After you install Logtail in DaemonSet mode in a container, you can use a custom resource definition (CRD) to create a Logtail configuration and use the Logtail configuration to collect container logs.
Prerequisites
Features
- Allows you to specify a log file path in a container. You do not need to manually map the log file path to a path on the host.
- Uses the container label whitelist to specify containers from which text logs are collected.
- Uses the container label blacklist to specify containers from which text logs are not collected.
- Uses the environment variable whitelist to specify containers from which text logs are collected.
- Uses the environment variable blacklist to specify containers from which text logs are not collected.
- Collects multi-line logs. For example, Logtail can collect Java stack logs.
- Automatically associates container metadata that needs to be uploaded together with the collected container text logs. The metadata includes container names, image names, pod names, namespaces, and environment variables.
- If a container runs in a Kubernetes cluster, Logtail also supports the following features:
- Uses Kubernetes namespaces, pod names, and container names to specify containers from which text logs are collected.
- Uses the Kubernetes label whitelist to specify containers from which text logs are collected.
- Uses the Kubernetes label blacklist to specify containers from which text logs are not collected.
- Automatically associates Kubernetes labels that need to be uploaded together with the collected container text logs.
Implementation

- The
kubectl
tool or other tools are used to apply an AliyunLogConfig CRD. - The alibaba-log-controller detects the update in CRD configurations.
- The alibaba-log-controller sends requests to Log Service to create a Logstore, create a Logtail configuration, and apply the Logtail configuration to a machine group based on the content of the CRD and the status of Logtail configurations in Log Service.
- Logtail periodically sends a request to Log Service to obtain a new or updated Logtail configuration and perform hot reloading.
- Logtail collects stdout and stderr as well as text logs from each container based on the obtained Logtail configuration.
- Logtail sends the collected container logs to Log Service.
Limits
- Limits on text log collection
- If Logtail detects the
die
event on a container that is stopped, Logtail no longer collects text logs from the container. If collection latency exists, some text logs that are collected before the container is stopped may be lost. - Logtail cannot access the symbolic link of a container. You must specify an actual path as the collection directory.
- If a volume is mounted to the data directory of a container, Logtail cannot collect
data from the parent directory of the data directory. You must specify the complete
path of the data directory as the collection directory.
For example, if a volume is mounted to the /var/log/service directory and you set the collection directory to /var/log, Logtail cannot collect logs from the /var/log directory. You must specify /var/log/service as the collection directory.
- By default, Kubernetes mounts the root directory of the host to the
/logtail_host
directory of the Logtail container. If you want to collect text logs from the host, you must specify/logtail_host
as the prefix of the log file path.For example, if you want to collect logs from the
/home/logs/app_log/
directory of the host, you must specify/logtail_host/home/logs/app_log/
as the log file path. - For Docker containers, only overlay and overlay2 storage drivers are supported. If
other storage drivers are used, you must mount a volume to the directory of logs.
Then, a temporary directory is generated.
If an Apsara File Storage NAS (NAS) file system is mounted to the directory of logs by using a PersistentVolumeClaim (PVC), you cannot collect logs in DaemonSet mode. In this case, we recommend that you collect logs in Sidecar mode.
- If Logtail detects the
- Limits on stdout and stderr collection
The logging driver collects stdout and stderr only in the JSON format from containers that use the Docker engine.
- General limits
Logtail collects data from containers that use the Docker engine or containerd engine.
- Docker: Logtail accesses the Docker engine in the /run/docker.sock directory. Make sure that the directory exists and Logtail has the permissions to access the directory.
- containerd: Logtail accesses the containerd engine in the /run/containerd/containerd.sock directory. Make sure that the directory exists and Logtail has the permissions to access the directory.
Create a Logtail configuration
To create a Logtail configuration, you need to only create an AliyunLogConfig CRD. After the Logtail configuration is created, the system automatically applies the Logtail configuration. If you want to delete the Logtail configuration, you need to only delete the CRD.
View Logtail configurations
View all Logtail configurations in the current Kubernetes cluster
kubectl get aliyunlogconfigs
command to view all Logtail configurations. The following figure shows the result.

