This topic describes the features, benefits, limits, and configuration process of Logtail.

Logtail is a log collection agent that is provided by Log Service. You can use Logtail to collect logs from multiple data sources in real time. These sources include Alibaba Cloud Elastic Compute Service (ECS) instances, on-premises servers, and servers that are provided by other cloud service providers.

Configuration process

Logtail collection feature
  1. Logtail is installed on the server from which logs are collected. For more information, see Install Logtail in Linux or Install Logtail in Windows.

    If you install Logtail on an ECS instance that does not belong to your current Alibaba Cloud account, an on-premises server, or a server that is provided by another cloud service provider, you must configure a user identifier for the server. For more information, see Configure an account ID for a server.

  2. Create a machine group.

    You can set an IP address-based identifier or a custom identifier for a machine group. For more information, see Create an IP address-based machine group or Create a custom ID-based machine group.

  3. Create Logtail configurations and apply the configurations to the machine group.

    You can create Logtail configurations in the Log Service console. For more information, see Overview.

After you complete the preceding procedure, Logtail collects logs from your server and sends the logs to the specified Logstore. You can query logs in the Log Service console, or by using an API or SDK.

Benefits

  • Performs file-level log collection and does not intrude on log data. You do not need to modify your application code. In addition, when Logtail collects logs, your applications are not affected.
  • Allows you to collect text logs, binary logs, HTTP data, and container logs.
  • Allows you to collect logs from standard containers, swarm clusters, and Kubernetes clusters.
    • For more information about how to collect logs from swarm clusters, see Enable Log Service.
    • For more information about how to collect logs from Alibaba Cloud Container Service for Kubernetes, see Overview.
    • For more information about how to collect logs from user-created Kubernetes clusters, see Overview.
    • For more information about how to collect logs from user-created Docker clusters, see Collect logs from standard Docker containers.
  • Handles exceptions during log collection. If a network or server exception occurs, Logtail retries log collection and locally caches logs to ensure data security.
  • Provides centralized management based on Log Service. After you install Logtail on servers and create a machine group and Logtail configurations, Logtail collects logs from the servers and sends the logs to Log Service.
  • Provides a comprehensive self-protection mechanism. The CPU, memory, and network resources that Logtail can use are limited. This ensures that Logtail does not affect the performance of other services on the server.

Limits

For more information about the limits of Logtail, see Logtail limits.

Terms

  • Machine group: A machine group contains one or more servers from which logs of a specific type are collected. After you apply Logtail configurations to a machine group, Log Service collects logs from the servers in the machine group based on the configurations.

    You can set an IP address-based identifier or a custom identifier for a machine group. Then you can manage the servers in the machine group based on the identifier. You can create and delete a machine group, add servers to a machine group, and remove servers from a machine group in the Log Service console.

  • Logtail: Logtail is a log collection agent that is provided by Log Service. Logtail runs on servers to collect logs from the servers. For more information, see Install Logtail in Linux or Install Logtail in Windows.
    • In a Linux-based server, Logtail is installed in the /usr/local/ilogtail directory. Logtail initiates two separate processes whose names start with ilogtail. One is a log collection process and the other is a daemon process. The logs of Logtail are stored in the /usr/local/ilogtail/ilogtail.LOG directory.
    • In a Windows-based server, Logtail is installed in the C:\Program Files\Alibaba\Logtail directory (32-bit system) or C:\Program Files (x86)\Alibaba\Logtail directory (64-bit system). Choose Control Panel > Administrative Tools > Services. On the Services window, you can view the LogtailDaemon service. The logs of Logtail are stored in the ilogtail.LOG file.
  • Logtail configurations for log collection: Logtail configurations for log collection are a set of policies that Logtail uses to collect logs. You can specify the data source and collection mode to create custom Logtail configurations for log collection. The configurations define how to collect logs from servers, parse the logs, and send the logs to a specified Logstore.

Features

Feature Description
Real-time log collection Logtail dynamically monitors log files, and reads and parses incremental logs in real time. In most cases, the delay between the time when logs are generated and when the logs are sent to Log Service is within 3 seconds. For more information, see Logtail collection principles.
Note Logtail does not collect historical data. If a log entry is generated more than 12 hours before it is read, Logtail does not collect the log entry.
Automatic log rotation Multiple applications rotate log files based on the file size or date. In the rotation process, the original log file is renamed and an empty log file is created. For example, during log rotation, the app.LOG file is renamed to app.LOG.1 and app.LOG.2. You can specify the file to which collected logs are written, for example, app.LOG. Logtail monitors the log rotation process to ensure that no logs are lost.
Multiple data sources In addition to text logs, Logtail can collect syslog logs, HTTP logs, and MySQL binary logs. For more information, see Log collection methods.
Compatibility with open-source collection agents You can use open-source agents such as Logstash and Beats to collect data. Then you can use Logtail to collect data from the agents and send the data to Log Service. For more information, see Log collection methods.
Automatic handling of collection exceptions If data fails to be sent to Log Service due to exceptions such as server errors, network errors, or quota exhaustion, Logtail retries log collection based on the specific scenario. If the retry fails, Logtail writes the data to the local cache and resends the data 3 seconds later. For more information, see How do I use the Logtail automatic diagnostic tool?.
Flexible configurations Logtail allows you to create configurations for log collection in a flexible way. You can specify the directories and files from which logs are collected, and specify exact match or wildcard matching based on your business requirements. You can also specify the log collection mode and customize the fields to be extracted. You can use a regular expression to extract fields from logs.

Log data in Log Service must have the timestamp information. Logtail allows you to customize log time formats and then extract the required timestamps from the time information of different formats.

Automatic synchronization of Logtail configurations After you create or update Logtail configurations for log collection in the Log Service console, the configurations are synchronized to the servers where Logtail is installed and take effect within 3 minutes. During the synchronization, logs are collected based on the original configurations.
Status monitoring Logtail monitors the CPU and memory resources it consumes in real time. This ensures that Logtail does not consume excessive resources or affect other services. If the resource consumption exceeds the limit, Logtail is automatically restarted. Logtail also monitors the network bandwidth resources it consumes. This ensures that Logtail does not consume excessive bandwidth. For more information, see Startup configuration file (ilogtail_config.json).
Signature and encryption Logtail retrieves the AccessKey pair of your Alibaba Cloud account and uses the pair to sign all log data that is sent to Log Service. This prevents data tampering during data transmission.
Note Logtail retrieves the AccessKey pair of your Alibaba Cloud account by using the HTTPS protocol. This ensures the security of your AccessKey pair.

Data collection reliability

During data collection, Logtail stores checkpoints to the local server on a regular basis. If an exception such as an unexpected server shutdown or a process failure occurs, Logtail restarts and then collects data from the last checkpoint. This mechanism avoids incomplete data collection. Logtail runs based on the startup parameters that are specified in the startup configuration file. If the usage of a resource exceeds the limit for more than 5 minutes, Logtail is forcibly restarted. After the restart, a small amount of duplicate data data may be collected to the specified Logstore.

Logtail uses multiple internal mechanisms to improve log collection reliability. However, logs may fail to be collected in the following scenarios:
  • Logtail is not running but logs are rotated multiple times.
  • The log rotation rate is high, for example, one rotation per second.
  • The log collection rate is lower than the log generation rate for a long period of time.