All Products
Search

This Product

    Container Service for Kubernetes:Collect container logs (stdout/stderr or files) from Kubernetes clusters using the console

    Document Center

    Container Service for Kubernetes:Collect container logs (stdout/stderr or files) from Kubernetes clusters using the console

    Last Updated:Mar 26, 2026

    Deploy LoongCollector as a DaemonSet and configure collection rules in the Simple Log Service console to centralize container log collection—covering both stdout/stderr and file-based logs—with structured parsing, filtering, and indexing.

    Prerequisites

    Before you begin, make sure you have:

    • A Kubernetes cluster running version 1.10.0 or later with Mount propagation: HostToContainer support

    • A supported container runtime: Docker or containerd

      • Docker: access to docker.sock, JSON-type log driver, and overlay or overlay2 storage driver

      • containerd: access to containerd.sock

    • Sufficient cluster resources. LoongCollector runs with system-cluster-critical priority, which may evict existing pods if resources are tight:

      • CPU: at least 0.1 core reserved

      • Memory: at least 150 MB for the collection component and 100 MB for the controller component. Keep actual usage below 80% of the configured limit.

    • An Alibaba Cloud account or RAM user with the AliyunLogFullAccess permission

    To apply more granular permissions, copy the AliyunCSManagedLogRolePolicy system policy and assign the permissions to the target RAM user or role.

    Collection setup overview

    Step Action
    1 Install LoongCollector as a DaemonSet
    2 Create a Logstore to store logs
    3 Create and configure log collection rules (input, processing, filtering, categorization, output)
    4 Configure indexing for structured field queries
    5 Verify collection and troubleshoot if needed
    This guide covers DaemonSet mode, where one LoongCollector instance runs per node and collects from all containers on that node. For Sidecar mode, see Collect Kubernetes pod text logs (Sidecar mode).

    Step 1: Install LoongCollector

    LoongCollector is the next-generation log collection agent from Simple Log Service and replaces Logtail. Both agents cannot coexist. To install Logtail instead, see Install, run, upgrade, and uninstall Logtail.
    Note

    If the host machine time changes while LoongCollector is running, logs may be duplicated or lost.

    If LoongCollector or Logtail is already installed, skip this step and go to Step 2: Create a Logstore.

    ACK clusters

    Install LoongCollector through the Container Service for Kubernetes (ACK) console. Logs are sent to the Simple Log Service project under your current Alibaba Cloud account.

    After installation, Simple Log Service automatically creates the following resources:

    Resource type Resource name Purpose
    Project k8s-log-${cluster_id} Isolates logs from different workloads. To use a custom project, see Create a project.
    Machine group k8s-group-${cluster_id} Groups nodes for log collection.
    Logstore config-operation-log Stores logs from the loongcollector-operator component. It uses the same billing method as a standard Logstore. For details, see Billing items for the pay-by-ingested-data metering method. Do not delete this Logstore and do not create collection configurations in it.

    To install LoongCollector:

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. Click the target cluster name to open its details page.

    3. In the left navigation pane, click Add-ons.

    4. On the Logs and Monitoring tab, find loongcollector and click Install.

    Tip: When creating a new cluster, you can also select Enable Log Service under Component Configurations and choose to Create Project or Select Project.

    Self-managed Kubernetes clusters

    After installation, Simple Log Service automatically creates the following resources:

    Resource type Resource name Purpose
    Project Value of projectName in values.yaml Isolates logs from different workloads. To use a custom project, see Create a project.
    Machine group k8s-group-${cluster_id} Groups nodes for log collection.
    Logstore config-operation-log Stores logs from the loongcollector-operator component. It uses the same billing method as a standard Logstore. For details, see Billing items for the pay-by-ingested-data metering method. Do not delete this Logstore and do not create collection configurations in it.

    To install LoongCollector:

    1. Connect to your Kubernetes cluster and download the installation package for your region: Regions in the Chinese mainland:

      wget https://aliyun-observability-release-cn-shanghai.oss-cn-shanghai.aliyuncs.com/loongcollector/k8s-custom-pkg/3.0.12/loongcollector-custom-k8s-package.tgz; tar xvf loongcollector-custom-k8s-package.tgz; chmod 744 ./loongcollector-custom-k8s-package/k8s-custom-install.sh

      Regions outside China:

      wget https://aliyun-observability-release-ap-southeast-1.oss-ap-southeast-1.aliyuncs.com/loongcollector/k8s-custom-pkg/3.0.12/loongcollector-custom-k8s-package.tgz; tar xvf loongcollector-custom-k8s-package.tgz; chmod 744 ./loongcollector-custom-k8s-package/k8s-custom-install.sh