View the details and status of a Logtail configuration
You can run the kubectl get aliyunlogconfigs config_name -o yaml
command to view the details and status of a Logtail configuration. The config_name parameter in the command specifies the name of the Logtail configuration that you
want to view. You can specify a name based on your business requirements. The following
figure shows the result.
- If the value of the statusCode parameter is 200, the Logtail configuration is applied.
- If the value of the statusCode parameter is not 200, the Logtail configuration fails to be applied.

Examples of Logtail configurations that are used to collect stdout and stderr
If you want to collect container stdout and stderr, you must set the inputType parameter to plugin
and add detailed settings to the plugin
field of the inputDetail
parameter. For more information about the parameters and the descriptions of the
parameters, see Use the Log Service console to collect container stdout and stderr in DaemonSet mode.
Example 1: Collect container stdout and stderr in simple mode
Collect stdout and stderr from all containers except the containers whose environment
variable configurations include COLLECT_STDOUT_FLAG=false
. To view the environment variables of a container, you can log on to the host on
which the container resides. For more information, see Obtain environment variables. CRD configuration example:
apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
# The name of the resource. The name must be unique in the current Kubernetes cluster.
name: simple-stdout-example
spec:
# The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore.
logstore: k8s-stdout
# The Logtail configuration.
logtailConfig:
# The type of the data source. If you want to collect stdout and stderr, you must set the value to plugin.
inputType: plugin
# The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name.
configName: simple-stdout-example
inputDetail:
plugin:
inputs:
-
# input type
type: service_docker_stdout
detail:
# The settings that allow Logtail to collect both stdout and stderr.
Stdout: true
Stderr: true
# The environment variable blacklist. In this example, stdout and stderr are collected from all containers except the containers whose environment variable configurations include COLLECT_STDOUT_FLAG=false.
ExcludeEnv:
COLLECT_STDOUT_FLAG: "false"
Example 2: Collect container stdout and stderr in simple mode and process the logs by using regular expressions
To view the environment variables of a container, you can log on to the host on which the container resides. For more information, see Obtain environment variables.
GF_INSTALL_PLUGINS=grafana-piechart-....
. To view the environment variables of a container, you can log on to the host on
which the container resides. For more information, see Obtain environment variables.
- CRD configuration
apiVersion: log.alibabacloud.com/v1alpha1 kind: AliyunLogConfig metadata: # The name of the resource. The name must be unique in the current Kubernetes cluster. name: regex-stdout-example spec: # The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore. logstore: k8s-stdout-regex # The Logtail configuration. logtailConfig: # The type of the data source. If you want to collect stdout and stderr, you must set the value to plugin. inputType: plugin # The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name. configName: regex-stdout-example inputDetail: plugin: inputs: - # input type type: service_docker_stdout detail: # The settings that allow Logtail to collect only stdout. Stdout: true Stderr: false # The environment variable whitelist. In this example, stdout is collected only from containers whose environment variable configurations include a key of GF_INSTALL_PLUGINS. IncludeEnv: GF_INSTALL_PLUGINS: '' processors: - # The settings that allow Logtail to parse the collected stdout by using a regular expression. type: processor_regex detail: # The name of the source field. By default, the collected stdout is stored in the content field. SourceKey: content # The regular expression that is used to extract log content. Regex: 't=(\d+-\d+-\w+:\d+:\d+\+\d+) lvl=(\w+) msg="([^"]+)" logger=(\w+) userId=(\w+) orgId=(\w+) uname=(\S*) method=(\w+) path=(\S+) status=(\d+) remote_addr=(\S+) time_ms=(\d+) size=(\d+) referer=(\S*).*' # The keys that you want to extract from logs. Keys: ['time', 'level', 'message', 'logger', 'userId', 'orgId', 'uname', 'method', 'path', 'status', 'remote_addr', 'time_ms', 'size', 'referer'] # The settings that allow Logtail to retain the source field. KeepSource: true # The settings that allow Logtail to report an error when the specified source field does not exist. NoKeyError: true # The settings that allow Logtail to report an error when the specified regular expression does not match the value of the specified source field. NoMatchError: true
- Raw log
t=2018-03-09T07:14:03+0000 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/ status=302 remote_addr=172.16.64.154 time_ms=0 size=29 referer=
- Parsed log
Example 3: Filter containers by using Kubernetes labels and collect stdout and stderr from the matched containers
- Obtain Kubernetes labels.
