Install Logtail in DaemonSet mode to collect text logs from a self-managed Kubernetes cluster - Container Service for Kubernetes

Simple Log Service allows you to install Logtail in DaemonSet or Sidecar mode and use Logtail to collect text logs from a Kubernetes cluster. For more information about the differences between the modes, see Install Logtail to collect logs from a Kubernetes cluster. This topic describes how to install Logtail in DaemonSet mode and use Logtail to collect text logs from a self-managed Kubernetes cluster.

Prerequisites

Simple Log Service is activated.
A cluster of Kubernetes 1.6 or later is available.
The kubectl command-line tool is installed in your Kubernetes cluster.

Usage notes

You can collect stdout and stderr from a Kubernetes cluster. For more information, see Install Logtail in DaemonSet mode to collect stdout and stderr from a self-managed Kubernetes cluster (old version).
You can collect text logs from a Container Service for Kubernetes (ACK) cluster. For more information, see Install Logtail in DaemonSet mode to collect text logs from an ACK cluster.

Solution overview

You can perform the following steps to install Logtail in DaemonSet mode and use Logtail to collect text logs from a self-managed Kubernetes cluster:

Install Logtail components: Install Logtail components in your Kubernetes cluster. The Logtail components include DaemonSet logtail-ds, ConfigMap alibaba-log-configuration, and Deployment alibaba-log-controller. After the Logtail components are installed, Simple Log Service can deliver a Logtail configuration to Logtail and use Logtail to collect logs from the Kubernetes cluster.
Create a Logtail configuration: After a Logtail configuration is created, Logtail collects incremental logs based on the Logtail configuration, and processes and uploads the collected logs to the created Logstore. You can create a Logtail configuration by using CRD - AliyunPipelineConfig or CRD - AliyunLogConfig, or in the Simple Log Service console. CRD - AliyunPipelineConfig is recommended.
Query and analyze logs: After a Logtail configuration is created, Simple Log Service automatically creates a Logstore to store the collected logs. You can view the logs in the Logstore.

Step 1: Install Logtail

Important

The alibaba-log-controller component is available only in Kubernetes 1.6 and later.
Make sure that the kubectl command-line tool is installed on the machine on which you want to run commands.

Log on to the Simple Log Service console and create a project.
We recommend that you create a project whose name starts with k8s-log-. Example: k8s-log-${your_k8s_cluster_id}.

Log on to your Kubernetes cluster and run the following commands to install Logtail and the required dependent components:

Download and decompress the installation package:

Chinese mainland

wget https://logtail-release-cn-hangzhou.oss-cn-hangzhou.aliyuncs.com/kubernetes/0.5.3/alibaba-cloud-log-all.tgz; tar xvf alibaba-cloud-log-all.tgz; chmod 744 ./alibaba-cloud-log-all/k8s-custom-install.sh

Outside the Chinese mainland

wget https://logtail-release-ap-southeast-1.oss-ap-southeast-1.aliyuncs.com/kubernetes/0.5.3/alibaba-cloud-log-all.tgz; tar xvf alibaba-cloud-log-all.tgz; chmod 744 ./alibaba-cloud-log-all/k8s-custom-install.sh

Modify the ./alibaba-cloud-log-all/values.yaml configuration file:

# ===================== Required settings =====================
# The name of the project. 
SlsProjectName: 
# The ID of the region where the project resides. 
Region: 
# The ID of the Alibaba Cloud account to which the project belongs. You must enclose the ID in double quotation marks (""). 
AliUid: "11**99"
# The AccessKey ID and AccessKey secret of the Alibaba Cloud account or Resource Access Management (RAM) user. The RAM user must have the AliyunLogFullAccess permission. 
AccessKeyID: 
AccessKeySercret: 
# The custom ID of the cluster. The ID can contain only letters, digits, and hyphens (-). 
ClusterID: 
# ==========================================================
# Specifies whether to enable metric collection for the related components. Valid values: true and false. Default value: true. 
SlsMonitoring: true
# The network type. Valid values: Internet and Intranet. Default value: Internet. 
Net: Internet
# Specifies whether the container runtime of the cluster is containerd. Valid values: true and false. Default value: false. 
SLS_CONTAINERD_USED: true

The following table describes the parameters that are included in the preceding command. You can configure the parameters based on your business requirements.