    2. Go to the loongcollector-custom-k8s-package directory and edit ./loongcollector/values.yaml with your configuration:

      # ===================== Required fields =====================
# Project name for this cluster, for example, k8s-log-custom-sd89ehdq
projectName: ""
# Region of the project, for example, cn-shanghai for Shanghai
region: ""
# Alibaba Cloud account ID of the project owner. Enclose it in quotes, for example, "123456789"
aliUid: ""
# Network type. Valid values: Internet (public network) and Intranet (private network). Default value: Internet.
net: Internet
# AccessKey ID and AccessKey secret of the Alibaba Cloud account or RAM user. The account must have the AliyunLogFullAccess system policy.
accessKeyID: ""
accessKeySecret: ""
# Custom cluster ID. Only letters, digits, and hyphens (-) are allowed.
clusterID: ""

    3. From the loongcollector-custom-k8s-package directory, run the install command:

      bash k8s-custom-install.sh install

    4. Verify the installation. All LoongCollector pods should show Running status:

      If a pod fails to start, check that values.yaml is correctly configured and that the required images were pulled successfully.
      kubectl get po -n kube-system | grep loongcollector-ds

    Step 2: Create a Logstore

    A Logstore is the storage unit in Simple Log Service for collected logs.

    1. Log on to the Simple Log Service console and click the target project name.

    2. In the left navigation pane, select image Logstores and click + to create a Logstore:

      • Logstore name: Enter a unique name within the project. The name cannot be changed after creation.

      • Logstore type: Select Standard or Query based on your needs.

      • Billing mode:

        • Pay-by-feature (cannot be changed): Charges based on individual resources (storage, indexing, read/write). Suitable for small-scale scenarios or uncertain feature usage.

        • Pay-by-ingested-data: Charges based on raw data ingested. Includes 30 days of free storage and free data transformation and delivery. Suitable for scenarios with a retention period close to 30 days or complex processing pipelines.

      • Data retention period: Set the number of days to retain logs (1–3650 days; 3650 means permanent retention). The default is 30 days.

      • Keep other settings at their defaults and click OK. For more information, see Manage Logstores.

    Step 3: Configure log collection rules

    This step defines what LoongCollector collects, how to parse and filter it, and which machine group receives the configuration.

    3.1 Select a template and bind a machine group

    1. On the image Logstore page, click the image icon before the target Logstore name to expand it.

    2. Click Import Data next to the image icon. In the Quick Data Import dialog box, select a template based on your log source and click Integrate Now:

    3. Configure Machine Group Configurations and click Next:

      • Scenario: Select Docker Containers.

      • Deployment mode: Select ACK Daemonset or Self-managed Cluster in DaemonSet Mode.

      • In Source Machine Group, add k8s-group-${cluster_id} to Applied Machine Group.

    4. On the Logtail Configuration page, complete the settings described in the following sections and click Next.

    3.2 Global and input configuration

    Collect container stdout/stderr

    Global configurations:

    • Configuration name: Enter a unique name within the project. The name cannot be modified after creation. Use only lowercase letters, digits, hyphens (-), and underscores (_), starting and ending with a lowercase letter or digit.

    Input configuration:

    • Enable Stdout and Stderr or Standard Error (both enabled by default).

    Important

    Avoid enabling both standard output and standard error simultaneously, as this may cause log entries to intermix.

    Collect container text log files

    Global configurations:

    • Configuration name: Enter a unique name within the project. The name cannot be modified after creation. Use only lowercase letters, digits, hyphens (-), and underscores (_), starting and ending with a lowercase letter or digit.

    Input configuration:

    • File path type:

      • Path in container: Collect log files from inside the container.

      • Host path: Collect service logs from the host machine.

    • File path: Absolute path to the log files.

      • Linux: starts with /, for example, /data/mylogs/**/*.log collects all .log files in /data/mylogs and its subdirectories.

      • Windows: starts with a drive letter, for example, C:\Program Files\Intel\**\*.Log.

    • Maximum directory monitoring depth: The maximum depth matched by the ` wildcard in File path**. Default is 0` (current directory only). Valid range: 0–1000.

      Set this to 0 and specify the exact directory containing your log files for best performance.

    3.3 Log processing and structuring

    Before configuring processors, add a log sample: on the Logtail Configuration page, go to Processor Configurations, click Add Sample Log, and paste a representative log entry. The system uses the sample to auto-detect the format and generate parsing rules.

    Scenario 1: Multi-line logs (Java stack traces, Python tracebacks)

    By default, each line is collected as a separate log entry. When a single log spans multiple lines—such as a Java exception stack trace—enable multi-line mode to merge them into one complete record.

    Example:

    Raw log without processing Default mode (fragmented) Multi-line mode enabled (complete)
    image image image

    Configuration: On the Logtail Configuration page, go to Processor Configurations and enable Multi-line Mode:

    • Type: Choose Custom or Multi-line JSON.