- Create a Logtail configuration.
The following code shows an example of a Logtail configuration. For more information, see Use the Log Service console to collect container stdout and stderr in DaemonSet mode.
apiVersion: log.alibabacloud.com/v1alpha1 kind: AliyunLogConfig metadata: # The name of the resource. The name must be unique in the current Kubernetes cluster. name: simple-stdout-example spec: # The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore. logstore: k8s-stdout # The Logtail configuration. logtailConfig: # The type of the data source. If you want to collect stdout and stderr, you must set the value to plugin. inputType: plugin # The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name. configName: k8s-stdout-example inputDetail: plugin: inputs: - # input type type: service_docker_stdout detail: # The settings that allow Logtail to collect both stdout and stderr. Stdout: true Stderr: true # The Kubernetes label whitelist. In this example, stdout and stderr are collected only from containers whose Kubernetes labels contain the job-name key and a specific value. The value starts with nginx-log-demo. IncludeK8sLabel: job-name: "^(nginx-log-demo.*)$"
Example 4: Filter containers by using Kubernetes namespaces, pod names, and container names and collect stdout and stderr from the matched containers
- Obtain different levels of Kubernetes information.
- Obtain information about pods.
- Obtain information about namespaces.
- Obtain information about pods.
- Create a Logtail configuration.
The following code shows an example of a Logtail configuration. For more information, see Use the Log Service console to collect container stdout and stderr in DaemonSet mode.
apiVersion: log.alibabacloud.com/v1alpha1 kind: AliyunLogConfig metadata: # The name of the resource. The name must be unique in the current Kubernetes cluster. name: simple-stdout-example spec: # The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore. logstore: k8s-stdout # The Logtail configuration. logtailConfig: # The type of the data source. If you want to collect stdout and stderr, you must set the value to plugin. inputType: plugin # The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name. configName: k8s-stdout-example inputDetail: plugin: inputs: - # input type type: service_docker_stdout detail: # The settings that allow Logtail to collect both stdout and stderr. Stdout: true Stderr: true K8sNamespaceRegex: ^(default)$ K8sPodRegex: '^(nginx-log-demo.*)$' K8sContainerRegex: ^(nginx-log-demo-0)$
Examples of Logtail configurations that are used to collect text logs
If you want to collect container text logs, you must set the inputType
parameter to file
and add detailed settings to the inputDetail
parameter. For more information about the parameters and the descriptions of the
parameters, see Use the Log Service console to collect container text logs in DaemonSet mode.
Example 1: Collect container text logs in simple mode
Collect text logs from containers whose environment variable configurations include
a key of ALIYUN_LOGTAIL_USER_DEFINED_ID
. The log file path is /data/logs/app_1/simple.LOG.
apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
# The name of the resource. The name must be unique in the current Kubernetes cluster.
name: simple-file-example
spec:
# The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore.
logstore: k8s-file
# The Logtail configuration.
logtailConfig:
# The type of the data source. If you want to collect text logs, you must set the value to file.
inputType: file
# The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name.
configName: simple-file-example
inputDetail:
# The settings that allow Logtail to collect text logs in simple mode.
logType: common_reg_log
# The log file path.
logPath: /data/logs/app_1
# The log file name. You can use wildcard characters such as asterisks (*) and question marks (?) when you specify the log file name. Example: log_*.log.
filePattern: simple.LOG
# If you want to collect container text logs, you must set dockerFile to true.
dockerFile: true
# The environment variable whitelist. In this example, text logs are collected only from containers whose environment variable configurations include a key of ALIYUN_LOGTAIL_USER_DEFINED_ID
.
dockerIncludeEnv:
ALIYUN_LOGTAIL_USER_DEFINED_ID: ""
Example 2: Collect container text logs in full regex mode
A Java program generates a multi-line log that contains error stack information. You can collect the log in full regex mode and specify a regular expression that is used to match the beginning of the first line of the log in the Logtail configuration.