Parameter	Description
`SlsProjectName`	The name of the created project.
`Region`	The ID of the region where the project resides. For example, the ID of the China (Hangzhou) region is `cn-hangzhou`. For more information, see Supported regions.
`AliUid`	The ID of the Alibaba Cloud account to which the project belongs. You must enclose the ID in double quotation marks (""). Example: `AliUid: "11**99"`. For more information, see Obtain the ID of the Alibaba Cloud account to which your Simple Log Service project belongs.
`AccessKeyID`	The AccessKey ID of the Alibaba Cloud account to which the project belongs. We recommend that you use the AccessKey pair of a RAM user and attach the AliyunLogFullAccess policy to the RAM user. For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service.
`AccessKeySercret`	The AccessKey secret of the Alibaba Cloud account to which the project belongs. We recommend that you use the AccessKey pair of a RAM user and attach the AliyunLogFullAccess policy to the RAM user. For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service.
`ClusterID`	The custom ID of the cluster. The ID can contain only letters, digits, and hyphens (-). This parameter corresponds to the `${your_k8s_cluster_id}` variable in the following operations. Important Do not specify the same cluster ID for different Kubernetes clusters.
`SlsMonitoring`	Specifies whether to enable metric collection for the related components. Valid values: true (default) false
`Net`	The network type. Valid values: Internet (default) Intranet
`SLS_CONTAINERD_USED`	Specifies whether the container runtime of the cluster is containerd. Valid values: true false (default) Important If you do not enable the parameter settings for a self-managed Kubernetes cluster whose container runtime is containerd, Logtail may fail to collect logs.

Install Logtail and the required components.
Note
Run the command echo "$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)" to find out your host's OS-architecture. k8s-custom-install.sh supports the following OS-architectures: linux-386, linux-amd64, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, and darwin-amd64. If you have other requirements, submit a ticket.
```
bash k8s-custom-install.sh; kubectl apply -R -f result
```

The following table describes the Simple Log Service resources that are automatically created after you install Logtail and the required components.

Important

If you install Logtail and the required dependent components in a self-managed Kubernetes cluster, Logtail is automatically granted the privileged permissions. This prevents the container text file busy error that may occur when other pods are deleted. For more information, see Bug 1468249, Bug 1441737, and Issue 34538.

Resource type	Resource name	Description	Example
Machine group	k8s-group-`<YOUR_CLUSTER_ID>`	The machine group of logtail-daemonset, which is used in log collection scenarios.	k8s-group-my-cluster-123
	k8s-group-`<YOUR_CLUSTER_ID>`-statefulset	The machine group of logtail-statefulset, which is used in metric collection scenarios.	k8s-group-my-cluster-123-statefulset
	k8s-group-`<YOUR_CLUSTER_ID>`-singleton	The machine group of a single instance, which is used to create a Logtail configuration for the single instance.	k8s-group-my-cluster-123-singleton
Logstore	config-operation-log	The logstore is used to store logs of the alibaba-log-controller component. We recommend that you do not create a Logtail configuration for the logstore. You can delete the logstore. After the logstore is deleted, the system no longer collects the operational logs of the alibaba-log-controller component. You are charged for the logstore in the same manner as you are charged for regular logstores. For more information, see Billable items of pay-by-ingested-data.	None

Step 2: Create a Logtail configuration

The following table describes the methods that you can use to create a Logtail configuration. We recommend that you use only one method to manage a Logtail configuration.

