diff --git a/docs/static/troubleshoot/ts-kafka.asciidoc b/docs/static/troubleshoot/ts-kafka.asciidoc index e5b4fa3d389..e8c2007be1d 100644 --- a/docs/static/troubleshoot/ts-kafka.asciidoc +++ b/docs/static/troubleshoot/ts-kafka.asciidoc @@ -163,4 +163,29 @@ https://github.com/logstash-plugins/logstash-input-kafka/issues/210 * If (and only if) upgrading is not possible, set `consumer_threads` to `1`. +[discrete] +[[ts-kafka-kerberos-debug]] +===== Setting up debugging for Kerberos SASL + +You can set up your machine to help you troubleshoot authentication failures in the Kafka client. + +* In `config/jvm.options`, add: ++ +[source,txt] +----- +-Dsun.security.krb5.debug=true +----- + +* In `config/log4j2.properties`, add: ++ +[source,txt] +----- +logger.kafkainput.name = logstash.inputs.kafka +logger.kafkainput.level = debug +logger.kafkaoutput.name = logstash.outputs.kafka +logger.kafkaoutput.level = debug +logger.kafka.name = org.apache.kafka +logger.kafka.level = debug +----- +NOTE: Logging entries for Kerberos are NOT sent through Log4j but go directly to the console.
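Review bot: The closing `NOTE:` is placed after the `config/log4j2.properties` block, but it describes the output produced by `-Dsun.security.krb5.debug=true` from the `config/jvm.options` step, so a reader can take it to mean that the `logger.kafka*` debug entries also skip Log4j. Consider moving the note under the first bullet (attached with a `+` continuation) or naming the flag in the note itself, and put a blank line between the closing `-----` and `NOTE:` so the admonition is not run into the listing block. The section also never tells the reader to undo these settings. Because the note says the Kerberos entries go straight to the console rather than through Log4j, they are not governed by the logger levels configured in the second step, and `logger.kafka.name = org.apache.kafka` at `debug` covers the whole client. A closing sentence asking the reader to remove the JVM flag and the three loggers once the authentication failure is diagnosed would round this out.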