      • Custom: For logs with varying formats. Set a Regex to match first line that identifies the start of each log entry.

        Option

        How to use

        Auto-generate

        In Log Sample, select the content to match, then click Auto-generate regular expression > Generate Regex.

        Manual input

        Click Manually enter regular expression, enter your expression, then click Validate.

        Example: For the Java stack trace above, the first-line regular expression is \[\d+-\d+-\w+:\d+:\d+,\d+]\s\[\w+]\s.*.

      • Multi-line JSON: For logs in standard JSON format. Simple Log Service automatically handles line breaks within each JSON object.

    • Processing method if splitting fails:

      • Discard: Drop any text that does not match the first-line rule.

      • Retain single line: Keep unmatched text as individual single-line logs.

    Scenario 2: Structured logs (NGINX, Apache, CSV, JSON)

    Parsing plugins convert raw unstructured or semi-structured logs into key-value pairs, enabling field-level queries and analysis.

    Example (NGINX log):

    Raw log Structured output
    192.168.*.* - - [15/Apr/2025:16:40:00 +0800] "GET /nginx-logo.png HTTP/1.1" 0.000 514 200 368 "-" "Mozilla/5.0..." remote_addr: 192.168.*.*<br>request_method: GET<br>request_uri: /nginx-logo.png<br>status: 200<br>request_time: 0.000<br>body_bytes_sent: 368

    Configuration: On the Logtail Configuration page, go to Processor Configurations:

    1. Click Add Processor and select a plugin matching your log format—for example, Native Processor > Data Parsing (NGINX Mode) for NGINX logs, or Data Parsing (Regex Mode) for custom formats.

    2. For NGINX logs, paste your log_format definition from nginx.conf exactly as-is into the NGINX Log Configuration field.

      Important

      The format definition must exactly match the format used on the server. A mismatch causes parsing failures.

      log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                 '$request_time $request_length '
                 '$status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent"';

    3. Common parameters shared across parsing plugins:

      Parameter Description
      Source field The field to parse. Default is content (the entire raw log entry).
      Keep source field on parse failure Preserves the original log content when parsing fails. Enable this to prevent data loss.
      Keep source field on parse success Preserves the original log content alongside the parsed fields.

    For a full list of available processors, see Appendix: Native plugin details.

    3.4 Log filtering

    Filtering reduces storage costs, improves query speed, and limits exposure of sensitive data.

    Filter by content

    Collect only logs matching a specific field value—for example, only WARNING or ERROR level logs.

    Example:

    Raw logs Filtered output (WARNING and ERROR only)
    {"level":"WARNING",...,"message":"Disk space is running low"} {"level":"WARNING",...,"message":"Disk space is running low"}
    {"level":"ERROR",...,"message":"Failed to connect to database"} {"level":"ERROR",...,"message":"Failed to connect to database"}
    {"level":"INFO",...,"message":"User logged in successfully"} *(excluded)*

    Configuration: On the Logtail Configuration page, go to Processor Configurations. Click Add Processor and select Native Processor > Data Filtering:

    • Field name: The log field to filter on.

    • Field value: A regular expression for matching. Only full-text matching is supported—not partial keyword matching.

    Exclude paths and files with a blacklist

    A blacklist prevents specific directories or files from being collected—useful for excluding sensitive logs or irrelevant paths.

    Configuration: On the Logtail Configuration page, go to Input Configurations > Other Input Configurations. Enable Collection Blacklist and click Add.

    Wildcards support only the asterisk (*) and question mark (?).
    Blacklist type Example Effect
    File path blacklist /home/admin/private*.log Excludes all files in /home/admin/ starting with "private" and ending with ".log".
    File blacklist app_inner.log Excludes all files named app_inner.log anywhere under the monitored path.
    Directory blacklist /home/admin/dir* Excludes all files under subdirectories in /home/admin/ starting with "dir". Directory paths must not end with /.

    More directory blacklist examples:

    • /home/admin/*/dir: Excludes files in second-level subdirectories named "dir" (for example, /home/admin/a/dir is excluded, but /home/admin/a/b/dir is collected).

    Filter by container metadata

    Collect from only specific containers based on namespace, pod name, labels, or environment variables.

    Configuration: On the Logtail Configuration page, go to Input Configurations. Enable Container Filtering and click Add.

    Multiple conditions use an AND relationship. All regular expression matching uses Go's RE2 engine. See Appendix: Regular expression limits for syntax restrictions.
    Filter type Description
    Kubernetes namespace regular matching Collect from containers in matching namespaces.
    Kubernetes pod name regular matching Collect from containers in matching pods.
    Kubernetes container name regular matching Collect from containers with matching names.
    Kubernetes pod label whitelist/blacklist Include or exclude containers based on Kubernetes pod labels.
    Environment variable whitelist/blacklist Include or exclude containers based on environment variable values.
    Container label whitelist/blacklist For Docker environments only. Do not use in Kubernetes environments.