Configuration method	Configuration description	Scenario
CRD - AliyunPipelineConfig (recommended)	Use the AliyunPipelineConfig CRD, which is a Kubernetes CRD, to manage a Logtail configuration.	Suitable for scenarios in which complex collection and processing, and version consistency between the Logtail configuration and the Logtail container in a self-managed Kubernetes cluster are required. Note The version of Logtail components must be later than 0.5.1. For more information about Logtail updates, see Update Logtail.
Simple Log Service console	Manage a Logtail configuration in the GUI based on quick deployment and configuration.	Suitable for scenarios in which simple settings are required to manage a Logtail configuration. If you use this method to manage a Logtail configuration, specific advanced features and custom settings cannot be used.
CRD - AliyunLogConfig	Use the AliyunLogConfig CRD, which is an old version CRD, to manage a Logtail configuration.	Suitable for known scenarios in which Logtail configurations can be managed by using the old version CRD. You must gradually replace the AliyunLogConfig CRD with the AliyunPipelineConfig CRD to obtain better extensibility and stability. For more information about the differences between the CRD - AliyunPipelineConfig and CRD - AliyunLogConfig methods, see CRDs.

CRD - AliyunPipelineConfig (recommended)

To create a Logtail configuration, you need to only create a Custom Resource (CR) from the AliyunPipelineConfig CRD. After the CR is created, the Logtail configuration takes effect.

Important

If you create a Logtail configuration by creating a CR and you want to modify the Logtail configuration, you can only modify the CR. If you modify the Logtail configuration in the Simple Log Service console, the new settings are not synchronized to the CR.

Log on to your Kubernetes cluster.

Create a file named example-k8s-file.yaml.

You can use the Logtail configuration generator to generate a YAML script used to create a Logtail configuration for your scenario, or manually write a YAML script based on the following example.

The following code provides an example of a YAML file used to collect text logs from the test.LOG file in the /data/logs/app_1 directory of pods labeled with app: ^(.*test.*)$ in the default namespace in multi-line mode to the automatically created k8s-file logstore in the k8s-log-test project. Modify the following parameters in the YAML file as needed:

project: Example: k8s-log-test.
Log on to the Simple Log Service console. Check the name of the project generated after Logtail is installed. In most cases, the project name is in the k8s-log-<YOUR_CLUSTER_ID> format.
IncludeK8sLabel: The label used to filter pods. Example: app: ^(.*test.*)$. In this example, logs in the pods whose label key is app and label value contains test are collected.
Note
To collect logs in pods whose names contain test in your cluster, replace the IncludeK8sLabel parameter with the K8sContainerRegex parameter and use wildcard characters to specify a value for the K8sContainerRegex parameter. Example: K8sContainerRegex: ^(.test.)$.
FilePaths: Example: /data/logs/app_1/**/test.LOG. For more information, see File path mapping for containers.
Endpoint and Region: Example for the Endpoint parameter: ap-southeast-1.log.aliyuncs.com. Example for the Region parameter: ap-southeast-1.

The value of the config parameter includes the types of input, output, and processing plug-ins and container filtering methods. For more information, see PipelineConfig. For more information about the complete parameters in the YAML file, see CR parameters.

