Container Service for Kubernetes: Enable SLS on Knative

Last Updated: May 29, 2025

You can collect container text logs from a Knative Service in DaemonSet mode. In DaemonSet mode, each node runs a logging agent to improve O&M efficiency. Container Service for Kubernetes (ACK) clusters are compatible with Simple Log Service (SLS) and support non-intrusive log collection. You can install a log collection component, which deploys a log collector pod on each node. This way, the component can collect logs from all containers on each node. You can analyze and manage containers based on the collected logs.

Prerequisites

Step 1: Install a log collection component

Install LoongCollector

Note

Currently, LoongCollector is in canary release. Before you install LoongCollector, check the supported regions.

LoongCollector-based data collection: LoongCollector is a new-generation log collection agent that is provided by Simple Log Service. LoongCollector is an upgraded version of Logtail. LoongCollector is expected to integrate the capabilities of specific collection agents of Application Real-Time Monitoring Service (ARMS), such as Managed Service for Prometheus-based data collection and Extended Berkeley Packet Filter (eBPF) technology-based non-intrusive data collection.

Install the loongcollector component in an existing ACK cluster

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the cluster that you want to manage. In the left-side navigation pane, choose Operations > Add-ons.

  3. On the Logs and Monitoring tab of the Add-ons page, find the loongcollector component and click Install.

    Note

    You cannot install the loongcollector component and the logtail-ds component at the same time. If the logtail-ds component is installed in your cluster, you cannot directly upgrade the logtail-ds component to the loongcollector component. An upgrade solution will be available soon.

After the LoongCollector components are installed, Simple Log Service automatically generates a project named k8s-log-${your_k8s_cluster_id} and resources in the project. You can log on to the Simple Log Service console to view the resources. The following table describes the resources.

| Resource type | Resource name | Description | Example |
| --- | --- | --- | --- |
| Machine group | k8s-group-${your_k8s_cluster_id} | The machine group of loongcollector-ds, which is used in log collection scenarios. | k8s-group-my-cluster-123 |
| Machine group | k8s-group-${your_k8s_cluster_id}-cluster | The machine group of loongcollector-cluster, which is used in metric collection scenarios. | k8s-group-my-cluster-123-cluster |
| Machine group | k8s-group-${your_k8s_cluster_id}-singleton | The machine group of a single instance, which is used to create a LoongCollector configuration for the single instance. | k8s-group-my-cluster-123-singleton |
| Logstore | config-operation-log | The Logstore is used to collect and store loongcollector-operator logs. Important: Do not delete the config-operation-log Logstore. | config-operation-log |

Install Logtail

Logtail-based data collection: Logtail is a log collection agent that is provided by Simple Log Service. You can use Logtail to collect logs from multiple data sources, such as Alibaba Cloud Elastic Compute Service (ECS) instances, servers in data centers, and servers from third-party cloud service providers. Logtail supports non-intrusive log collection based on log files. You do not need to modify your application code, and log collection does not affect the operation of your applications.

Install Logtail components in an existing ACK cluster

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.

  3. On the Logs and Monitoring tab of the Add-ons page, find the logtail-ds component and click Install.

Install Logtail components when you create an ACK cluster

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click Create Kubernetes Cluster. In the Component Configurations step of the wizard, select Enable Log Service.

    This topic describes only the settings related to Simple Log Service. For more information about other settings, see Create an ACK managed cluster.

    After you select Enable Log Service, the system prompts you to create a Simple Log Service project. You can use one of the following methods to create a project:

    • Select Project

      You can select an existing project to manage the collected container logs.

    • Create Project

      Simple Log Service automatically creates a project to manage the collected container logs. ClusterID indicates the unique identifier of the created Kubernetes cluster.

Important

In the Component Configurations step of the wizard, Enable is selected for the Control Plane Component Logs parameter by default. If Enable is selected, the system automatically configures collection settings and collects logs from the control plane components of a cluster, and you are charged for the collected logs based on the pay-as-you-go billing method. You can determine whether to select Enable based on your business requirements. For more information, see Collect logs of control plane components in ACK managed clusters.

After the Logtail components are installed, Simple Log Service automatically generates a project named k8s-log-<YOUR_CLUSTER_ID> and resources in the project. You can log on to the Simple Log Service console to view the resources. The following table describes the resources.

| Resource type | Resource name | Description | Example |
| --- | --- | --- | --- |
| Machine group | k8s-group-<YOUR_CLUSTER_ID> | The machine group of logtail-daemonset, which is used in log collection scenarios. | k8s-group-my-cluster-123 |
| Machine group | k8s-group-<YOUR_CLUSTER_ID>-statefulset | The machine group of logtail-statefulset, which is used in metric collection scenarios. | k8s-group-my-cluster-123-statefulset |
| Machine group | k8s-group-<YOUR_CLUSTER_ID>-singleton | The machine group of a single instance, which is used to create a Logtail configuration for the single instance. | k8s-group-my-cluster-123-singleton |
| Logstore | config-operation-log | The Logstore is used to store logs of the alibaba-log-controller component. We recommend that you do not create a Logtail configuration for the Logstore. You can delete the Logstore. After the Logstore is deleted, the system no longer collects the operational logs of the alibaba-log-controller component. You are charged for the Logstore in the same manner as you are charged for regular Logstores. For more information, see Billable items of pay-by-ingested-data. | None |

Step 2: Create a collection configuration

This section describes four methods that you can use to create a collection configuration. We recommend that you use only one method to manage a collection configuration.

| Configuration method | Configuration description | Scenario |
| --- | --- | --- |
| CRD - AliyunPipelineConfig (recommended) | You can use the AliyunPipelineConfig Custom Resource Definition (CRD), which is a Kubernetes CRD, to manage a Logtail configuration. | This method is suitable for scenarios that require complex collection and processing, and version consistency between the Logtail configuration and the Logtail container in an ACK cluster. Note: The logtail-ds component installed on an ACK cluster must be later than V1.8.10. For more information about how to update Logtail, see Update Logtail to the latest version. |
| Simple Log Service console | You can manage a Logtail configuration in the GUI based on quick deployment and configuration. | This method is suitable for scenarios in which simple settings are required to manage a Logtail configuration. If you use this method to manage a Logtail configuration, specific advanced features and custom settings cannot be used. |
| Environment variable | You can use environment variables to configure parameters used to manage a Logtail configuration in an efficient manner. | You can use environment variables only to configure simple settings. Complex processing logic is not supported. Only single-line text logs are supported. You can use environment variables to create a Logtail configuration that can meet the following requirements: (1) Collect data from multiple applications to the same Logstore. (2) Collect data from multiple applications to different projects. |
| CRD - AliyunLogConfig | You can use the AliyunLogConfig CRD, which is an old version CRD, to manage a Logtail configuration. | This method is suitable for known scenarios in which you can use the old version CRD to manage Logtail configurations. You must gradually replace the AliyunLogConfig CRD with the AliyunPipelineConfig CRD to obtain better extensibility and stability. For more information about the differences between the two CRDs, see CRDs. |

(Recommended) CRD - AliyunPipelineConfig

Create a Logtail configuration

Important

Only the Logtail components V0.5.1 or later support AliyunPipelineConfig.

To create a Logtail configuration, you only need to create a CR from the AliyunPipelineConfig CRD. After the Logtail configuration is created, it is automatically applied. If you want to modify a Logtail configuration that is created based on a CR, you must modify the CR.

  1. Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

  2. Run the following command to create a YAML file.

    In the following command, cube.yaml is a sample file name. You can specify a different file name based on your business requirements.

    vim cube.yaml

  3. Enter the following script in the YAML file and configure the parameters based on your business requirements.

    Important
    • The value of the configName parameter must be unique in the Simple Log Service project that you use to install the Logtail components.

    • You must configure a CR for each Logtail configuration. If multiple CRs are associated with the same Logtail configuration, the CRs other than the first CR do not take effect.

    • For more information about the parameters related to the AliyunPipelineConfig CRD, see (Recommended) Use AliyunPipelineConfig to manage a Logtail configuration. In this example, the Logtail configuration includes settings for text log collection. For more information, see CreateLogtailPipelineConfig.

    • Make sure that the Logstore specified by the config.flushers.Logstore parameter exists. You can configure the spec.logstore parameter to automatically create a Logstore.

    • For the values of the Endpoint and Region parameters, see Endpoints. The Region parameter indicates the region ID, such as cn-hangzhou.

    Collect single-line text logs from specific containers

    In this example, a Logtail configuration named example-k8s-file is created to collect single-line text logs from the containers whose names contain app in a cluster. The file is test.LOG, and the path is /data/logs/app_1.

    The collected logs are stored in a Logstore named k8s-file, which belongs to a project named k8s-log-test.

    apiVersion: telemetry.alibabacloud.com/v1alpha1
    # Create a CR from the ClusterAliyunPipelineConfig CRD.
    kind: ClusterAliyunPipelineConfig
    metadata:
      # Specify the name of the resource. The name must be unique in the current Kubernetes cluster. The name is the same as the name of the Logtail configuration that is created.
      name: example-k8s-file
    spec:
      # Specify the project to which logs are collected.
      project:
        name: k8s-log-test
      # Create a Logstore to store logs.
      logstores:
        - name: k8s-file
      # Configure the parameters for the Logtail configuration.
      config:
        # Configure the Logtail input plug-ins.
        inputs:
          # Use the input_file plug-in to collect text logs from containers.
          - Type: input_file
            # Specify the file path in the containers.
            FilePaths:
              - /data/logs/app_1/**/test.LOG
            # Enable the container discovery feature. 
            EnableContainerDiscovery: true
            # Add conditions to filter containers. Multiple conditions are evaluated by using a logical AND. 
            ContainerFilters:
              # Specify the namespace of the pod to which the required containers belong. Regular expression matching is supported. 
              K8sNamespaceRegex: default
              # Specify the name of the required containers. Regular expression matching is supported. 
              K8sContainerRegex: ^(.*app.*)$
        # Configure the Logtail output plug-ins.
        flushers:
          # Use the flusher_sls plug-in to send logs to a specific Logstore. 
          - Type: flusher_sls
            # Make sure that the Logstore exists.
            Logstore: k8s-file
            # Make sure that the endpoint is valid. For the Region field, enter the region ID.
            Endpoint: cn-hangzhou.log.aliyuncs.com
            Region: cn-hangzhou
            TelemetryType: logs

    Collect multi-line text logs from all containers and use regular expressions to parse the logs

    In this example, a Logtail configuration named example-k8s-file is created to collect multi-line text logs from all containers in a cluster. The file is test.LOG, and the path is /data/logs/app_1. The collected logs are parsed in JSON mode and stored in a Logstore named k8s-file, which belongs to a project named k8s-log-test.

    The sample log provided in the following example is read by the input_file plug-in in the {"content": "2024-06-19 16:35:00 INFO test log\nline-1\nline-2\nend"} format. Then, the log is parsed based on a regular expression into {"time": "2024-06-19 16:35:00", "level": "INFO", "msg": "test log\nline-1\nline-2\nend"}.

    apiVersion: telemetry.alibabacloud.com/v1alpha1
    # Create a CR from the ClusterAliyunPipelineConfig CRD.
    kind: ClusterAliyunPipelineConfig
    metadata:
      # Specify the name of the resource. The name must be unique in the current Kubernetes cluster. The name is the same as the name of the Logtail configuration that is created.
      name: example-k8s-file
    spec:
      # Specify the project to which logs are collected.
      project:
        name: k8s-log-test
      # Create a Logstore to store logs.
      logstores:
        - name: k8s-file
      # Configure the parameters for the Logtail configuration.
      config:
        # Specify the sample log. You can leave this parameter empty.
        sample: |
          2024-06-19 16:35:00 INFO test log
          line-1
          line-2
          end
        # Configure the Logtail input plug-ins.
        inputs:
          # Use the input_file plug-in to collect multi-line text logs from containers.
          - Type: input_file
            # Specify the file path in the containers.
            FilePaths:
              - /data/logs/app_1/**/test.LOG
            # Enable the container discovery feature. 
            EnableContainerDiscovery: true
            # Enable multi-line log collection.
            Multiline:
              # Specify the custom mode to match the beginning of the first line of a log based on a regular expression.
              Mode: custom
              # Specify the regular expression that is used to match the beginning of the first line of a log.
              StartPattern: \d+-\d+-\d+.*
        # Specify the Logtail processing plug-ins.
        processors:
          # Use the processor_parse_regex_native plug-in to parse logs based on the specified regular expression.
          - Type: processor_parse_regex_native
            # Specify the name of the input field.
            SourceKey: content
            # Specify the regular expression that is used for the parsing. Use capturing groups to extract fields.
            Regex: (\d+-\d+-\d+\s*\d+:\d+:\d+)\s*(\S+)\s*(.*)
            # Specify the fields that you want to extract.
            Keys: ["time", "level", "msg"]
        # Configure the Logtail output plug-ins.
        flushers:
          # Use the flusher_sls plug-in to send logs to a specific Logstore. 
          - Type: flusher_sls
            # Make sure that the Logstore exists.
            Logstore: k8s-file
            # Make sure that the endpoint is valid.
            Endpoint: cn-hangzhou.log.aliyuncs.com
            Region: cn-hangzhou
            TelemetryType: logs

  4. Run the following command to apply the Logtail configuration. After the Logtail configuration is applied, Logtail starts to collect text logs from the specified containers and send the logs to Simple Log Service.

    In the following command, cube.yaml is a sample file name. You can specify a different file name based on your business requirements.

    kubectl apply -f cube.yaml

    Important

    After logs are collected, you must create indexes. Then, you can query and analyze the logs in the Logstore. For more information, see Create indexes.
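
The multi-line example above, reproduced offline as an added Python sketch (not Alibaba Cloud's or Logtail's code): it applies the page's StartPattern, Regex and Keys to the page's sample log plus constructed lines, and shows that a continuation line beginning with a date-like token opens a new record that the parse regex then rejects. Assumptions: StartPattern must match a whole line, `.` in Regex matches newlines (`re.DOTALL` here), lines before the first start line are kept as single-line events, and `STRICT_START_PATTERN` is a hypothetical tighter pattern that is not on the page.

```python
import re

# Copied from the ClusterAliyunPipelineConfig example on this page.
START_PATTERN = r"\d+-\d+-\d+.*"                             # Multiline.StartPattern
PARSE_REGEX = r"(\d+-\d+-\d+\s*\d+:\d+:\d+)\s*(\S+)\s*(.*)"   # processor Regex
KEYS = ["time", "level", "msg"]                              # processor Keys

# Hypothetical stricter start pattern (not from the page): a line may open a
# new record only if it carries the full "date time LEVEL " prefix.
STRICT_START_PATTERN = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ .*"

# Constructed sample: the page's sample log, then a second entry whose
# continuation line happens to begin with a date-like token.
SAMPLE = """\
2024-06-19 16:35:00 INFO test log
line-1
line-2
end
2024-06-19 16:35:02 ERROR export failed
2024-06-18-orders.csv could not be opened
retrying
"""


def split_records(text, start_pattern):
    """Group physical lines into events shaped like {"content": ...}.

    A line that fully matches start_pattern opens a new record; any other
    line is appended to the record that is currently open.
    """
    start = re.compile(start_pattern)
    events, current = [], None
    for line in text.splitlines():
        if start.fullmatch(line):
            if current is not None:
                events.append({"content": "\n".join(current)})
            current = [line]
        elif current is not None:
            current.append(line)
        else:
            # Assumption: content seen before any start line is kept as-is.
            events.append({"content": line})
    if current is not None:
        events.append({"content": "\n".join(current)})
    return events


def parse_event(event, regex=PARSE_REGEX, keys=KEYS, source_key="content"):
    """Extract the capture groups into named fields, or None if no match."""
    # DOTALL lets the final (.*) swallow the continuation lines, which is what
    # the page's expected "msg" value requires.
    match = re.fullmatch(regex, event[source_key], flags=re.DOTALL)
    if match is None:
        return None
    return dict(zip(keys, match.groups()))


def run_pipeline(text, start_pattern=START_PATTERN):
    """Return (parsed_records, unparsed_events) for the given raw text."""
    parsed, unparsed = [], []
    for event in split_records(text, start_pattern):
        fields = parse_event(event)
        if fields is None:
            unparsed.append(event)
        else:
            parsed.append(fields)
    return parsed, unparsed


if __name__ == "__main__":
    for name, pattern in (("page", START_PATTERN), ("strict", STRICT_START_PATTERN)):
        parsed, unparsed = run_pipeline(SAMPLE, pattern)
        print(f"[{name}] parsed={len(parsed)} unparsed={len(unparsed)}")
        for record in parsed:
            print("   ", record)
        for event in unparsed:
            print("    UNPARSED", event)
```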

CRD - AliyunLogConfig

To create a Logtail configuration, you only need to create a CR from the AliyunLogConfig CRD. After the Logtail configuration is created, it is automatically applied. If you want to modify a Logtail configuration that is created based on a CR, you must modify the CR.

  1. Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

  2. Run the following command to create a YAML file.

    In the following command, cube.yaml is a sample file name. You can specify a different file name based on your business requirements.

    vim cube.yaml

  3. Enter the following script in the YAML file and configure the parameters based on your business requirements.

    Important
    • The value of the configName parameter must be unique in the Simple Log Service project that you use to install the Logtail components.

    • If multiple CRs are associated with the same Logtail configuration, the Logtail configuration is affected when you delete or modify one of the CRs. After a CR is deleted or modified, the status of other associated CRs becomes inconsistent with the status of the Logtail configuration in Simple Log Service.

    • For more information about CR parameters, see Use AliyunLogConfig to manage a Logtail configuration. In this example, the Logtail configuration includes settings for text log collection. For more information, see CreateConfig.

    Collect single-line text logs from specific containers

    In this example, a Logtail configuration named example-k8s-file is created to collect single-line text logs from the containers of all the pods whose names begin with app in the cluster. The file is test.LOG, and the path is /data/logs/app_1. The collected logs are stored in a Logstore named k8s-file, which belongs to a project named k8s-log-test.

    apiVersion: log.alibabacloud.com/v1alpha1
    kind: AliyunLogConfig
    metadata:
      # Specify the name of the resource. The name must be unique in the current Kubernetes cluster. 
      name: example-k8s-file
      namespace: kube-system
    spec:
      # Specify the name of the project. If you leave this parameter empty, the project named k8s-log-<your_cluster_id> is used.
      project: k8s-log-test
      # Specify the name of the Logstore. If the specified Logstore does not exist, Simple Log Service automatically creates a Logstore. 
      logstore: k8s-file
      # Configure the parameters for the Logtail configuration. 
      logtailConfig:
        # Specify the type of the data source. If you want to collect text logs, set the value to file. 
        inputType: file
        # Specify the name of the Logtail configuration. 
        configName: example-k8s-file
        inputDetail:
          # Specify the simple mode to collect text logs. 
          logType: common_reg_log
          # Specify the log file path. 
          logPath: /data/logs/app_1
          # Specify the log file name. You can use wildcard characters (* and ?) when you specify the log file name. Example: log_*.log. 
          filePattern: test.LOG
          # Set the value to true if you want to collect text logs from containers. 
          dockerFile: true
          # Specify conditions to filter containers.
          advanced:
            k8s:
              K8sPodRegex: '^(app.*)$'

  4. Run the following command to apply the Logtail configuration. After the Logtail configuration is applied, Logtail starts to collect text logs from the specified containers and send the logs to Simple Log Service.

    In the following command, cube.yaml is a sample file name. You can specify a different file name based on your business requirements.

    kubectl apply -f cube.yaml

    Important

    After logs are collected, you must create indexes. Then, you can query and analyze the logs in the Logstore. For more information, see Create indexes.

Console

  1. Log on to the Simple Log Service console.

  2. In the Quick Data Import section, click Import Data. In the Import Data dialog box, click the Kubernetes - File card.

  3. Select the required project and Logstore. Then, click Next. In this example, select the project that you use to install the Logtail components and the Logstore that you create.

  4. In the Machine Group Configurations step, perform the following operations. For more information, see Machine groups.

    1. Use one of the following settings based on your business requirements:

      • Kubernetes Clusters > ACK Daemonset

      • Kubernetes Clusters > Self-managed Cluster in DaemonSet Mode

        Important

        Subsequent settings vary based on the preceding settings.

    2. Confirm that the required machine groups are added to the Applied Server Groups section. Then, click Next. After you install Logtail components in a Container Service for Kubernetes (ACK) cluster, Simple Log Service automatically creates a machine group named k8s-group-${your_k8s_cluster_id}. You can directly use this machine group.

      Important
  5. Create a Logtail configuration and click Next. Simple Log Service starts to collect logs after the Logtail configuration is created.

    Note

    A Logtail configuration requires up to 3 minutes to take effect.

    Global Configurations

    Parameter

    Description

    Configuration Name

    Enter a name for the Logtail configuration. The name must be unique in a project, and cannot be changed later.

    Log Topic Type

    Select a method to generate log topics. For more information, see Log topics.

    • Machine Group Topic: The topics of the machine groups are used as log topics. Select this option to distinguish the logs from different machine groups.

    • File Path Extraction: Specify a custom regular expression. A part of the file path that matches the regular expression is used as the log topic. Select this option to distinguish the logs from different sources.

    • Custom: Specify a custom log topic.

    Advanced Parameters

    Optional. Configure the advanced parameters that are related to global configurations. For more information, see CreateLogtailPipelineConfig.

    Input Configurations

    Parameter

    Description

    Logtail Deployment Mode

    Select the deployment mode of Logtail. In this example, Daemonset is selected.

    File Path Type

    Select the type of the file path that you want to use to collect logs. Valid values: Path in Container and Host Path. If a hostPath volume is mounted to a container and you want to collect logs from files based on the mapped file path on the container host, set this parameter to Host Path. In other scenarios, set this parameter to Path in Container.

    File Path

    • If the required container runs on a Linux host, specify a path that starts with a forward slash (/). Example: /apsara/nuwa/**/app.Log.

    • If the required container runs on a Windows host, specify a path that starts with a drive letter. Example: C:\Program Files\Intel\**\*.Log.

    You can specify an exact directory and an exact name. You can also use wildcard characters to specify the directory and name. For more information, see Wildcard matching. When you configure this parameter, use only asterisks (*) or question marks (?) as wildcard characters.

    Simple Log Service scans all levels of the specified directory for the log files that match specified conditions. Examples:

    • If you specify /apsara/nuwa/**/*.log, Simple Log Service collects logs from the log files whose names are suffixed by .log in the /apsara/nuwa directory and the recursive subdirectories of the directory.

    • If you specify /var/logs/app_*/**/*.log, Simple Log Service collects logs from the log files that meet the following conditions: The file name is suffixed by .log. The file is stored in a subdirectory under the /var/logs directory or in a recursive subdirectory of the subdirectory. The name of the subdirectory matches the app_* pattern.

    • If you specify /var/log/nginx/**/access*, Simple Log Service collects logs from the log files whose names start with access in the /var/log/nginx directory and the recursive subdirectories of the directory.

    Maximum Directory Monitoring Depth

    Specify the maximum number of levels of subdirectories that you want to monitor. The subdirectories are in the log file directory that you specify. This parameter specifies the levels of subdirectories that can be matched for the wildcard characters ** included in the value of File Path. A value of 0 specifies that only the log file directory that you specify is monitored.

    Warning

    We recommend that you configure this parameter based on the minimum requirement. If you specify a large value, Logtail may consume more monitoring resources and cause collection latency.

    Enable Container Metadata Preview

    If you turn on Enable Container Metadata Preview, you can view the container metadata after you create the Logtail configuration, including the matched container information and full container information.

    Container Filtering

    • Logtail version

      • If the version of Logtail is earlier than 1.0.34, you can use only environment variables and container labels to filter containers.

      • If the version of Logtail is 1.0.34 or later, we recommend that you use different levels of Kubernetes information to filter containers. The information includes K8s Pod Name Regular Matching, K8s Namespace Regular Matching, K8s Container Name Regular Matching, and Kubernetes Pod Label Whitelist.

    • Filter conditions

      Important
      • Container labels are retrieved by running the docker inspect command. Container labels are different from Kubernetes labels. For more information, see Obtain labels.

      • Environment variables are the same as the environment variables that are configured to start containers. For more information, see Obtain environment variables.

      1. Kubernetes namespaces and container names can be mapped to container labels. The label for a namespace is io.kubernetes.pod.namespace. The label for a container name is io.kubernetes.container.name. We recommend that you use the two labels to filter containers. For example, the namespace of a pod is backend-prod, and the name of a container in the pod is worker-server. If you want to collect the logs of the worker-server container, you can specify io.kubernetes.pod.namespace : backend-prod or io.kubernetes.container.name : worker-server in the container label whitelist.

      2. If the two labels do not meet your business requirements, you can use the environment variable whitelist or the environment variable blacklist to filter containers.

    • K8s Pod Name Regular Matching

      Enter the pod name. The pod name specifies the containers from which text logs are collected. Regular expression matching is supported. For example, if you specify ^(nginx-log-demo.*)$, all containers in the pod whose name starts with nginx-log-demo are matched.

    • K8s Namespace Regular Matching

      Enter the namespace name. The namespace name specifies the containers from which text logs are collected. Regular expression matching is supported. For example, if you specify ^(default|nginx)$, all containers in the nginx and default namespaces are matched.

    • K8s Container Name Regular Matching

      Enter the container name. The container name specifies the containers from which text logs are collected. Regular expression matching is supported. Kubernetes container names are defined in spec.containers. For example, if you specify ^(container-test)$, all containers whose name is container-test are matched.

    • Container Label Whitelist

      Configure a container label whitelist. The whitelist specifies the containers from which text logs are collected.

      Note

      Do not specify duplicate values for the Label Name parameter. If you specify duplicate values, only one value takes effect.

      • If you specify a value for the Label Name parameter but do not specify a value for the Label Value parameter, containers whose container labels contain the specified label name are matched.

      • If you specify a value for the Label Name and Label Value parameters, containers whose container labels contain the specified Label Name:Label Value are matched.

        By default, string matching is performed for the values of the Label Value parameter. Containers are matched only if the values of the container labels are the same as the values of the Label Value parameter. If you specify a value that starts with a caret (^) and ends with a dollar sign ($) for the Label Value parameter, regular expression matching is performed. For example, if you set the Label Name parameter to app and set the Label Value parameter to ^(test1|test2)$, containers whose container labels contain app:test1 or app:test2 are matched.

      Key-value pairs are evaluated by using the OR operator. If a container has a container label that consists of one of the specified key-value pairs, the container is matched.

    • Container Label Blacklist

      Configure a container label blacklist. The blacklist specifies the containers from which text logs are not collected.

      Note

      Do not specify duplicate values for the Label Name parameter. If you specify duplicate values, only one value takes effect.

      • If you specify a value for the Label Name parameter but do not specify a value for the Label Value parameter, containers whose container labels contain the specified label name are filtered out.

      • If you specify a value for the Label Name and Label Value parameters, containers whose container labels contain the specified Label Name:Label Value are filtered out.

        By default, string matching is performed for the values of the Label Value parameter. Containers are filtered out only if the values of the container labels are the same as the values of the Label Value parameter. If you specify a value that starts with a caret (^) and ends with a dollar sign ($) for the Label Value parameter, regular expression matching is performed. For example, if you set the Label Name parameter to app and set the Label Value parameter to ^(test1|test2)$, containers whose container labels contain app:test1 or app:test2 are filtered out.

      Key-value pairs are evaluated by using the OR operator. If a container has a container label that consists of one of the specified key-value pairs, the container is filtered out.

    • Environment Variable Whitelist

      Configure an environment variable whitelist. The whitelist specifies the containers from which text logs are collected.

      • If you specify a value for the Environment Variable Name parameter but do not specify a value for the Environment Variable Value parameter, containers whose environment variables contain the specified environment variable name are matched.

      • If you specify a value for the Environment Variable Name and Environment Variable Value parameters, containers whose environment variables contain the specified Environment Variable Name:Environment Variable Value are matched.

        By default, string matching is performed for the values of the Environment Variable Value parameter. Containers are matched only if the values of the environment variables are the same as the values of the Environment Variable Value parameter. If you specify a value that starts with a caret (^) and ends with a dollar sign ($) for the Environment Variable Value parameter, regular expression matching is performed. For example, if you set the Environment Variable Name parameter to NGINX_SERVICE_PORT and set the Environment Variable Value parameter to ^(80|6379)$, containers whose port number is 80 or 6379 are matched.

      Key-value pairs are evaluated by using the OR operator. If a container has an environment variable that consists of one of the specified key-value pairs, the container is matched.

    • Environment Variable Blacklist

      Configure an environment variable blacklist. The blacklist specifies the containers from which text logs are not collected.

      • If you specify a value for the Environment Variable Name parameter but do not specify a value for the Environment Variable Value parameter, containers whose environment variables contain the specified environment variable name are filtered out.

      • If you specify a value for the Environment Variable Name and Environment Variable Value parameters, containers whose environment variables contain the specified Environment Variable Name:Environment Variable Value are filtered out.

        By default, string matching is performed for the values of the Environment Variable Value parameter. Containers are filtered out only if the values of the environment variables are the same as the values of the Environment Variable Value parameter. If you specify a value that starts with a caret (^) and ends with a dollar sign ($) for the Environment Variable Value parameter, regular expression matching is performed. For example, if you set the Environment Variable Name parameter to NGINX_SERVICE_PORT and set the Environment Variable Value parameter to ^(80|6379)$, containers whose port number is 80 or 6379 are filtered out.

      Key-value pairs are evaluated by using the OR operator. If a container has an environment variable that consists of one of the specified key-value pairs, the container is filtered out.

    • Kubernetes Pod Label Whitelist

      Configure a Kubernetes pod label whitelist. The whitelist specifies the containers from which text logs are collected.

      • If you specify a value for the Label Name parameter but do not specify a value for the Label Value parameter, containers whose pod labels contain the specified label name are matched.

      • If you specify a value for the Label Name and Label Value parameters, containers whose pod labels contain the specified Label Name:Label Value are matched.

        By default, string matching is performed for the values of the Label Value parameter. Containers are matched only if the values of the pod labels are the same as the values of the Label Value parameter. If you specify a value that starts with a caret (^) and ends with a dollar sign ($), regular expression matching is performed. For example, if you set the Label Name parameter to environment and set the Label Value parameter to ^(dev|pre)$, containers whose pod labels contain environment:dev or environment:pre are matched.

      Key-value pairs are evaluated by using the OR operator. If a container has a pod label that consists of one of the specified key-value pairs, the container is matched.

    • Kubernetes Pod Label Blacklist

      Configure a Kubernetes pod label blacklist. The blacklist specifies the containers from which text logs are not collected.

      • If you specify a value for the Label Name parameter but do not specify a value for the Label Value parameter, containers whose pod labels contain the specified label name are filtered out.

      • If you specify a value for the Label Name and Label Value parameters, containers whose pod labels contain the specified Label Name:Label Value are filtered out.

        By default, string matching is performed for the values of the Label Value parameter. Containers are filtered out only if the values of the pod labels are the same as the values of the Label Value parameter. If you specify a value that starts with a caret (^) and ends with a dollar sign ($) for the Label Value parameter, regular expression matching is performed. For example, if you set the Label Name parameter to environment and set the Label Value parameter to ^(dev|pre)$, containers whose pod labels contain environment:dev or environment:pre are filtered out.

      Key-value pairs are evaluated by using the OR operator. If a container has a pod label that consists of one of the specified key-value pairs, the container is filtered out.
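The matching rules shared by the label and environment variable lists above, as an added example that is not part of the original page or of Logtail's code. It assumes Python's re module in place of the collector's regular expression engine, and that an empty whitelist admits every container while a blacklist match always excludes one. The containers are constructed sample data.

```python
import re

def value_matches(configured, actual):
    """Compare one configured value with a container's actual value."""
    # Regular expression mode applies only when the configured value
    # starts with ^ and ends with $; anything else is compared as a string.
    if len(configured) >= 2 and configured[0] == "^" and configured[-1] == "$":
        # Assumption: Python's re module stands in for the collector's regex engine.
        return re.fullmatch(configured, actual) is not None
    return configured == actual

def any_pair_matches(pairs, attrs):
    """OR across the configured pairs; an empty value means 'name is present'."""
    for name, configured in pairs.items():
        if name in attrs and (configured == "" or value_matches(configured, attrs[name])):
            return True
    return False

def is_collected(attrs, whitelist=None, blacklist=None):
    """Assumption: an empty whitelist admits every container, and a
    blacklist match always excludes the container."""
    if whitelist and not any_pair_matches(whitelist, attrs):
        return False
    return not (blacklist and any_pair_matches(blacklist, attrs))

# Constructed sample: container name -> container labels.
CONTAINERS = {
    "web-a": {"app": "test1"},
    "web-b": {"app": "test2"},
    "web-c": {"app": "test10"},
    "db": {"tier": "storage"},
}

def collected_names(whitelist=None, blacklist=None):
    """Names of the sample containers whose logs would be collected."""
    return sorted(name for name, labels in CONTAINERS.items()
                  if is_collected(labels, whitelist, blacklist))

if __name__ == "__main__":
    # Anchored value: regex mode, filters out app:test1 and app:test2 only.
    print(collected_names(blacklist={"app": "^(test1|test2)$"}))
    # Missing anchors: compared as a literal string, so nothing is filtered out.
    print(collected_names(blacklist={"app": "(test1|test2)"}))
    # Name only: every container that carries an app label is filtered out.
    print(collected_names(blacklist={"app": ""}))
```

A pattern without both anchors is compared as a literal string, so a blacklist entry written that way leaves the intended containers in the collection scope.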

    Log Tag Enrichment

    Specify log tags by using environment variables and pod labels.

    File Encoding

    Select the encoding format of log files.

    First Collection Size

    Specify the size of data that Logtail can collect from a log file the first time Logtail collects logs from the file. The default value of First Collection Size is 1024. Unit: KB.

    • If the file size is less than 1,024 KB, Logtail collects data from the beginning of the file.

    • If the file size is greater than 1,024 KB, Logtail collects the last 1,024 KB of data in the file.

    You can specify First Collection Size based on your business requirements. Valid values: 0 to 10485760. Unit: KB.

    Collection Blacklist

    If you turn on Collection Blacklist, you must configure a blacklist to specify the directories or files that you want Simple Log Service to skip when it collects logs. You can specify exact directories and file names. You can also use wildcard characters to specify directories and file names. When you configure this parameter, use only asterisks (*) or question marks (?) as wildcard characters.

    Important
    • If you use wildcard characters to configure File Path and you want to skip some directories in the specified directory, you must configure Collection Blacklist and enter a complete directory.

      For example, if you set File Path to /home/admin/app*/log/*.log and you want to skip all subdirectories in the /home/admin/app1* directory, you must select Directory Blacklist and enter /home/admin/app1*/** in the Directory Name field. If you enter /home/admin/app1*, the blacklist does not take effect.

    • When a blacklist is in use, computational overhead is generated. We recommend that you add up to 10 entries to the blacklist.

    • You cannot specify a directory path that ends with a forward slash (/). For example, if you set the path to /home/admin/dir1/, the directory blacklist does not take effect.

    The following types of blacklists are supported: File Path Blacklist, File Blacklist, and Directory Blacklist.

    File Path Blacklist

    • If you select File Path Blacklist and enter /home/admin/private*.log in the File Path Name field, all files whose names are prefixed by private and suffixed by .log in the /home/admin/ directory are skipped.

    • If you select File Path Blacklist and enter /home/admin/private*/*_inner.log in the File Path Name field, all files whose names are suffixed by _inner.log in the subdirectories whose names are prefixed by private in the /home/admin/ directory are skipped. For example, the /home/admin/private/app_inner.log file is skipped, but the /home/admin/private/app.log file is not.

    File Blacklist

    If you select File Blacklist and enter app_inner.log in the File Name field, all files whose names are app_inner.log are skipped.

    Directory Blacklist

    • If you select Directory Blacklist and enter /home/admin/dir1 in the Directory Name field, all files in the /home/admin/dir1 directory are skipped.

    • If you select Directory Blacklist and enter /home/admin/dir* in the Directory Name field, the files in all subdirectories whose names are prefixed by dir in the /home/admin/ directory are skipped.

    • If you select Directory Blacklist and enter /home/admin/*/dir in the Directory Name field, all files in the dir subdirectory in each second-level subdirectory of the /home/admin/ directory are skipped. For example, the files in the /home/admin/a/dir directory are skipped, but the files in the /home/admin/a/b/dir directory are not.

    Allow File to Be Collected for Multiple Times

    By default, you can use only one Logtail configuration to collect logs from a log file. To use multiple Logtail configurations to collect logs from a log file, turn on Allow File to Be Collected Multiple Times.

    Advanced Parameters

    You must manually configure specific parameters of a Logtail configuration. For more information, see Create a Logtail pipeline configuration.

    Processor Configurations

    Parameter

    Description

    Log Sample

    Add a sample log collected from an actual scenario. You can use the sample log to easily configure parameters related to log processing. You can add multiple sample logs. Make sure that the total length of the logs does not exceed 1,500 characters.

    [2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
        at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
        at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
        at TestPrintStackTrace.main(TestPrintStackTrace.java:16)

    Multi-line Mode

    • Specify the type of multi-line logs. A multi-line log spans multiple consecutive lines. You can configure this parameter to identify each multi-line log in a log file.

      • Custom: A multi-line log is identified based on the value of Regex to Match First Line.

      • Multi-line JSON: Each JSON object is expanded into multiple lines. Example:

        {
          "name": "John Doe",
          "age": 30,
          "address": {
            "city": "New York",
            "country": "USA"
          }
        }

    • Configure Processing Method If Splitting Fails.

      Exception in thread "main" java.lang.NullPointerException
          at com.example.MyClass.methodA(MyClass.java:12)
          at com.example.MyClass.methodB(MyClass.java:34)
          at com.example.MyClass.main(MyClass.java:50)

      For the preceding sample log, Simple Log Service can discard the log or retain each single line as a log if it fails to split it.

      • Discard: The log is discarded.

      • Retain Single Line: Each line of log text is retained as a log. A total of four logs are retained.
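A sketch of Custom multi-line splitting and the two failure-handling options, added here as an example and not taken from Logtail's implementation. It assumes the first-line regex must match a whole line and that lines seen before any first line are the ones that fail to split; FIRST_LINE is a hypothetical regex, and both samples are constructed to mirror the page's log samples.

```python
import re

def split_logs(text, first_line_regex, on_failure="discard"):
    """Split text into logs; a line that fully matches first_line_regex starts a log.

    Lines seen before any first line cannot be assigned to a log (splitting
    fails): "discard" drops them, "retain_single_line" keeps each as its own log.
    """
    if on_failure not in ("discard", "retain_single_line"):
        raise ValueError("on_failure must be 'discard' or 'retain_single_line'")
    first_line = re.compile(first_line_regex)
    logs, current = [], []
    for line in text.splitlines():
        if first_line.fullmatch(line):
            if current:
                logs.append("\n".join(current))   # close the previous log
            current = [line]
        elif current:
            current.append(line)                  # continuation of the open log
        elif on_failure == "retain_single_line":
            logs.append(line)                     # unsplittable line kept as-is
    if current:
        logs.append("\n".join(current))
    return logs

# Hypothetical first-line regex for the bracketed timestamp in the log sample.
FIRST_LINE = r"\[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}\] .*"

# Constructed sample: starts with a line that matches FIRST_LINE.
SAMPLE_OK = """[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
    at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
    at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
    at TestPrintStackTrace.main(TestPrintStackTrace.java:16)"""

# Constructed sample: no line matches FIRST_LINE, so splitting fails.
SAMPLE_FAIL = """Exception in thread "main" java.lang.NullPointerException
    at com.example.MyClass.methodA(MyClass.java:12)
    at com.example.MyClass.methodB(MyClass.java:34)
    at com.example.MyClass.main(MyClass.java:50)"""

if __name__ == "__main__":
    print(len(split_logs(SAMPLE_OK, FIRST_LINE)))                          # one log
    print(len(split_logs(SAMPLE_FAIL, FIRST_LINE)))                        # discarded
    print(len(split_logs(SAMPLE_FAIL, FIRST_LINE, "retain_single_line")))  # four logs
```

With Discard, output that never matches the first-line regex does not reach the Logstore, so check the regex against real samples before relying on the collected logs for alerting or audit.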

    Processing Method

    Add processors as needed. You can add native and extended processors for data processing.

    Important

    Refer to the console page prompts for usage restrictions on the processors.

    • Logtail V2.0

      • You can arbitrarily combine native processors for data processing.

      • You can combine native and extended processors. Extended processors must follow native processors in the sequence.

    • Logtail earlier than V2.0

      • You cannot add native and extended processors at the same time.

      • You can use native processors only to collect text logs. When you add them, note the following:

        • You must first add one of the following Logtail processors: Data Parsing (Regex Mode), Data Parsing (Delimiter Mode), Data Parsing (JSON Mode), Data Parsing (NGINX Mode), Data Parsing (Apache Mode), and Data Parsing (IIS Mode).

        • After you add the first processor, you can add a Time Parsing processor, a Data Filtering processor, and multiple Data Masking processors.

      • When you configure the Retain Original Field if Parsing Fails and Retain Original Field if Parsing Succeeds parameters, use only the following parameter combinations. Simple Log Service does not guarantee the result of other combinations.

        • Upload logs that are parsed.


        • Upload logs that are obtained after successful parsing, and raw ones if the parsing fails.


        • Upload logs obtained after parsing. Add a raw log field to the logs if the parsing succeeds, and raw logs if it fails.

          For example, if a raw log is "content": "{"request_method":"GET", "request_time":"200"}" and it's successfully parsed, the system adds a raw log field, which is specified by the New Name of Original Field parameter. If you do not configure the parameter, the original field name is used. The field value is {"request_method":"GET", "request_time":"200"}.


  6. Create indexes and preview data. Then, click Next. By default, full-text indexing is enabled in Simple Log Service. You can also configure field indexes based on collected logs in manual mode or automatic mode. To configure field indexes in automatic mode, click Automatic Index Generation. This way, Simple Log Service automatically creates field indexes. For more information, see Create indexes.

    Important

    If you want to query all fields in logs, we recommend that you use full-text indexes. If you want to query only specific fields, we recommend that you use field indexes. This helps reduce index traffic. If you want to analyze fields, you must create field indexes. You must include a SELECT statement in your query statement for analysis.

  7. Click Query Log. Then, you are redirected to the query and analysis page of your Logstore.

    You must wait approximately 1 minute for the indexes to take effect. Then, you can view the collected logs on the Raw Logs tab. For more information, see Guide to log query and analysis.

Environment variables

1. Enable SLS when you create a Knative Service

You can enable log collection based on the following YAML template when you create a Knative service.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Applications > Knative.

  3. Click the Services tab, select a namespace, and then click Create from Template. On the page that appears, select Custom in the Sample Template section. Use the following YAML file and follow the instructions on the page to create a Service.

    YAML templates comply with the Kubernetes syntax. You can use env to define log collection configurations and custom tags. You must also set the volumeMounts and volumes parameters. The following example shows how to configure Log Service in a pod:

    apiVersion: serving.knative.dev/v1
    kind: Service
    metadata:
      name: helloworld-go-log
    spec:
      template:
        spec:
          containers:
          - name: my-demo-app
            image: 'registry.cn-hangzhou.aliyuncs.com/log-service/docker-log-test:latest'
            env:
            # Specify environment variables.
            - name: aliyun_logs_log-stdout
              value: stdout
            - name: aliyun_logs_log-varlog
              value: /var/demo/*.log
            - name: aliyun_logs_mytag1_tags
              value: tag1=v1
            # Configure volume mounting.
            volumeMounts:
            - name: volumn-sls-mydemo
              mountPath: /var/demo
            # If the pod restarts repeatedly, you can add a sleep command to the startup parameters of the pod.
            command: ["sh", "-c"]  # Run commands in the shell.
            args: ["sleep 3600"]   # Set the sleep time to 1 hour (3600 seconds).
          volumes:
          - name: volumn-sls-mydemo
            emptyDir: {}

    Perform the following steps in sequence based on your business requirements:

    Note

    If you have other log collection requirements, see (Optional) 2. Use environment variables to configure advanced settings.

    1. Add log collection configurations and custom tags by using environment variables. All environment variables related to log collection must use aliyun_logs_ as the prefix.

      • Add environment variables in the following format:

        - name: aliyun_logs_log-stdout
          value: stdout
        - name: aliyun_logs_log-varlog
          value: /var/demo/*.log

        In the preceding example, two environment variables in the aliyun_logs_{key} format are added to the log collection configuration. The {key} values of the environment variables are log-stdout and log-varlog.

        • The aliyun_logs_log-stdout environment variable indicates that a Logstore named log-stdout is created to store the stdout collected from containers. The name of the collection configuration is log-stdout. This way, the stdout of containers is collected to the Logstore named log-stdout.

        • The aliyun_logs_log-varlog environment variable indicates that a Logstore named log-varlog is created to store the /var/demo/*.log files collected from containers. The name of the collection configuration is log-varlog. This way, the /var/demo/*.log files are collected to the Logstore named log-varlog.

      • Add custom tags in the following format:

        - name: aliyun_logs_mytag1_tags
          value: tag1=v1

        After a tag is added, the tag is automatically appended to the log data that is collected from the container. In the variable name, mytag1 is the tag name, which cannot contain underscores (_).

    2. If you specify a log path to collect log files other than stdout, you must set the volumeMounts parameter.

      In the preceding YAML template, the mountPath field in volumeMounts is set to /var/demo. This allows Logtail to collect log data from the /var/demo/*.log files.

  4. After you modify the YAML template, click Create to submit the configurations.

(Optional) 2. Use environment variables to configure advanced settings

Environment variable-based Logtail configuration supports various parameters. You can use environment variables to configure advanced settings to meet your log collection requirements.

Important

You cannot use environment variables to configure log collection in edge computing scenarios.

Variable: aliyun_logs_{key}

  Description:

  • Required. {key} can contain only lowercase letters, digits, and hyphens (-).

  • If the specified aliyun_logs_{key}_logstore variable does not exist, a Logstore named {key} is automatically created to store the collected logs.

  • To collect the stdout of a container, set the value to stdout. You can also set the value to a log file path in the containers.

  Example:

    - name: aliyun_logs_catalina
      value: stdout

    - name: aliyun_logs_access-log
      value: /var/log/nginx/access.log

  Usage note:

  • By default, logs are collected in simple mode. If you want to parse the collected logs, we recommend that you configure the related settings in the Simple Log Service console or by using CRDs.

  • {key} specifies the name of the Logtail configuration. The configuration name must be unique in the Kubernetes cluster.

Variable: aliyun_logs_{key}_tags

  Description: Optional. The variable is used to add tags to logs. The value must be in the {tag-key}={tag-value} format.

  Example:

    - name: aliyun_logs_catalina_tags
      value: app=catalina

  Usage note: N/A.

Variable: aliyun_logs_{key}_project

  Description: Optional. The variable specifies a Simple Log Service project. The default project is the one that is generated after Logtail is installed.

  Example:

    - name: aliyun_logs_catalina_project
      value: my-k8s-project

  Usage note: The project must be deployed in the same region as Logtail.

Variable: aliyun_logs_{key}_logstore

  Description: Optional. The variable specifies a Simple Log Service Logstore. Default value: {key}.

  Example:

    - name: aliyun_logs_catalina_logstore
      value: my-logstore

  Usage note: N/A.

Variable: aliyun_logs_{key}_shard

  Description: Optional. The variable specifies the number of shards of the Logstore. Valid values: 1 to 10. Default value: 2.

  Note

  If the Logstore that you specify already exists, this variable does not take effect.

  Example:

    - name: aliyun_logs_catalina_shard
      value: '4'

  Usage note: N/A.

Variable: aliyun_logs_{key}_ttl

  Description: Optional. The variable specifies the log retention period. Valid values: 1 to 3650.

  • If you set the value to 3650, logs are permanently stored.

  • The default retention period is 90 days.

  Note

  If the Logstore that you specify already exists, this variable does not take effect.

  Example:

    - name: aliyun_logs_catalina_ttl
      value: '3650'

  Usage note: N/A.

Variable: aliyun_logs_{key}_machinegroup

  Description: Optional. The variable specifies the machine group in which the application is deployed. The default machine group is the one in which Logtail is deployed. For more information about how to use this variable, see Collect container logs from an ACK cluster.

  Example:

    - name: aliyun_logs_catalina_machinegroup
      value: my-machine-group

  Usage note: N/A.

Variable: aliyun_logs_{key}_logstoremode

  Description: Optional. The variable specifies the type of Logstore. Default value: standard. Valid values: standard and query.

  Note

  If the Logstore that you specify already exists, this variable does not take effect.

  • standard: Standard Logstore. This type of Logstore supports the log analysis feature and is suitable for scenarios such as real-time monitoring and interactive analysis. You can use this type of Logstore to build a comprehensive observability system.

  • query: Query Logstore. This type of Logstore supports high-performance queries. The index traffic fee of a Query Logstore is approximately half that of a standard Logstore. Query Logstores do not support SQL analysis. Query Logstores are suitable for scenarios in which the amount of data is large, the log retention period is long, or log analysis is not required. If logs are stored for weeks or months, the log retention period is considered long.

  Example:

    - name: aliyun_logs_catalina_logstoremode
      value: standard

    - name: aliyun_logs_catalina_logstoremode
      value: query

  Usage note: To use this variable, make sure that the image version of the logtail-ds component is 1.3.1 or later.
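A pre-deployment check for the aliyun_logs_ variables described above, added here as an example that is not part of the original page or of any Alibaba Cloud tooling. lint_env, its error messages and SAMPLE_ENV are hypothetical; it assumes that tags may appear without a matching aliyun_logs_{key} variable (as in the page's template) and that every other option needs one.

```python
import re

PREFIX = "aliyun_logs_"
KEY_RE = re.compile(r"[a-z0-9-]+")        # lowercase letters, digits, hyphens
INT_RANGES = {"shard": (1, 10), "ttl": (1, 3650)}
TEXT_OPTIONS = {"project", "logstore", "machinegroup"}
KNOWN = {"tags", "logstoremode"} | set(INT_RANGES) | TEXT_OPTIONS

def lint_env(env):
    """Return (configs, tags, errors) for a list of {'name': ..., 'value': ...} entries."""
    configs, tags, errors, pending = {}, {}, [], []
    for item in env:
        name, value = item["name"], str(item.get("value", ""))
        if not name.startswith(PREFIX):
            continue
        # {key} cannot contain underscores, so the first underscore ends it.
        key, _, option = name[len(PREFIX):].partition("_")
        if not KEY_RE.fullmatch(key):
            errors.append(f"{name}: invalid key {key!r}")
        elif option == "":
            # Defaults from the table: Logstore {key}, 2 shards, 90 days, standard.
            configs[key] = {"source": value, "logstore": key, "shard": 2,
                            "ttl": 90, "logstoremode": "standard"}
        elif option not in KNOWN:
            errors.append(f"{name}: unknown option {option!r} after key {key!r}")
        else:
            pending.append((name, key, option, value))
    # Second pass, so an option may appear before the variable it refers to.
    for name, key, option, value in pending:
        if option == "tags":
            tag_key, sep, tag_value = value.partition("=")
            if sep and tag_key:
                tags[tag_key] = tag_value
            else:
                errors.append(f"{name}: value must be tag-key=tag-value")
        elif key not in configs:
            errors.append(f"{name}: {PREFIX}{key} is not defined")
        elif option in INT_RANGES:
            low, high = INT_RANGES[option]
            if re.fullmatch(r"[0-9]+", value) and low <= int(value) <= high:
                configs[key][option] = int(value)
            else:
                errors.append(f"{name}: value must be an integer from {low} to {high}")
        elif option == "logstoremode" and value not in ("standard", "query"):
            errors.append(f"{name}: value must be standard or query")
        else:
            configs[key][option] = value
    return configs, tags, errors

# Constructed sample: the template's three variables plus three extra entries.
SAMPLE_ENV = [
    {"name": "aliyun_logs_log-stdout", "value": "stdout"},
    {"name": "aliyun_logs_log-varlog_ttl", "value": "3650"},
    {"name": "aliyun_logs_log-varlog", "value": "/var/demo/*.log"},
    {"name": "aliyun_logs_mytag1_tags", "value": "tag1=v1"},
    {"name": "aliyun_logs_log-stdout_shard", "value": "12"},     # out of range
    {"name": "aliyun_logs_access_log", "value": "/var/log/nginx/access.log"},
]

if __name__ == "__main__":
    configs, tags, errors = lint_env(SAMPLE_ENV)
    print(configs, tags, *errors, sep="\n")
```

The last sample entry shows why {key} excludes underscores: aliyun_logs_access_log is read as key access with an option named log, not as a configuration named access_log.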

Step 3: Query and analyze logs

  1. Log on to the Simple Log Service console.

  2. In the Projects section, click the project that you want to manage to go to the details page of the project.


  3. In the left-side navigation pane, click the icon of the Logstore that you want to manage. In the drop-down list, select Search & Analysis to view the logs that are collected from your Kubernetes cluster.


Default fields in container text logs

The following table describes the fields that are included by default in each container text log.

| Field name | Description |
| --- | --- |
| __tag__:__hostname__ | The name of the container host. |
| __tag__:__path__ | The log file path in the container. |
| __tag__:_container_ip_ | The IP address of the container. |
| __tag__:_image_name_ | The name of the image that is used by the container. |
| __tag__:_pod_name_ | The name of the pod. |
| __tag__:_namespace_ | The namespace to which the pod belongs. |
| __tag__:_pod_uid_ | The unique identifier (UID) of the pod. |

References