Simple Log Service: Logtail (legacy)

Last Updated: Jun 02, 2026

Logtail is a log collection agent provided by Simple Log Service. It collects logs from Alibaba Cloud ECS instances, on-premises data centers, and third-party cloud servers with real-time collection, built-in fault tolerance, and centralized console management.

Collection process

Monitor logs

After you install Logtail on servers and create a Logtail configuration in the Simple Log Service console, the configuration is delivered to servers in real time. Logtail then monitors log files by scanning directories based on the configured log file path and maximum directory monitoring depth.

Log files not updated after a Logtail configuration is applied are considered historical and are not collected. Updated files are read and sent to Simple Log Service. For more information about collecting historical log files, see Import historical logs from log files.

Logtail registers event listeners that poll log directories at regular intervals for timely collection. On Linux, Inotify monitors directories and polls log files.

Read logs

After detecting updated log files, Logtail reads data in the log files.

  • On first read, Logtail reads up to 1,024 KB by default.

    • If the file is smaller than 1,024 KB, Logtail reads from the beginning.

    • If the file is larger than 1,024 KB, Logtail reads the last 1,024 KB.

    Note

    The initial read size is configurable.

    • Console: Modify First Collection Size on the Logtail Config page (see Advanced settings).

    • API: Modify tail_size_kb in the Logtail configuration (see advanced).

  • If a log file was previously read, Logtail resumes from the last checkpoint.

  • Logtail reads up to 512 KB per read. Each log entry must not exceed 512 KB.

Note

Restart Logtail after changing the server system time. Otherwise, log timestamps become incorrect and logs may be dropped.

Process logs

Logtail splits each log into lines, parses the content, and sets the time field.

  • Split a log into multiple lines

    Logtail splits logs into multiple lines based on a first-line regex you specify. Without a regex, each line is treated as a separate log.

  • Parse logs

    Logtail parses each log based on the collection mode specified in the Logtail configuration.

    Note

    Complex regular expressions can cause high CPU usage. Use efficient expressions to minimize resource consumption.

    If Logtail fails to parse a log, it handles the failure based on the Drop Failed to Parse Logs setting.

    • If Drop Failed to Parse Logs is enabled, Logtail drops the log and reports an error.

    • If Drop Failed to Parse Logs is disabled, Logtail uploads the log with the key raw_log and the value set to the log content.

  • Configure the time field for a log

    • If you do not configure the time field, the log time defaults to the parse time.

    • If you configure the time field, processing depends on the time difference:

      • Within 12 hours: the log time is extracted from the parsed log fields.

      • Beyond 12 hours: the log is dropped and an error is reported.
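The processing rules above, modelled as an added Python example (not Logtail's own code): entries are split on a first-line regex, parse failures are either dropped or kept under raw_log, and entries whose timestamp is more than 12 hours from the parse time are dropped. The regexes, sample lines, the log_time key and the error labels are constructed for illustration; measuring the 12-hour difference against the parse time in either direction, and treating an impossible date as a parse failure, are assumptions.

```python
import re
from datetime import datetime, timedelta

MAX_SKEW = timedelta(hours=12)             # window stated on this page
FIRST_LINE = r"\d{4}-\d{2}-\d{2} "         # constructed first-line regex
PARSE = r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>INFO|ERROR) (?P<msg>.*)"
TIME_FMT = "%Y-%m-%d %H:%M:%S"

SAMPLE = "\n".join([                       # constructed input, not real logs
    "2026-06-02 10:00:00 ERROR payment failed",
    "Traceback (most recent call last):",
    '  File "app.py", line 3, in pay',
    "2026-06-02 10:00:01 INFO retry ok",
    "2026-06-02 10:00:02 corrupted",
    "2026-05-30 09:00:00 INFO replayed entry",
])

def split_entries(text, first_line_regex=None):
    """Group physical lines into entries; without a regex each line is one log."""
    if first_line_regex is None:
        return text.splitlines()
    start, entries = re.compile(first_line_regex), []
    for line in text.splitlines():
        if start.match(line) or not entries:
            entries.append(line)           # a new entry begins
        else:
            entries[-1] += "\n" + line     # continuation line, e.g. a stack trace
    return entries

def process(entry, now, drop_failed):
    """Return (log, error) for one entry; exactly one of the two is None."""
    m = re.match(PARSE, entry, re.DOTALL)
    try:
        fields = m.groupdict()
        ts = datetime.strptime(fields.pop("time"), TIME_FMT)
    except (AttributeError, ValueError):   # no match, or an impossible date (assumption)
        return (None, "parse_failed") if drop_failed else ({"raw_log": entry}, None)
    if abs(now - ts) > MAX_SKEW:           # exact boundary handling is an assumption
        return None, "time_out_of_window"
    return {"log_time": ts, **fields}, None

def run(text, now, drop_failed):
    logs, errors = [], []
    for entry in split_entries(text, FIRST_LINE):
        log, err = process(entry, now, drop_failed)
        (logs if err is None else errors).append(log if err is None else err)
    return logs, errors
```

With the Drop Failed to Parse Logs behaviour disabled, the malformed entry still reaches the Logstore as raw_log, while the entry stamped three days earlier never does; anything that depends on those entries has to watch the reported errors instead.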

Filter logs

After processing, Logtail filters logs based on the specified conditions.

  • If no conditions are set in Filter Configuration, logs are not filtered.

  • If conditions are set in Filter Configuration, each log's fields are evaluated.

    Only logs that match the filter conditions are collected.

Aggregate logs

To reduce network requests, Logtail caches processed and filtered logs and sends them in batches when any of the following thresholds is reached:

  • The aggregation duration exceeds 3 seconds.

  • The number of aggregated logs exceeds 4,000.

  • The total size of aggregated logs exceeds 512 KB.

Send logs

Logtail sends aggregated logs to Simple Log Service. On failure, Logtail retries or drops the packet based on the HTTP status code.

| HTTP status code | Description | Logtail behavior |
| --- | --- | --- |
| 401 | The account lacks data collection permissions. Grant the required permissions. For more information, see Configure the permission assistant. | Drops the log packet. |
| 404 | The project or Logstore in the Logtail configuration does not exist. | Drops the log packet. |
| 403 | The shard quota is exhausted. | Retries after 3 seconds. |
| 500 | A server exception occurs. | Retries after 3 seconds. |

Note

To adjust the data transmission rate and maximum concurrent connections, modify max_bytes_per_sec and send_request_concurrency in the Logtail startup configuration file. For more information, see Configure the startup parameters of Logtail.
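The aggregation thresholds and the status-code handling described above, modelled as an added Python example (not Logtail's own code), to show which responses lose a packet outright and which only delay it. The function names, the max_attempts limit, treating 200 as success, and closing a batch before a log that would push it past a threshold are assumptions.

```python
MAX_AGE_S, MAX_COUNT, MAX_BYTES = 3, 4000, 512 * 1024   # thresholds from this page
RETRY_DELAY_S = 3                                        # retry interval from this page
DROP, RETRY = {401, 404}, {403, 500}                     # status table on this page

def aggregate(events):
    """events: iterable of (arrival_second, payload_bytes); yields lists of payloads.
    A batch is closed before a log that would push it past any threshold."""
    batch, size, started = [], 0, None
    for now, payload in events:
        if batch and (now - started > MAX_AGE_S
                      or len(batch) + 1 > MAX_COUNT
                      or size + len(payload) > MAX_BYTES):
            yield batch
            batch, size = [], 0
        if not batch:
            started = now                  # age is measured from the first log
        batch.append(payload)
        size += len(payload)
    if batch:
        yield batch                        # flush whatever is left at end of input

def send(batch, post, max_attempts=5):
    """post(batch) -> HTTP status. Returns (outcome, seconds_waited)."""
    waited = 0
    for _ in range(max_attempts):
        status = post(batch)
        if status == 200:                  # assumption: 200 means accepted
            return "delivered", waited
        if status in DROP:
            return f"dropped:{status}", waited   # packet is lost, no retry
        if status in RETRY:
            waited += RETRY_DELAY_S        # a real agent would sleep here
            continue
        return f"unspecified:{status}", waited   # not covered by the table
    return "cached_locally", waited        # retries exhausted: kept for resend
```

A 401 or 404 ends in an immediate drop with no waiting, so a permission change or a deleted Logstore removes logs without any backlog building up on the server.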

Benefits

  • Non-intrusive file-based collection. No code changes required, and collection does not affect application performance.

  • Collects text logs, binary logs, HTTP logs, and container logs.

  • Collects logs from container clusters such as Docker and Kubernetes.

  • Handles collection exceptions automatically. On network or server failures, Logtail retries and caches data locally.

  • Centralized management through Simple Log Service. Install Logtail, create a machine group and configuration, and collection starts automatically.

  • Built-in resource protection. Simple Log Service enforces strict CPU, memory, and network limits to prevent Logtail from affecting other services on the server.

Configuration process

  1. Install Logtail.

  2. Create a machine group.

    Create an IP address-based machine group or a custom identifier-based machine group for a Simple Log Service project.

  3. Create a Logtail configuration.

    Use the Simple Log Service console to collect text logs or collect container logs.

After setup, Logtail collects logs from your servers and sends them to the specified Logstore. Query logs through the Simple Log Service console, API, SDK, or CLI.

Terms

  • Machine group: A group of one or more servers that collect the same type of logs. When a Logtail configuration is applied, Simple Log Service collects logs from all servers in the group.

    Define machine groups by IP address or custom identifier. Manage them in the Simple Log Service console (see Overview).

  • Logtail: The log collection agent provided by Simple Log Service, running on each server from which logs are collected.

    • Linux: Logtail is installed in /usr/local/ilogtail and runs two processes (collector and daemon) starting with ilogtail. Operational logs are stored in /usr/local/ilogtail/ilogtail.LOG. For more information, see Install Logtail on a Linux server.

    • Windows:

      • Logtail (32-bit)

        • 32-bit Windows: C:\Program Files\Alibaba\Logtail.

        • 64-bit Windows: C:\Program Files (x86)\Alibaba\Logtail.

          Note

          64-bit Windows stores 32-bit applications in a separate x86 directory for compatibility.

      • Logtail (64-bit)

        64-bit Logtail is supported only on 64-bit Windows. Installation directory: C:\Program Files\Alibaba\Logtail.

      To check Logtail status, go to Control Panel > Administrative Tools > Services. For V1.0.0.0 or later, check the LogtailDaemon service. For V0.x.x.x, check the LogtailWorker service. Operational logs are in ilogtail.LOG in the installation directory. For more information, see Install Logtail on a Windows server.

  • Logtail configurations: Policies that define how Logtail collects and parses logs. Each configuration specifies the data source, collection mode, and target Logstore.

Basic features

| Feature | Description |
| --- | --- |
| Real-time log collection | Logtail monitors log files and reads incremental logs in real time. Logs typically reach Simple Log Service within 3 seconds of generation. For more information, see Collection process. Note: Logtail does not collect historical logs. Logs read 12 hours or later after generation are discarded. For more information about collecting historical log files, see Import historical logs from log files. |
| Automatic log rotation | Applications rotate log files by size or date, renaming original files (e.g., app.LOG.1, app.LOG.2) and creating new ones for app.LOG. Specify the target file for collection, such as app.LOG. Logtail monitors rotation automatically and ensures no logs are lost. |
| Support for multiple data sources | Logtail collects text logs, syslogs, HTTP logs, and MySQL binary logs. For more information, see Data collection. |
| Compatibility with an open-source collection agent | Logtail ingests data from open-source collectors such as Logstash and Beats. For more information, see Data collection. |
| Automatic handling of collection exceptions | On transmission failure (Simple Log Service errors, network errors, or quota exhaustion), Logtail retries automatically. If the retry fails, data is cached locally and resent after 3 seconds. For more information, see Self-service diagnostic tool of Logtail. |
| Flexible collection configuration | Logtail configurations support flexible collection. Specify directories and files using exact or wildcard match, configure the collection mode, and use regular expressions for field extraction. Simple Log Service requires a precise timestamp for each log. Logtail supports custom time formats to extract timestamps from various log formats. |
| Automatic synchronization of Logtail configurations | After you create or update a Logtail configuration in the console, Logtail applies it within 3 minutes in most cases. No logs are lost during updates. |
| Status monitoring | Logtail monitors CPU and memory usage in real time to prevent resource overconsumption. If resource limits are exceeded, Logtail restarts automatically. If bandwidth limits are exceeded, throttling is triggered. For more information, see Startup configuration file (ilogtail_config.json). |
| Transmission of signed data | Logtail obtains a private token from Simple Log Service over a trusted channel and signs all outgoing log packets to prevent tampering. Note: Logtail retrieves the token over HTTPS. |
| Data collection reliability | Logtail periodically saves checkpoints locally. After an unexpected shutdown or crash, it resumes from the last checkpoint to minimize data loss. If resource usage exceeds configured limits for more than 5 minutes, Logtail is forcefully restarted, which may cause duplicate collection. Despite these mechanisms, logs may be lost in these scenarios: Logtail is not running, but log files are rotated multiple times; log files rotate extremely fast, such as once per second; the collection rate is lower than the generation rate for an extended period. |
