All Products
Search

This Product

    Alibaba Cloud Service Mesh:Enable control-plane log collection and alerting

    Document Center

    Alibaba Cloud Service Mesh:Enable control-plane log collection and alerting

    Last Updated:Mar 10, 2026

    When your service mesh encounters configuration errors, certificate issues, or data-plane synchronization failures, control-plane logs are the primary source for diagnosis. Service Mesh (ASM) Log Center allows you to view control-plane logs and data-plane logs in the ASM console. After you enable log collection, you can use Log Center to view control-plane logs, configure log-based alert rules, and view data-plane logs and related dashboards. This topic describes how to enable control-plane log collection and log-based alerting.

    Note

    This topic applies to ASM instances of version 1.17.2.35 or later. For earlier versions, see Enable control-plane log collection and log-based alerting in an ASM instance of a version earlier than 1.17.2.35.

    Prerequisites

    Before you begin, make sure that you have:

    Important

    ASM does not charge for log collection. However, Simple Log Service bills separately in pay-by-feature or pay-by-ingested-data mode. For details, see Billing overview.

    Enable control-plane log collection

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose Observability Management Center > Log Center.

    3. On the Log Center page, click the Control-Plane Logs tab. Select New project or Use existed project, configure the parameters, and then click Enable Control-Plane Log Collection.

    4. In the Submit confirmation dialog, click OK.

    After log collection is enabled:

    Note

    To disable this feature, click Disable Control-Plane Log Collection in the upper-right corner of the Control-Plane Logs tab, and then click OK to confirm.

    View control-plane logs

    After you enable log collection, control-plane component logs stream into Simple Log Service. View them in the ASM console or the Simple Log Service console.

    Note

    Logs may not appear immediately after you enable collection. The system needs a short time to set up the log distribution task.

    View logs in the ASM console

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose Observability Management Center > Log Center.

    3. On the Log Center page, click the Control-Plane Logs tab to view log information.

    View logs in the Simple Log Service console

    1. Log on to the Simple Log Service console.

    2. In the Projects section, click the name of the Simple Log Service project used for your cluster.

    3. On the Logstores page, click the desired Logstore to view log information.

    Configure log-based alerting

    Set up alert rules to get notified about control-plane issues such as configuration push failures, configuration risks, and certificate expiration.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose Observability Management Center > Log Center.

    3. On the Log Center page, click the Control-Plane Logs tab. In the upper-left corner, click Alert Setting.

    4. In the Control-Plane Alert Setting dialog box, find the alert policy you want, select an action policy, and click Enable Alert. In the Note message, click OK.

    An action policy defines how notifications are sent when an alert fires. Two types are available:

    Action policy typeDescription
    ASM Built-in Action StrategyA default policy with no notification channels preconfigured. Click the Settings icon icon to open the Simple Log Service alert center and configure a notification channel.
    Custom action strategyA policy you define with your own notification channels.

    Add alert contacts

    You can configure built-in action policies for gateways, alert contacts, and notification templates in Simple Log Service.

    1. Log on to the Simple Log Service console.

    2. In the Projects section, click the name of the desired project. In the left-side navigation pane, click Alerts.

    3. On the Alert Center page, choose Notification Objects > User Group Management.

    4. On the User Group Management tab, find sls.app.asm.builtin and click Edit in the Actions column.

    5. In the Edit User Group dialog box, select the members to add, click the 添加 icon to add them to the user group, and then click OK.

      修改用户组

    Verify alert notification settings

    Trigger a test alert to confirm that notifications are delivered correctly.

    Note

    This example triggers only one alert type. For related error messages, see Configuration push failure alerts.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose ASM Gateways > Gateway. On the page that appears, click Create from YAML.

    3. On the Create page, select a namespace and a template, paste the following YAML, and click Create. This example deploys an Istio gateway in the default namespace with a non-existent TLS credential to intentionally trigger an error:

      apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gateway-test
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - '*console.aliyun.com'
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: not-existing-credential
        mode: SIMPLE

    4. Check the alert in the ASM console:

      1. In the left-side navigation pane, choose Observability Management Center > Log Center.

      2. On the Control-Plane Logs tab, search for ACK ERROR to view the alert information.

    If you configured email notifications, check your inbox for the alert email.

    Troubleshoot alerts

    Potential configuration risk alerts

    ASM raises these alerts when it detects configurations that may produce unexpected results. Check the Mesh Diagnosis page and follow the instructions to correct the configurations. See Diagnose ASM instances.

    Incorrect configuration alerts

    ASM raises these alerts when it detects configurations likely to cause unexpected behavior. Check the Mesh Diagnosis page and correct the configurations promptly. See Diagnose ASM instances.

    Configuration push failure alerts

    The following table lists common errors when the control plane fails to push configurations to the data plane. If your error is not listed, submit a ticket.

    Error messageFix
    Internal:Error adding/updating listener(s) 0.0.0.0_443: Failed to load certificate chain from <inline>, only P-256 ECDSA certificates are supportedThe data-plane cluster does not support the configured certificate. Replace it with a P-256 ECDSA certificate. See Use an ingress gateway to enable HTTPS.
    Internal:Error adding/updating listener(s) 0.0.0.0_443: Invalid path: ****The certificate path is invalid or the certificate does not exist. Verify that the certificate mount path matches the path in the gateway configuration. See Use an ingress gateway to enable HTTPS.
    Internal:Error adding/updating listener(s) 0.0.0.0_xx: duplicate listener 0.0.0.0_xx foundThe gateway has duplicate listening ports. Remove the duplicate port from the gateway configuration.
    Internal:Error adding/updating listener(s) 192.168.33.189_15021: Didn't find a registered implementation for name: '***'The name *** referenced based on the 15021 listener patch by using EnvoyFilter cannot be found in sidecar proxies or ingress gateway services. Remove the invalid reference.
    Internal:Error adding/updating listener(s) 0.0.0.0_80: V2 (and AUTO) xDS transport protocol versions are deprecated in grpc_service ***The xDS v2 protocol on the data plane will be deprecated soon. This is usually because the version of sidecar proxies on the data plane does not match that on the control plane. Delete existing pods to trigger re-creation. Sidecar proxies of the latest version are automatically injected into the recreated pods.

    Certificate expiration alerts

    Alert policyAction
    Certificate Management has an expired certificate, which may cause the gateway to fail to process TLS traffic.Replace the expired certificate immediately to restore TLS traffic processing on the gateway.
    Certificate Management has a certificate that is about to expire. Please update the certificate in time.Renew or replace the certificate before it expires to avoid TLS traffic disruption.

    Change the control-plane log project

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose Observability Management Center > Log Center.

    3. On the Control-Plane Logs tab, click Change Log Project. In the Change Log Project dialog box, update the settings and click Submit.