All Products
Search
Document Center

Microservices Engine:Report MSE traffic protection events to SLS

Last Updated:Jun 21, 2026

The MSE traffic protection feature detects abnormal traffic and attacks. You can report these events to Simple Log Service (SLS) for real-time monitoring, analysis, and security responses. This topic describes how to report events triggered by the traffic protection feature of MSE Microservices Governance to SLS. These events are collected from the sentinel-block.log file.

Prerequisites

Enable Logtail

If you enabled Simple Log Service when you created your ACK cluster, you can skip this section. Otherwise, follow these steps to enable Logtail. For more information, see Install Logtail when you create a cluster.

Note

This operation applies only to ACK dedicated clusters and ACK managed clusters.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of your cluster. In the left navigation pane, click Components and Add-ons.

  3. On the Logs and Monitoring tab, find logtail-ds and click Install.

Import data

Configure a data source in SLS to collect, parse, and report Sentinel log records. For more information about the file format to be collected, see Data sources and parsing formats.

  1. Log on to the Simple Log Service console.

  2. Click Quick Data Import. In the Import Data dialog box, enter Kubernetes in the search box, and then click Kubernetes - File.

  3. In the Select Logstore step, select a Project and a Logstore, and then click Next.

    Select the Project named k8s-log-{your_k8s_cluster_id} or another Project. For the Logstore, you can select an existing one or create one. For more information, see Create a Logstore.

  4. In the Machine Group Configuration step, select the target Machine Group (k8s-group-${your_k8s_cluster_id}). Move this machine group from the Source Machine Group list to the Applied Machine Group list, and then click Next.

    If you select another Project, create a Machine Group as prompted on the page.

  5. In the Logtail Configuration step, set the data source and parsing format. Complete the configuration, and then click Next.

    Parameter

    Description

    Config name

    Enter a name for the configuration.

    File Path

    • Logs are collected from the fixed path /${user_home}/logs/csp/sentinel-block.log. Replace ${user_home} with the system home directory, which is typically root.

    • For the specific path, see Important logs.

    Log Sample

    Enter the following content as a sample:

    2024-08-28 06:53:14|1|/flow,FlowException,default,,32808,1724827994000|37,0,0

    Processing Method

    Use a processor plugin combination, and add a Data Parsing (Regex Mode) plugin. Configure the key parameters as shown in the example and set other parameters as needed.

    Regular expression

    (\d+-\d+-\d+\s\d+:\d+:\d+)\|1\|([\s\S]*),([a-zA-Z]+),([a-zA-Z]+),([\s\S]*),(\d+),(\d+)\|(\d+),0,(\d+)

    Set Source Field to content. Click Validate. Nine fields are extracted: time, resource, expType, limitApp, origin, ruleId, timestamp, blockNum, and n. Then, select the Keep original fields on parsing failure checkbox.

  6. In the Query and Analysis Configurations step, wait for Automatic Refresh next to Preview Data to complete. Add and modify some index fields, and then click Next.

    Field

    Type

    Alias

    __tag__:_namespace_

    text

    namespace

    __tag__:container_name_

    text

    appName

    ruleId

    long

    Not required

    resource

    text

    time

    text

    expType

    text

    blockNum

    double

  7. Click Query Log to return to the Project.

Verify event reporting

  1. Log on to the Simple Log Service console.

  2. In the specified Project, you can view the monitoring metrics reported to the new Logstore in SLS.

    __tag__:__user_defined_id__: k8s-group-c7ebc423cebdd43c494daf02xxx
    __tag__:_cluster_id_: c7ebc423cebdd43c494daf02
    __tag__:_container_ip_: 10.7.xxx
    __tag__:_container_name_: spring-cloud-b
    __tag__:_image_name_: registry.cn-hangzhou.aliyuncs.com/mse-demo-hz/spring-cloud-b:3.0.1-fallback-test
    __tag__:_namespace_: mse-demo
    __tag__:_node_ip_: 10.7xxx
    __tag__:_node_name_: cn-hangzhou.10.7.xxx
    __tag__:_pod_name_: spring-cloud-b-54b48d6f6c-xxx
    __tag__:_pod_uid_: bcd0f5bd-3b4c-48d7-99c7-aefxxx
    blockNum: 71
    expType: FlowException
    limitApp: default
    n: 0
    origin: dubbo-provider-A
    resource: com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String)
    ruleId: 855
    time: 2023-09-15 03:46:22
    timestamp: 1694749582000

FAQ

Why are no logs displayed in the SLS console?

Log on to the Container Service for Kubernetes console and click the target cluster. On the Cluster information page, click Open Cloud Shell. Run the following commands to verify:

cd ~/logs/csp/ # Replace this with the actual log path.
tail -n 10 sentinel-block.log

The expected result is as follows, which indicates that throttling logs have been generated. If the corresponding logs are not generated, check whether the Prerequisites are configured correctly. Pay special attention to whether the traffic protection rules in the MSE console are configured correctly and whether traffic throttling has occurred.

2023-09-14 08:51:04|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681464000|63,0
2023-09-14 08:51:05|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681465000|78,0
2023-09-14 08:51:06|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681466000|75,0
2023-09-14 08:51:07|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681467000|64,0
2023-09-14 08:51:08|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681468000|84,0
2023-09-14 08:51:09|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681469000|75,0
2023-09-14 08:51:10|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681470000|76,0
2023-09-14 08:51:11|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681471000|71,0
2023-09-14 08:51:12|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681472000|61,0
2023-09-14 08:51:13|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681473000|64,0
2023-09-14 08:51:14|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681474000|64,0
2023-09-14 08:51:15|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681475000|76,0
2023-09-14 08:51:16|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681476000|79,0
2023-09-14 08:51:17|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681477000|66,0
2023-09-14 08:51:18|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681478000|80,0
2s023-09-14 08:51:19|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681479000|65,0
2023-09-14 08:51:20|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681480000|79,0
2023-09-14 08:51:21|1|com.alibabacloud.mse.demo.b.service.HelloServiceB:hello(java.lang.String),FlowException,default,dubbo-provider-A,855,1694681481000|75,0
...

Related documents

SLS-based traffic protection alerts