    Default behavior: When no container filtering is configured, LoongCollector collects from all containers. Add filters to restrict collection to specific containers.

    3.5 Log categorization

    When multiple applications share the same log format, it's hard to tell which application generated each log. Topics and tags attach identity metadata automatically.

    Configure a log topic

    Log topics distinguish log sources by machine group, file path, or a custom identifier.

    Configuration: Go to Global Configurations > Other Global Configurations > Log Topic Type:

    Topic type When to use Format
    Machine group topic Logs divided by host cluster LoongCollector uses the machine group name as __topic__.
    Custom Fixed business identifier customized://<topic name>, for example customized://app-login.
    File path extraction Multiple services write to paths with different prefixes but identical filenames Use a regular expression to extract key segments from the file path.

    File path extraction example:

    When multiple services write to paths like /data/logs/userA/serviceA/service.log and /data/logs/userB/serviceA/service.log, the filename alone cannot distinguish the source. Use file path extraction to capture userA or userB as the topic or tag.

    The number and naming of capturing groups determines the output format:

    Capturing groups Use case Output
    Single group: \/logs\/(.*?)\/app\.log One dimension (e.g., username) __topic__: userA
    Multiple unnamed groups: \/logs\/(.*?)\/(.*?)\/app\.log Multiple dimensions, no labels __tag__:__topic_1__: userA, __tag__:__topic_2__: svcA
    Multiple named groups: \/logs\/(?P<user>.*?)\/(?P<service>.*?)\/app\.log Multiple dimensions with field names __tag__:user: userA, __tag__:service: svcA
    In file path regular expressions, escape forward slashes (/).

    Attach log tags

    Log tags extract values from container environment variables or Kubernetes pod labels and attach them to logs for fine-grained grouping.

    Configuration: On the Logtail Configuration page, go to Input Configurations. Enable Log Tag Enrichment and click Add:

    • Environment variables: Specify an environment variable name and a tag name. The variable's value is stored under that tag name in the log.

    • Pod labels: Specify a Kubernetes pod label name and a tag name. The label's value is stored under that tag name in the log.

    3.6 Output configuration (multi-destination distribution)

    By default, all collected logs are sent to the current Logstore using lz4 compression. To route logs from the same source to multiple Logstores based on tag values, configure additional output targets.

    Important

    • Multi-destination distribution requires LoongCollector version 3.0.0 or later. Logtail does not support this feature.

    • A maximum of five output destinations can be configured.

    • After configuring multiple output destinations, this collection configuration no longer appears in the current Logstore's configuration list. To view, modify, or delete multi-destination configurations, see Manage multi-destination distribution configurations.

    Configuration: On the Logtail Configuration page, go to Output Configurations:

    1. Click image to expand output configuration.

    2. Click Add Output Targets and configure the following: An empty routing configuration sends all collected logs to that Logstore. For more information, see Manage LoongCollector collection tags.

      • Logstores: Select the target Logstore.

      • Compression method: Select lz4 or zstd.

      • Route settings: Route logs based on tag field values.

        • Tag name: Enter the field name directly (for example, __path__) without the __tag__: prefix.

          • Agent-related tags (independent of plugins): __hostname__, __user_defined_id__

          • Input plugin tags: __path__ (file collection), _pod_name_, _container_name_ (Kubernetes collection)

        • Tag value: Logs whose tag field value matches this string are sent to the target Logstore.

        • Discard this tag?: When enabled, the routing tag field is stripped from uploaded logs.

    Step 4: Configure indexing

    After configuring log processing, click Next to open the Query and Analysis Configurations page:

    • Full-text index is enabled by default, supporting keyword searches across raw log content.

    • To query by specific field, click Automatic Index Generation after Preview Data loads. Simple Log Service generates a field index based on the first entry in the preview.

    Click Next to complete the collection setup.

    Step 5: Verify collection

    After applying the collection configuration to a machine group, the system deploys the configuration automatically and begins collecting incremental logs.

    Check that logs are arriving

    1. Confirm new log entries exist: LoongCollector only collects incremental logs. Run the following command and trigger a business operation to generate new log entries:

      tail -f /path/to/your/log/file

    2. Query logs in the console: Go to the Logstore's query and analysis page and click Search & Analyze. The default time range is the last 15 minutes. To quickly verify collection, run this query to check for recent log entries:

      Field name Description
      __tag__:__hostname__ Name of the container's host.
      __tag__:__path__ Path of the log file in the container.
      __tag__:_container_ip_ IP address of the container.
      __tag__:_image_name_ Name of the container image.
      __tag__:_pod_name_ Name of the pod.
      __tag__:_namespace_ Namespace of the pod.
      __tag__:_pod_uid_ Unique identifier (UID) of the pod. 
      * | SELECT __time__, __tag__:_pod_name_, __tag__:_namespace_, content LIMIT 20

      To filter by a specific pod:

      * | SELECT * WHERE __tag__:_pod_name_ LIKE 'your-pod-name%' LIMIT 20

      Each collected container text log includes the following fields by default:

    Troubleshooting

    Machine group heartbeat failure

    1. Check user identity: If the server is not an Elastic Compute Service (ECS) instance, or the ECS instance and project belong to different Alibaba Cloud accounts, create the user identity file: If a file named with the project's Alibaba Cloud account ID exists at the path, the identity is configured correctly.