- Raw log
[2018-05-11T20:10:16,000] [INFO] [SessionTracker] [SessionTrackerImpl.java:148] Expiring sessions java.sql.SQLException: Incorrect string value: '\xF0\x9F\x8E\x8F",...' for column 'data' at row 1 at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:84) at org.springframework.jdbc.support.AbstractFallbackSQLException
- CRD configuration
apiVersion: log.alibabacloud.com/v1alpha1 kind: AliyunLogConfig metadata: # The name of the resource. The name must be unique in the current Kubernetes cluster. name: regex-file-example spec: # The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore. logstore: k8s-file logtailConfig: # The type of the data source. If you want to collect text logs, you must set the value to file. inputType: file # The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name. configName: regex-file-example inputDetail: # The settings that allow Logtail to collect text logs in full regex mode. logType: common_reg_log # The log file path. logPath: /app/logs # The log file name. You can use wildcard characters such as asterisks (*) and question marks (?) when you specify the log file name. Example: log_*.log. filePattern: error.LOG # The regular expression that is used to match the beginning of the first line of a log. logBeginRegex: '\[\d+-\d+-\w+:\d+:\d+,\d+]\s\[\w+]\s.*' # The regular expression that is used to extract log content. regex: '\[([^]]+)]\s\[(\w+)]\s\[(\w+)]\s\[([^:]+):(\d+)]\s(.*)' # The keys that you want to extract from logs. key : ["time", "level", "method", "file", "line", "message"] # The format of the time values that are extracted from logs. When logs are collected in full regex mode, the time values are extracted from the time field of the logs by default. If you do not want to extract time values, you can leave this parameter empty. If you configure the timeFormat parameter, you must also configure the adjustTimezone and logTimezone parameters. timeFormat: '%Y-%m-%dT%H:%M:%S' # By default, Logtail uses UTC. You must configure the following parameter setting before you can forcefully change the time zone: adjustTimezone: true # The time zone offset. The time zone of logs is UTC+8. You can change the value of this parameter to change the time zone. logTimezone: "GMT+08:00" # The settings that allow Logtail to upload raw logs if the logs fail to be parsed. discardUnmatch: false # If you want to collect container text logs, you must set dockerFile to true. dockerFile: true # The environment variable whitelist. In this example, text logs are collected only from containers whose environment variable configurations include a key of ALIYUN_LOGTAIL_USER_DEFINED_ID. dockerIncludeEnv: ALIYUN_LOGTAIL_USER_DEFINED_ID: ""
- Collected log
Example 3: Collect container text logs in delimiter mode
If the container text logs that you want to collect contain delimiters, you can collect the container text logs in delimiter mode. Logs that are in the delimiter-separated values (DSV) format use line feeds as boundaries. Each log is placed in a separate line. Each log is parsed into multiple fields by using delimiters.
apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
# The name of the resource. The name must be unique in the current Kubernetes cluster.
name: delimiter-file-example
spec:
# The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore.
logstore: k8s-file
logtailConfig:
# The type of the data source. If you want to collect text logs, you must set the value to file.
inputType: file
configName: delimiter-file-example
# The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name.
inputDetail:
# The settings that allow Logtail to collect text logs in delimiter mode.
logType: delimiter_log
# The log file path.
logPath: /usr/local/ilogtail
# The log file name. You can use wildcard characters such as asterisks (*) and question marks (?) when you specify the log file name. Example: log_*.log.
filePattern: delimiter_log.LOG
# The delimiters.
separator: '|&|'
# The keys that you want to extract from logs.
key : ['time', 'level', 'method', 'file', 'line', 'message']
# The name of the field from which time values are extracted.
timeKey: 'time'
# The format of the time values that are extracted from logs. When logs are collected in delimiter mode, the time values are extracted from the time field of the logs by default. If you do not want to extract time values, you can leave this parameter empty. If you configure the timeFormat parameter, you must also configure the adjustTimezone and logTimezone parameters.
timeFormat: '%Y-%m-%dT%H:%M:%S'
# By default, Logtail uses UTC. You must configure the following parameter setting before you can forcefully change the time zone:
adjustTimezone: true
# The time zone offset. The time zone of logs is UTC+8. You can change the value of this parameter to change the time zone.
logTimezone: "GMT+08:00"
# The settings that allow Logtail to upload raw logs if the logs fail to be parsed.
discardUnmatch: false
# If you want to collect container text logs, you must set dockerFile to true.
dockerFile: true
# The environment variable whitelist. In this example, text logs are collected only from containers whose environment variable configurations include a key of ALIYUN_LOGTAIL_USER_DEFINED_ID.
dockerIncludeEnv:
ALIYUN_LOGTAIL_USER_DEFINED_ID: ''
Example 4: Collect container text logs in JSON mode
If the container text logs that you want to collect are JSON logs of the object type, you can collect the container text logs in JSON mode.
