveMQ? 

Edit log4j2.properties and add/change the logger level for the target namespace. With monitorInterval=30, the change takes effect within 30 seconds without a restart. Revert to INFO after troubleshooting, DEBUG at transport or store level on a high-throughput broker produces enormous log volume.

Q3: What does ‘Stopping producer to prevent flooding’ mean in ActiveMQ logs? 

Producer Flow Control (PFC) has been activated, a resource limit was reached. The log identifies the resource type (store/temp/memory), the destination, the producer ID, and the block duration. See our Producer Flow Control Troubleshooting guide for the complete diagnosis procedure.

Q4: How do I enable audit logging in ActiveMQ? 

Apache ActiveMQ®: set -Dorg.apache.activemq.audit=all in ACTIVEMQ_OPTS. Apache Artemis™: change the audit logger levels in etc/log4j2.properties from OFF to INFO. Three independent Artemis audit loggers cover JMX operations, authentication events, and message operations.

Q5: What log level should I use in production ActiveMQ? 

INFO is the correct production level. It captures all meaningful operational events without the volume of DEBUG. Configure rolling files with at least 500MB of retention (10 × 50MB files) to preserve enough history for post-incident forensics.

Cookies preferences

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Necessary

Necessary
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Advertisement

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Performance

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.