      • Linux: cd /etc/ilogtail/users/ && touch <uid>

      • Windows: Create an empty file named <uid> in C:\LogtailData\users\

    2. Check machine group identity: If you use a custom identifier-based machine group, verify that a user_defined_id file exists with the correct content:

      • Linux: echo "user-defined-1" > /etc/ilogtail/user_defined_id

      • Windows: Create user_defined_id in C:\LogtailData\ and write the custom ID to the file.

    3. For further troubleshooting, see Troubleshoot LoongCollector machine group issues.

    Log parsing errors

    This issue occurs when log content does not match the configured parsing rule.

    1. On the Logtail Configuration page, click the name of the affected configuration.

    2. On the Log Collection Error tab, click Select Time Range to set a query window.

    3. Review the alarm metric and refer to Common errors during data collection for solutions.

    No logs collected from a container

    1. Check that new log entries exist. LoongCollector does not collect a log file unless new entries are added after the configuration takes effect.

    2. Check the Logtail operational log: Find the LoongCollector pod:

      kubectl get po -n kube-system | grep logtail

      The output is similar to:

      logtail-ds-****d    1/1    Running    0    8d
logtail-ds-****8    1/1    Running    0    8d

      Open a shell in the pod:

      kubectl exec -it -n kube-system logtail-ds-****d -- bash

      View the operational logs (stored in /usr/local/ilogtail/):

      cd /usr/local/ilogtail
cat ilogtail.LOG
cat logtail_plugin.LOG

      Check for alarm metrics and refer to Common error types for data collection.

    3. Check machine group heartbeat: Go to Resource Group > Machine Groups and click the target machine group name. Under Machine Group Status, check the Heartbeat column. Then compare the heartbeat node count with the actual worker node count:

      • All nodes show failed heartbeat (self-managed cluster): Verify that regionId, aliuid, access-key-id, and access-key-secret are correctly set in values.yaml. If any are incorrect, run helm del --purge alibaba-log-controller to remove the existing installation, then reinstall LoongCollector.

      • Fewer nodes than expected show a healthy heartbeat: Check whether you deployed the DaemonSet manually using a YAML file. If so, download the latest DaemonSet template, replace the placeholder values, and apply it: ``bash kubectl apply -f ./logtail-daemonset.yaml ``

      kubectl get node | grep -v master

      Expected output:

      NAME                                 STATUS    ROLES     AGE       VERSION
cn-hangzhou.i-bp17enxc2us3624wexh2   Ready     <none>    238d      v1.10.4
cn-hangzhou.i-bp1ad2b02jtqd1shi2ut   Ready     <none>    220d      v1.10.4

    4. Check container filtering conditions: In the Simple Log Service console, review the collection configuration. Verify that IncludeLabel, ExcludeLabel, IncludeEnv, and ExcludeEnv match your collection requirements. These labels refer to Docker container labels (from docker inspect), not Kubernetes labels. To isolate whether a filter is the issue, temporarily remove all filter conditions and check whether logs appear.

    What's next

    FAQ

    Manage multi-destination distribution configurations

    Multi-destination configurations are associated with multiple Logstores, so manage them at the project level:

    1. Log on to the Simple Log Service console and click the target project.

    2. In the left navigation pane, click image Resource Group > Configurations.

    This page centralizes all collection configurations in the project, including configurations that remain after their Logstores were accidentally deleted.

    Send ACK cluster logs to a project in a different Alibaba Cloud account

    Manually install LoongCollector in the ACK cluster and configure it with the destination account's ID and AccessKey credentials. This sends logs to a Simple Log Service project under a different Alibaba Cloud account—useful for organizational separation, permission isolation, or centralized monitoring.

    Follow the self-managed cluster installation steps above, setting aliUid, accessKeyID, and accessKeySecret to the values for the destination account.

    For information about installing Logtail instead, see Logtail installation and configuration.

    Allow multiple configurations to collect the same log source

    By default, each log source can only match one collection configuration:

    • A text log file can match only one Logtail configuration.

    • A container's stdout can only be collected by one new-template configuration by default. (Legacy-template configurations support multiple collection copies without extra configuration.)