- Raw log
{"url": "POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=U0Ujpek********&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=pD12XYLmGxKQ%2Bmkd6x7hAgQ7b1c%3D HTTP/1.1", "ip": "10.200.98.220", "user-agent": "aliyun-sdk-java", "request": {"status": "200", "latency": "18204"}, "time": "05/Jan/2020:13:30:28"}
- CRD configuration
apiVersion: log.alibabacloud.com/v1alpha1 kind: AliyunLogConfig metadata: # The name of the resource. The name must be unique in the current Kubernetes cluster. name: json-file-example spec: # The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore. logstore: k8s-file logtailConfig: # The type of the data source. If you want to collect text logs, you must set the value to file. inputType: file # The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name. configName: json-file-example inputDetail: # The settings that allow Logtail to collect text logs in JSON mode. logType: json_log # The log file path. logPath: /usr/local/ilogtail # The log file name. You can use wildcard characters such as asterisks (*) and question marks (?) when you specify the log file name. Example: log_*.log. filePattern: json_log.LOG # The name of the field from which time values are extracted. If no requirements are specified, use the timeKey: '' setting. timeKey: 'time' # The format of the time values that are extracted from logs. If no requirements are specified, use the timeFormat: '' setting. timeFormat: '%Y-%m-%dT%H:%M:%S' # If you want to collect container text logs, you must set dockerFile to true. dockerFile: true # The environment variable whitelist. In this example, text logs are collected only from containers whose environment variable configurations include a key of ALIYUN_LOGTAIL_USER_DEFINED_ID. dockerIncludeEnv: ALIYUN_LOGTAIL_USER_DEFINED_ID: ""
Example 5: Filter containers by using Kubernetes information and collect container text logs from the matched containers
- The containers belong to the default namespace.
- The containers belong to the pods whose name starts with nginx-log-demo.
- The containers are named nginx-log-demo-0.
- The containers have Kubernetes labels that contain the job-name key and a specific value. The value starts with nginx-log-demo.
- Obtain different levels of Kubernetes information.
- Obtain information about pods.
- Obtain information about namespaces.
- Obtain Kubernetes labels.
- Obtain information about pods.
- Create a Logtail configuration.
The following code shows an example of a Logtail configuration. For more information, see Use the Log Service console to collect container stdout and stderr in DaemonSet mode.
Note You must configure Kubernetes-related parameters in the k8s parameter below advanced. The Kubernetes-related parameters include IncludeK8sLabel, ExcludeK8sLabel, K8sNamespaceRegex, K8sPodRegex, K8sContainerRegex, ExternalEnvTag, and ExternalK8sLabelTag. For more information, see Use the Log Service console to collect container stdout and stderr in DaemonSet mode.apiVersion: log.alibabacloud.com/v1alpha1 kind: AliyunLogConfig metadata: # The name of the resource. The name must be unique in the current Kubernetes cluster. name: simple-file-example spec: # The name of the Logstore. If the Logstore that you specify does not exist, Log Service automatically creates a Logstore. logstore: k8s-file # The Logtail configuration. logtailConfig: # The type of the data source. If you want to collect text logs, you must set the value to file. inputType: file # The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name. configName: simple-file-example inputDetail: # The settings that allow Logtail to collect text logs in simple mode. logType: common_reg_log # The log file path. logPath: /data/logs/app_1 # The log file name. You can use wildcard characters such as asterisks (*) and question marks (?) when you specify the log file name. Example: log_*.log. filePattern: simple.LOG # If you want to collect container text logs, you must set dockerFile to true. dockerFile: true # The conditions that are used to filter containers. advanced: k8s: K8sNamespaceRegex: ^(default)$ K8sPodRegex: '^(nginx-log-demo.*)$' K8sContainerRegex: ^(nginx-log-demo-0)$ IncludeK8sLabel: job-name: "^(nginx-log-demo.*)$"