Centralize ECI Logs with Logtail Sidecar Container - ACK Serverless

ACK Serverless runs workloads on Elastic Container Instance (ECI), where pods have no underlying node to host a shared DaemonSet log agent. To collect logs from these pods, you can run a Logtail sidecar container alongside the application container within the same ECI instance. The sidecar shares a volume with the application container and pushes logs directly to Simple Log Service (SLS).

Prerequisites

Before you begin, ensure that you have:

An ACK Serverless cluster. For details, see Create a cluster.
Simple Log Service activated. To activate it, log on to the Simple Log Service console and follow the on-screen instructions.

How it works

The Logtail sidecar runs as an independent log agent inside each ECI instance. It shares a log folder with the application container through a Kubernetes volume. The application container writes logs to that folder, and Logtail monitors and collects the log files, then sends them to SLS.

Two log types are supported:

Log type	Mechanism	When to use
Standard output	Relies on the ECI `stdlog` volume. ECI base components convert the container's stdout into log files under the volume mount path. Mount the `stdlog` volume to the Logtail sidecar so Logtail can read those files.	The application writes to stdout/stderr and you want Logtail to collect it as files.
Text files	Uses an `emptyDir` shared volume. Both the application container and the Logtail sidecar mount the same volume. The application writes log files to the volume; Logtail reads them directly.	The application writes structured logs to a file path (for example, `/var/log/nginx/access.log`).

Step 1: Deploy the sidecar container

Create a Deployment that includes both the application container and the Logtail sidecar container.

The sample YAML below uses an nginx log generator as the application container and mounts both volume types. Replace the placeholder values before applying.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: nginx-log-sidecar-demo
  name: nginx-log-sidecar-demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-log-sidecar-demo
  template:
    metadata:
      labels:
        app: nginx-log-sidecar-demo
    spec:
      containers:
        - name: nginx-log-demo
          image: registry-vpc.${RegionId}.aliyuncs.com/log-service/docker-log-test:latest
          command:
            - /bin/mock_log
          args:
            - '--log-type=nginx'
            - '--stdout=false'
            - '--stderr=true'
            - '--path=/var/log/nginx/access.log'
            - '--total-count=100000000'
            - '--logs-per-sec=100'
          imagePullPolicy: Always
          volumeMounts:
            - mountPath: /var/log/nginx
              name: nginx-log           # Text file logs: shared emptyDir volume
        - name: logtail
          image: registry-vpc.${RegionId}.aliyuncs.com/log-service/logtail:latest
          env:
            - name: ALIYUN_LOGTAIL_USER_ID
              value: "${Aliuid}"
            - name: ALIYUN_LOGTAIL_USER_DEFINED_ID
              value: nginx-log-sidecar
            - name: ALIYUN_LOGTAIL_CONFIG
              value: /etc/ilogtail/conf/${RegionId}/ilogtail_config.json
            - name: aliyun_logs_machinegroup
              value: k8s-group-app-alpine
          imagePullPolicy: Always
          volumeMounts:
            - mountPath: /var/log/nginx
              name: nginx-log           # Text file logs: same emptyDir volume as the app container
            - mountPath: /stdlog
              name: stdlog             # Standard output logs: ECI stdlog volume
      volumes:
        - emptyDir: {}
          name: nginx-log              # Shared volume for text file logs
        - name: stdlog                 # ECI stdlog volume for standard output logs
          flexVolume:
            driver: alicloud/pod-stdlog

Replace the following placeholders before applying the YAML:

Placeholder	Description	Example
`${RegionId}`	The region ID of your ACK Serverless cluster	`cn-hangzhou`
`${Aliuid}`	Your Alibaba Cloud account UID	`1234567890123456`

After applying the YAML, verify that all containers are running:

kubectl get pods -l app=nginx-log-sidecar-demo

Expected output — both containers in each pod should show 2/2 Running:

NAME                                      READY   STATUS    RESTARTS   AGE
nginx-log-sidecar-demo-84587d9796-krn5z   2/2     Running   0          32m
nginx-log-sidecar-demo-84587d9796-vhnld   2/2     Running   0          32m

If a pod shows 1/2, one container has not started. Run kubectl describe pod <pod-name> to check the events and identify which container failed.

You can also view the logs using kubectl commands or in the Elastic Container Instance console:

View logs using kubectl commands
View logs in the Elastic Container Instance console

Step 2: Configure Logtail to collect logs

Create a Logtail configuration in the Simple Log Service console to collect the logs from the sidecar.

Log on to the Simple Log Service console.
On the right side of the console, click the Quick Data Import card. In the Import Data dialog box, click Regular Expression - Text Logs.
Select a Project and a Logstore, then click Next. If you do not have a Project or Logstore, click Create Now.

SLS automatically creates a Project named k8s-log-{K8s-Cluster-ID} for each Kubernetes cluster.
Configure the machine group and click Next.
- Scenario: Select Kubernetes Clusters.
- Deployment Method: Select Sidecar.
- Select Machine Group: In the Source Machine Group area, select the target machine group and move it to the Applied Server Groups area. If no machine group is available, click Create Machine Group.

Configure Logtail and click Next. Logtail supports collecting text logs in modes including simple single-line, regex, separator, and JSON. For details, see Collect logs from hosts. Use the following settings based on the log type you want to collect: Standard output The log path is the mount path of the stdlog volume in the Logtail sidecar container (/stdlog). To add a processing plug-in, see Process data during collection (processing plug-ins). Text files The log path is the mount path of the shared emptyDir volume in the Logtail sidecar container. To add a processing plug-in, see Process data during collection (processing plug-ins).

Configuration section	Parameter	Value
Global Configurations	Configuration Name	`stdout`
Input Configurations	Logtail Deployment Mode	`Text Log Collection`
	File Path	`/stdlog/*/.log`
Processor Configurations	Processing Method	`None`

Configuration section	Parameter	Value
Global Configurations	Configuration Name	`file`
Input Configurations	Logtail Deployment Mode	`Text Log Collection`
	File Path	`/var/log/nginx/*/.log`
Processor Configurations	Processing Method	`None`

Configure query and analysis settings. Indexes are configured by default. To reconfigure them, see Configure indexes.
Verify that SLS is collecting your logs. After completing the configuration, SLS starts collecting ECI logs. If no logs appear after a few minutes, check that:
- The Logtail container is running (READY 2/2 in the pod).
- The file path in the Logtail configuration matches the actual volume mount path in the pod spec.
- The machine group in the Logtail configuration matches the aliyun_logs_machinegroup value set in the Logtail container's environment variables.