    To allow multiple configurations to collect the same source:

    1. Log on to the Simple Log Service console. Go to the target project.

    2. In the left navigation pane, select image Logstores, find the target Logstore, and click image to expand it.

    3. Click Logtail Configuration, find the target configuration, and click Manage Logtail Configuration in the Actions column.

    4. On the configuration page, click Edit and scroll to Input Configurations:

      • For text log files: enable Allow File to Be Collected for Multiple Times.

      • For container stdout: enable Allow Collection by Different Logtail Configurations.

    Dependency error when uninstalling the loongcollector (logtail-ds) component in ACK

    Problem: Uninstalling the loongcollector (logtail-ds) component fails with:

    Dependencies of addons are not met: terway-eniip depends on logtail-ds(>0.0) whose version is v3.x.x.x-aliyun or will be v3.x.x.x-aliyun

    Cause: The terway-eniip network plugin has log collection enabled and depends on loongcollector (logtail-ds). Remove the dependency before uninstalling:

    1. Log on to the ACK console.Container Service for Kubernetes consoleSimple Log Service console

    2. Click the target cluster name and go to its details page.

    3. In the left navigation pane, click Add-ons.

    4. Find terway-eniip and click Disable Logging.

    5. Click OK in the dialog box.

    6. After the change takes effect, uninstall the loongcollector (logtail-ds) component.

    Why is the last log segment delayed or truncated?

    Log truncation occurs when a log file lacks a trailing newline or a multi-line log is not fully written before collection.

    Behavior by version:

    • Versions earlier than 1.8: LoongCollector waits for the next write to trigger output, which may delay the last log entry indefinitely.

    • Versions 1.8 and later: A timeout mechanism automatically submits incomplete content after 60 seconds (default). Adjust this value if needed, but do not set it to 0—doing so causes truncation.

    To extend the flush timeout:

    1. Log on to the Simple Log Service console. Go to the target project and Logstore.

    2. Find the target Logtail configuration and click Manage Logtail Configuration.

    3. Click Edit, then go to Input Configurations > Other Input Configurations > Advanced Parameters.

    4. Add the following JSON:

      {
  "FlushTimeoutSecs": 1
}

      The default value is determined by the default_reader_flush_timeout startup parameter (usually a few seconds). Set the value to at least 1 second. The unit is seconds.

    5. Click OK.

    Why does LoongCollector switch from private network to public network during runtime?

    When LoongCollector detects abnormal private network communication (network unavailability or connection timeouts), it automatically switches to the public network endpoint to prevent log loss.

    • LoongCollector: Automatically switches back to the private network when connectivity recovers.

    • Logtail: Does not switch back automatically. Restart Logtail manually to restore private network communication.

    Appendix: Native plugin details

    Add native processors in the Processor Configurations section of the Logtail Configuration page. To add a processor to an existing configuration:

    1. In the left navigation pane, select image Logstores and find the target Logstore.

    2. Click the image icon to expand the Logstore.

    3. Click Logtail Configuration, find the target configuration, and click Manage Logtail Configuration.

    4. Click Edit.

    For additional processing plugins not listed here, see Extended processors.
    Important

    Plugin combination rules (LoongCollector and Logtail 2.0 and later):

    • Native and extended processors can be combined freely. Prioritize native processors—they offer better performance and stability.

    • Add extended processors only after all native processors. Once an extended processor is added, no more native processors can be appended.

    • All plugins execute sequentially in the order configured.

    Regular expression parsing

    Extract log fields using regular expressions and parse logs into key-value pairs.

    Example:

    Raw log Parsed output
    127.0.0.1 - - [16/Aug/2024:14:37:52 +0800] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 41 ... remote_addr: 127.0.0.1<br>request_method: GET<br>request_uri: /wp-admin/admin-ajax.php<br>status: 200<br>body_bytes_sent: 41

    Configuration: Click Add Processor and select Native Processor > Data Parsing (Regex Mode):

    • Regular expression: Match logs using a regular expression.

      • Auto-generate: click Generate Regular Expression automatically, select the content to extract in Log Sample, and click Generate Regular Expression. See screenshot: image

      • Manual input: click Manually enter a regular expression, enter your expression, then click Validate.

    • Extracted field: Map each captured group to a field name (Key).

    • For shared parameters, see Scenario 2: Structured logs.

    Delimiter parsing

    Split log fields by a separator character and map each column to a field name.

    Example (comma-delimited):

    Raw log Parsed output
    05/May/2025:13:30:28,10.10.*.*,"POST /PutData HTTP/1.1",200,18204,aliyun-sdk-java time: 05/May/2025:13:30:28<br>ip: 10.10.*.*<br>request: POST /PutData HTTP/1.1<br>status: 200<br>size: 18204<br>user_agent: aliyun-sdk-java

    Configuration: Click Add Processor and select Native Processor > Data Parsing (Delimiter Mode):

    • Delimiter: The character used to split log fields. For CSV files, select Custom and enter a comma (,).