apiVersion: telemetry.alibabacloud.com/v1alpha1
kind: ClusterAliyunPipelineConfig
metadata:
  # Specify the name of the resource. The name must be unique in the current Kubernetes cluster. The name is the same as the name of the created Logtail configuration. If the resource name already exists, the name does not take effect.
  name: example-k8s-file
spec:
  # Specify the name of the project.
  project:
    name: k8s-log-test
  logstores:
    # Create a logstore named k8s-file.
    - name: k8s-file
  # Create a Logtail configuration.
  config:
    # Enter a sample log. You can leave this parameter empty.
    sample: |
      2024-06-19 16:35:00 INFO test log
      line-1
      line-2
      end
    # Specify the input plug-in.
    inputs:
      # Use the input_file plug-in to collect multi-line text logs from containers.
      - Type: input_file
        # Specify the file path in the containers.
        FilePaths:
          - /data/logs/app_1/**/test.LOG
        # Enable the container discovery feature.
        EnableContainerDiscovery: true
        # Add conditions to filter containers. Multiple conditions are evaluated by using a logical AND.
        CollectingContainersMeta: true
        ContainerFilters:
          # Specify the namespace of the pods to which the required containers belong. Regular expression matching is supported.
          K8sNamespaceRegex: default
          # Specify the name of the required containers. Regular expression matching is supported.
          IncludeK8sLabel:
            app: ^(.*app.*)$
        # Enable multi-line log collection. If you want to collect single-line logs, delete this parameter.
        Multiline:
          # Specify the custom mode to match the beginning of the first line of a log based on a regular expression.
          Mode: custom
          # Specify the regular expression that is used to match the beginning of the first line of a log.
          StartPattern: '\d+-\d+-\d+\s\d+:\d+:\d+'
    # Specify the processing plug-in.
    processors:
      # Use the processor_parse_regex_native plug-in to parse logs based on the specified regular expression.
      - Type: processor_parse_regex_native
        # Specify the name of the original field.
        SourceKey: content
        # Specify the regular expression that is used for parsing. Use capturing groups to extract fields.
        Regex: (\d+-\d+-\d+\s\S+)(.*)
        # Specify the fields that you want to extract.
        Keys: ["time", "detail"]
    # Specify the output plug-in.
    flushers:
      # Use the flusher_sls plug-in to deliver logs to a specific logstore.
      - Type: flusher_sls
        # Make sure that the logstore exists.
        Logstore: k8s-file
        # Make sure that the endpoint is valid.
        Endpoint: ap-southeast-1.log.aliyuncs.com
        Region: ap-southeast-1
        TelemetryType: logs

Run the kubectl apply -f example.yaml command. Replace example.yaml with the name of the YAML file that you create. Then, Logtail starts to collect container text logs to Simple Log Service.

CRD - AliyunLogConfig

To create a Logtail configuration, you need to only create a CR from the AliyunLogConfig CRD. After the CR is created, the Logtail configuration takes effect.

Important

Log on to your Kubernetes cluster.

Create a file named example-k8s-file.yaml.

The following code provides an example of a YAML file used to create a Logtail configuration named example-k8s-file. You can use the Logtail configuration to collect text logs from the test.LOG file in the /data/logs/app_1 directory of the containers whose names start with app in your cluster in simple mode to the automatically created k8s-file logstore in the k8s-log-<YOUR_CLUSTER_ID> project.

You can modify the log file path in the example based on your business requirements. For more information, see File path mapping for containers.

logPath: The log file path. Example: /data/logs/app_1.
filePattern: The name of the file from which you want to collect logs. Example: test.LOG.

The logtailConfig parameter specifies the Logtail details, which include the types of input, output, and processing plug-ins and container filtering methods. For more information, see AliyunLogConfigDetail. For more information about the complete parameters in the YAML file, see CR parameters.

apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  # Specify the name of the resource. The name must be unique in the current Kubernetes cluster.
  name: example-k8s-file
  # Specify the namespace to which the resource belongs.
  namespace: kube-system
spec:
  # Specify the name of the project. If you leave this parameter empty, the project named k8s-log-<your_cluster_id> is used.
  # project: k8s-log-test
  # Specify the name of the logstore. If the specified logstore does not exist, Simple Log Service automatically creates a logstore.
  logstore: k8s-file
  # Create a Logtail configuration.
  logtailConfig:
    # Specify the type of the data source. If you want to collect text logs, set the value to file.
    inputType: file
    # Specify the name of the Logtail configuration. The name must be the same as the resource name that is specified by metadata.name.
    configName: example-k8s-file
    inputDetail:
      # Specify the settings that allow Logtail to collect text logs in simple mode.
      logType: common_reg_log
      # Specify the log file path.
      logPath: /data/logs/app_1
      # Specify the log file name. You can use wildcard characters such as asterisks (*) and question marks (?) when you specify the log file name. Example: log_*.log.
      filePattern: test.LOG
      # If you want to collect text logs from containers, set the value to true.
      dockerFile: true
      # Enable multi-line log collection. If you want to collect single-line logs, delete this parameter.
      # Specify the regular expression to match the beginning of the first line of a log.
      logBeginRegex: \d+-\d+-\d+.*
      # Specify the conditions to filter containers.
      advanced:
        k8s:
          K8sPodRegex: '^(app.*)$'

Run the kubectl apply -f example.yaml command. Replace example.yaml with the name of the YAML file that you create. Then, Logtail starts to collect container text logs to Simple Log Service.