    • Quote: Enclose field values containing a delimiter to prevent incorrect splitting.

    • Extracted field: Map each column to a field name in order. Field names can only contain letters, numbers, and underscores, must start with a letter or underscore, and have a maximum length of 128 bytes.

    • For shared parameters, see Scenario 2: Structured logs.

    Standard JSON parsing

    Parse flat JSON logs into key-value pairs.

    Example:

    Raw log Parsed output
    {"url": "POST /PutData HTTP/1.1", "ip": "10.200.98.220", "user-agent": "aliyun-sdk-java", "time": "05/Jan/2025:13:30:28"} url: POST /PutData HTTP/1.1<br>ip: 10.200.98.220<br>user-agent: aliyun-sdk-java<br>time: 05/Jan/2025:13:30:28

    Configuration: Click Add Processor and select Native Processor > Data Parsing (JSON Mode):

    Nested JSON parsing

    Flatten deeply nested JSON objects into key-value pairs by specifying an expansion depth.

    Example:

    Raw log Depth 0 (full expansion) Depth 1
    {"s_key":{"k1":{"k2":{"k3":{"k4":{"k51":"51","k52":"52"},"k41":"41"}}}}} 0_s_key_k1_k2_k3_k41: 41<br>0_s_key_k1_k2_k3_k4_k51: 51<br>0_s_key_k1_k2_k3_k4_k52: 52 1_s_key: {"k1":{"k2":...}}

    Configuration: Click Add Processor and select Extended Processor > Expand JSON Field:

    • Original field: The source field to expand (for example, content).

    • JSON expansion depth: 0 means full expansion (default); 1 means the top level only.

    • Character to concatenate expanded keys: Separator for expanded field names. Default is underscore (_).

    • Name prefix of expanded keys: Prefix for all expanded field names.

    • Expand array: Enable to expand arrays into indexed key-value pairs. For example, {"k":["a","b"]} expands to {"k[0]":"a","k[1]":"b"}.

    To rename expanded fields, add a Rename Fields plugin after this one.

    JSON array parsing

    Extract JSON objects from a JSON array using the json_extract function.

    Example:

    Raw log Parsed output
    [{"key1":"value1"},{"key2":"value2"}] json1: {"key1":"value1"}<br>json2: {"key2":"value2"}

    Configuration: In the Logtail Configuration area, switch the Processing Method to SPL and enter an SPL statement using the json_extract function.

    Example: Extract elements from the content field array and store them in json1 and json2:

    * | extend json1 = json_extract(content, '$[0]'), json2 = json_extract(content, '$[1]')

    Apache log parsing

    Parse Apache access logs using the format definition from your Apache configuration file.

    Example:

    Raw log Parsed output
    192.168.1.10 - - [08/May/2024:15:30:28 +0800] "GET /index.html HTTP/1.1" 200 1234 ... remote_addr: 192.168.1.10<br>request_method: GET<br>request_uri: /index.html<br>status: 200<br>response_size_bytes: 1234

    Configuration: Click Add Processor and select Native Processor > Data Parsing (Apache Mode):

    • Log format: Select combined.

    • APACHE LogFormat configuration: The system auto-populates based on the selected format.

    Important

    Verify the auto-filled content matches the LogFormat in your Apache configuration file (typically /etc/apache2/apache2.conf).

    Data masking

    Mask sensitive values in logs before they are stored.

    Example:

    Raw log After masking
    [{'account':'1812213231432969','password':'04a23f38'}] [{'account':'1812213231432969','password':'********'}]

    Configuration: Click Add Processor and select Native Processor > Data Masking:

    • Original field: The field containing the content to mask.

    • Data masking method:

      • const: Replace sensitive content with a fixed string.

      • md5: Replace sensitive content with its MD5 hash.

    • Replacement string: The replacement string when using the const method.

    • Content expression that precedes replaced content: Identifies the context before the sensitive content. Uses RE2 syntax.

    • Content expression to match replaced content: Matches the sensitive content. Uses RE2 syntax.

    Time parsing

    Parse a time field and set the result as the __time__ field for the log.

    Example:

    Raw log Parsed result
    {"level":"INFO","timestamp":"2025-09-23T19:11:47+0800","message":"User logged in"} image

    Configuration: Click Add Processor and select Native Processor > Time Parsing:

    • Original field: The field containing the raw time value.

    • Time format: The format string matching your log's time content. See Time formats.

    • Time zone: The time zone of the log time field. Defaults to the time zone of the machine running LoongCollector.

    Appendix: Regular expression limits (container filtering)

    Container filtering uses Go's RE2 engine, which has fewer features than PCRE. Note the following differences:

    1. Named group syntax

    Go uses (?P<name>...) for named groups. The PCRE syntax (?<name>...) is not supported.

    • Correct: (?P<year>\d{4})

    • Incorrect: (?<year>\d{4})

    2. Unsupported features

    The following are not available in RE2:

    • Lookahead and lookbehind assertions: (?=...), (?!...), (?<=...), (?<!...)

    • Conditional expressions: (?(condition)true|false)

    • Recursive matching: (?R), (?0)

    • Subroutine references: (?&name), (?P>name)

    • Atomic groups: (?>...)

    3. Validation

    When testing regular expressions with tools such as Regex101, select Golang (RE2) mode to ensure compatibility.

    Appendix: Comparison of new and legacy stdout versions

    The new stdout collection template stores container metadata in the __tag__ field instead of embedding it directly in log content, improving storage efficiency and aligning the format with file collection.

    Core advantages of the new template

    Dimension New version Legacy version
    Performance Refactored in C++; 180%–300% faster than the Go-based legacy version. Supports native plugins and multi-threading. Go-based; lower throughput.
    Reliability Supports stdout log rotation queuing, unified with file collection for high reliability during rapid rotation. Less reliable under rapid rotation.
    Resource usage CPU and memory usage reduced by 20%–25%. Higher resource usage.
    Configuration Parameters are consistent with the file collection plugin. Separate parameter set.

    Metadata storage format

    Feature Legacy version New version
    Storage method Metadata embedded directly as regular log fields. Metadata stored centrally in the __tag__ field.
    Storage efficiency Each log carries full metadata repeatedly. Multiple logs in the same context reuse metadata.
    Format consistency Inconsistent with file collection format. Fully aligned with file collection.
    Query access Direct field name, for example _container_name_. Accessed through __tag__, for example __tag__:_container_name_.

    Field mapping

    Legacy field name New field name
    _container_ip_ __tag__:_container_ip_
    _container_name_ __tag__:_container_name_
    _image_name_ __tag__:_image_name_
    _namespace_ __tag__:_namespace_
    _pod_name_ __tag__:_pod_name_
    _pod_uid_ __tag__:_pod_uid_
    Query SQL has been automatically updated for compatibility, so existing query statements work with both old and new format logs simultaneously.

    More information

    Global configuration parameters

    Parameter Description
    Configuration name Must be unique within the project. Cannot be modified after creation.
    Log topic type How topics are generated: machine group topic, file path extraction, or custom.
    Advanced parameters See CreateLogtailPipelineConfig for additional global configuration options.

    Input configuration parameters

    Parameter Description
    Logtail deployment mode DaemonSet: One LoongCollector per node, collecting from all containers on that node. Sidecar: One LoongCollector per pod, collecting from all containers in that pod.
    File path type Path in container: Collect text log files from inside containers. Host path: Collect service logs from cluster nodes.
    File path Absolute path on the host. Linux paths start with /; Windows paths start with a drive letter. Supports * and ? wildcards and recursive ** matching.
    Maximum directory monitoring depth Maximum depth matched by ** in the file path. 0 means the current directory only.
    Standard output Enable Stdout and Stderr to collect container stdout.
    Standard error Enable Standard Error to collect container stderr.
    Allow multiple standard output collection Enable Allow File to Be Collected for Multiple Times to allow multiple new-template configurations to collect the same container's stdout.
    Container filtering Filter containers by namespace, pod name, labels, or environment variables. Container labels come from Docker inspect, not Kubernetes. Use Kubernetes-level filters (namespace, pod label, container name) in Kubernetes environments.
    Log tag enrichment Attach environment variable values or Kubernetes pod label values to logs as tag fields.
    File encoding Encoding format for log files.
    Initial collection size Size from the end of file where collection starts on first activation. Default is 1,024 KB. If the file is smaller than 1,024 KB, collection starts from the beginning. Valid range: 0–10,485,760 KB.
    Collection blacklist Exclude specific directories or files. Supports * and ? wildcards. Keep entries under 10 to minimize overhead. Directory paths must not end with /.
    Allow multiple file collection Enable Allow File to Be Collected for Multiple Times to allow multiple configurations to collect the same text file.
    Advanced parameters See CreateLogtailPipelineConfig for additional file input plugin options.

    Processing configuration parameters

    Parameter Description
    Log sample A representative log entry (up to 1,500 characters total across all samples). Used to auto-generate parsing rules.
    Multiline mode Configure how multi-line logs are identified and merged. Options: Custom (regex-based) or Multi-line JSON. Set the handling for unmatched content: Discard or Retain Single Line.
    Processing mode Native Processor and Extended Processor. Native processors must precede extended processors. Refer to Native and extension processing plugin usage for details and combination rules.