Simple Log Service console

Note

This method is suitable for scenarios in which simple settings are required to manage a Logtail configuration without the need to log on to a Kubernetes cluster. You cannot batch create Logtail configurations by using this method.

Log on to the Simple Log Service console.
In the Projects section, click the project that you use to install Logtail components. Example: k8s-log-<your_cluster_id>. On the page that appears, click the Logstore that you want to manage and then click Logtail Configurations. On the Logtail Configuration page, click Add Logtail Configuration. In the Quick Data Import dialog box, find the Kubernetes - File card and click Integrate Now.
In the Machine Group Configurations step of the Import Data wizard, set the Scenario parameter to Kubernetes Clusters and the Deployment Method parameter to ACK Daemonset, select the k8s-group-${your_k8s_cluster_id} machine group and click the > icon to move the machine group from the Source Machine Group section to the Applied Server Groups section, and then click Next.
Create a Logtail configuration. In the Logtail Configuration step of the Import Data wizard, configure the required parameters and click Next. Approximately 1 minute is required to create a Logtail configuration.
The following list describes the main parameter settings. For more information, see Create a Logtail configuration.
- Global Configurations
  In the Global Configurations section, configure the Configuration Name parameter.
- Input Configurations
  - Logtail Deployment Mode: The Logtail deployment mode. Select DaemonSet.
  - File Path Type: The type of the file path that you want to use to collect logs. Valid values: Path in Container and Host Path. If a hostPath volume is mounted to a container and you want to collect logs from files based on the mapped file path on the container host, set this parameter to Host Path. In other scenarios, set this parameter to Path in Container.
  - File Path: The directory used to store the logs that you want to collect. The file path must start with a forward slash (/). In this example, set the File Path parameter to /data/wwwlogs/main/**/*.Log, which indicates that logs are collected from files suffixed with .Log in the /data/wwwlogs/main directory. You can configure the Maximum Directory Monitoring Depth parameter to specify the maximum number of levels of the subdirectories that you want to monitor. The subdirectories are in the log file directory that you specify. This parameter specifies the levels of the subdirectories that the ** wildcard characters can match in the value of the File Path parameter. The value 0 specifies that only the specified log file directory is monitored.
Create indexes and preview data. By default, full-text indexing is enabled for Simple Log Service. In this case, full-text indexes are created. You can query all fields in logs based on the indexes. You can also manually create indexes for fields based on the collected logs. Alternatively, you can click Automatic Index Generation. Then, Simple Log Service generates indexes for fields. You can query data in an accurate manner based on field indexes. This reduces indexing costs and improves query efficiency. For more information, see Create indexes.

Step 3: Query and analyze logs

Log on to the Simple Log Service console.
In the Projects section, click the project you want to go to its details page.
In the left-side navigation pane, click the icon of the logstore you want. In the drop-down list, select Search & Analysis to view the logs that are collected from your Kubernetes cluster.

Default fields in container text logs

The following table describes the fields that are included by default in each container text log.

Field name	Description
__tag__:__hostname__	The name of the container host.
__tag__:__path__	The log file path in the container.
__tag__:_container_ip_	The IP address of the container.
__tag__:_image_name_	The name of the image that is used by the container.
__tag__:_pod_name_	The name of the pod.
__tag__:_namespace_	The namespace to which the pod belongs.
__tag__:_pod_uid_	The unique identifier (UID) of the pod.

References

Query and analyze logs.
Create a dashboard to monitor the status of systems, applications, and services.
Configure alert rules to automatically generate alerts for exceptions in logs.
Import historical logs from log files.
Troubleshoot collection errors: