Collect standard output from self-managed K8s clusters (Logtail deployed in DaemonSet mode) - Simple Log Service

Simple Log Service provides two methods to deploy Logtail for collecting logs from Kubernetes clusters: DaemonSet and Sidecar. For the differences between these two methods, see Logtail installation and collection guide for Kubernetes clusters. This topic describes how to deploy Logtail in DaemonSet mode to collect standard output from self-managed Kubernetes clusters.

Prerequisites

Simple Log Service is activated. For more information, see Activate Simple Log Service.
A cluster of Kubernetes 1.6 or later is available.
The kubectl command-line tool is installed in the Kubernetes cluster.

Considerations

If you want to collect text logs from a cluster, see Collect text logs from Kubernetes clusters (DaemonSet).
If your cluster is an Alibaba Cloud Container Service for Kubernetes (ACK) cluster, see Collect standard output from ACK clusters - old version (DaemonSet).

Solution overview

When you deploy Logtail in DaemonSet mode to collect standard output from Kubernetes clusters, you need to perform the following steps:

Install Logtail components: Install Logtail components in your Kubernetes cluster. The Logtail components include DaemonSet logtail-ds, ConfigMap alibaba-log-configuration, and Deployment alibaba-log-controller. After Logtail is installed, Simple Log Service can deliver a Logtail configuration to Logtail and use Logtail to collect logs from the Kubernetes cluster.
Create a Logtail configuration: After a Logtail configuration is created, Logtail collects incremental logs based on the Logtail configuration, processes and uploads the collected logs to the created Logstore. This topic describes three methods that you can use to create a Logtail configuration: CRD-AliyunPipelineConfig (recommended), CRD-AliyunLogConfig, and the Simple Log Service console.
Query and analyze logs: After a Logtail configuration is created, Simple Log Service automatically creates a Logstore to store the collected logs. You can view the logs in the Logstore.

Step 1: Install Logtail

Important

The alibaba-log-controller component is available only in Kubernetes 1.6 and later.
Make sure that the kubectl command-line tool is installed on the machine on which you want to run the commands.

Log on to the Simple Log Service console and create a project. For more information, see Manage projects.
We recommend that you create a project whose name starts with k8s-log-, for example, k8s-log-${your_k8s_cluster_id}.

Log on to your Kubernetes cluster and run the following commands to install Logtail and other dependent components:

Download and decompress the installation package:

Regions in China

wget https://logtail-release-cn-hangzhou.oss-cn-hangzhou.aliyuncs.com/kubernetes/0.5.3/alibaba-cloud-log-all.tgz; tar xvf alibaba-cloud-log-all.tgz; chmod 744 ./alibaba-cloud-log-all/k8s-custom-install.sh

Regions outside China

wget https://logtail-release-ap-southeast-1.oss-ap-southeast-1.aliyuncs.com/kubernetes/0.5.3/alibaba-cloud-log-all.tgz; tar xvf alibaba-cloud-log-all.tgz; chmod 744 ./alibaba-cloud-log-all/k8s-custom-install.sh

Modify the configuration file ./alibaba-cloud-log-all/values.yaml.

# ===================== Required parameters =====================
# The name of the project.
SlsProjectName: 
# The region where the project resides.
Region: 
# The ID of the Alibaba Cloud account to which the project belongs. You must enclose the ID in double quotation marks ("").
AliUid: "11**99"
# The AccessKey ID and AccessKey secret of the Alibaba Cloud account or Resource Access Management (RAM) user. The RAM user must have the AliyunLogFullAccess permission.
AccessKeyID: 
AccessKeySercret: 
# The custom ID of the cluster. The ID can contain only letters, digits, and hyphens (-).
ClusterID: 
# ==========================================================
# Specifies whether to enable metric collection for the related components. Valid values: true and false. Default value: true.
SlsMonitoring: true
# The network type. Valid values: Internet and Intranet. Default value: Internet.
Net: Internet
# Specifies whether the container runtime of the cluster is containerd. Valid values: true and false. Default value: false.
SLS_CONTAINERD_USED: true

The following table describes the parameters that are included in the preceding command. You can configure the parameters based on your business requirements.

Parameter	Description
`SlsProjectName`	The name of the created project.
`Region`	The ID of the region where your project resides. For example, the ID of the China (Hangzhou) region is `cn-hangzhou`. For more information, see Regions.
`AliUid`	The ID of the Alibaba Cloud account to which the project belongs. You must enclose the ID in double quotation marks (""), for example, `AliUid: "11**99"`. For more information about how to obtain the ID, see Obtain the ID of the Alibaba Cloud account to which Simple Log Service belongs.
`AccessKeyID`	The AccessKey ID of the Alibaba Cloud account to which the project belongs. We recommend that you use the AccessKey pair of a RAM user and attach the AliyunLogFullAccess policy to the RAM user. For more information, see Create a RAM user and authorize the RAM user.
`AccessKeySercret`	The AccessKey secret of the Alibaba Cloud account to which the project belongs. We recommend that you use the AccessKey pair of a RAM user and attach the AliyunLogFullAccess policy to the RAM user. For more information, see Create a RAM user and authorize the RAM user.
`ClusterID`	The custom ID of the cluster. The ID can contain only letters, digits, and hyphens (-). This parameter corresponds to the `${your_k8s_cluster_id}` parameter in subsequent operations. Important Do not specify the same cluster ID for different Kubernetes clusters.
`SlsMonitoring`	Specifies whether to enable metric collection for the related components. Valid values: true (default): enables metric collection. false: disables metric collection.
`Net`	The network type. Valid values: Internet (default): public network. Intranet: internal network.
`SLS_CONTAINERD_USED`	Specifies whether the container runtime of the cluster is containerd. Valid values: true: enables the parameter settings. false (default): disables the parameter settings. Important If you do not enable the parameter settings for a self-managed Kubernetes cluster whose container runtime is containerd, Logtail may fail to collect logs.

Install Logtail and other dependent components.
Note
You can run the echo "$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)" command to query the operating system-architecture of your host. The k8s-custom-install.sh script supports the following operating system-architecture combinations: linux-386, linux-amd64, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, and darwin-amd64. If you have other requirements, submit a ticket.
```
bash k8s-custom-install.sh; kubectl apply -R -f result
```

The following table describes the Simple Log Service resources that are automatically created after you install Logtail and dependent components.

Important

When you install Logtail on a self-managed Kubernetes cluster, the privileged permission is granted to Logtail by default. This is to avoid the container text file busy error that may occur when you delete other pods. For more information, see Bug 1468249, Bug 1441737, and issue 34538.

Resource type	Resource name	Description	Example
Machine group	k8s-group-`<YOUR_CLUSTER_ID>`	The machine group of logtail-daemonset, which is used in log collection scenarios.	k8s-group-my-cluster-123
	k8s-group-`<YOUR_CLUSTER_ID>`-statefulset	The machine group of logtail-statefulset, which is used in metric collection scenarios.	k8s-group-my-cluster-123-statefulset
	k8s-group-`<YOUR_CLUSTER_ID>`-singleton	The machine group of a single instance, which is used to create a Logtail configuration for the single instance.	k8s-group-my-cluster-123-singleton
Logstore	config-operation-log	The logstore is used to store logs of the alibaba-log-controller component. We recommend that you do not create a Logtail configuration for the logstore. You can delete the logstore. After the logstore is deleted, the system no longer collects the operational logs of the alibaba-log-controller component. You are charged for the logstore in the same manner as you are charged for regular logstores. For more information, see Billable items of pay-by-ingested-data.	None

Step 2: Create a Logtail configuration

The following table describes the methods that you can use to create a Logtail configuration. We recommend that you use only one method to manage a Logtail configuration:

Method	Description	Scenario
CRD - AliyunPipelineConfig (recommended)	You can use the AliyunPipelineConfig CRD, which is a Kubernetes CRD, to manage a Logtail configuration.	This method is suitable for scenarios in which complex collection and processing, and version consistency between the Logtail configuration and the Logtail container in a self-managed Kubernetes cluster are required. Note The version of Logtail components must be later than 0.5.1. For more information about how to upgrade Logtail, see Upgrade Logtail.
Simple Log Service console	You can manage a Logtail configuration in the GUI based on quick deployment and configuration.	Suitable for creating and managing a small number of Logtail collection configurations. Some advanced features and custom requirements cannot be implemented through this method.
CRD-AliyunLogConfig	You can use the AliyunLogConfig CRD, which is an old version CRD, to manage a Logtail configuration.	This method is suitable for known scenarios in which Logtail configurations can be managed by using the old version CRD. You must gradually replace the AliyunLogConfig CRD with the AliyunPipelineConfig CRD to obtain better extensibility and stability. For more information about the differences between the two CRDs, see CRD types.

CRD - AliyunPipelineConfig (recommended)

To create a Logtail configuration, you need to only create a Custom Resource (CR) from the AliyunPipelineConfig CRD. After the CR is created, the Logtail configuration takes effect.

Important

If you create a Logtail configuration by creating a CR and you want to modify the Logtail configuration, you can only modify the CR. If you modify the Logtail configuration in the Simple Log Service console, the new settings are not synchronized to the CR.

Log on to your Kubernetes cluster.

Modify the parameters in the following YAML example as needed, copy and paste it into the template, then click Create.

Note

You can use the Logtail configuration generator to create a target scenario YAML script. This tool helps you quickly complete the configuration and reduces manual operations.

The example YAML file below captures standard output from Pods labeled with app: ^(.*test.*)$ within the default namespace, using multi-line text mode, and forwards it to a logstore called k8s-stdout, which is automatically created within a project named k8s-log-<YOUR_CLUSTER_ID>. Adjust the parameters in the YAML as needed:

project: Log on to the Simple Log Service Console, and identify the project name created by the Logtail you installed, typically in the format k8s-log-<YOUR_CLUSTER_ID>.
IncludeK8sLabel: Used to filter the labels of the target pod. For example, app: ^(.*test.*)$ indicates that the label key is app, and it will collect pods with values that include test.
Endpoint and Region: For example, ap-southeast-1.log.aliyuncs.com and ap-southeast-1.

For more information on config in the YAML file, such as supported inputs, outputs, processing plug-in types, and container filtering methods, see PipelineConfig. For a comprehensive list of YAML parameters, see CR parameters.

apiVersion: telemetry.alibabacloud.com/v1alpha1
# Create a ClusterAliyunPipelineConfig.
kind: ClusterAliyunPipelineConfig
metadata:
  # Specify the name of the resource. The name must be unique in the current Kubernetes cluster. This name is also the name of the Logtail configuration created. 
  name: example-k8s-stdout
spec:
  # Specify the target project.
  project:
    name: k8s-log-<YOUR_CLUSTER_ID>
  # Create a logstore for storing logs.
  logstores:
    - name: k8s-stdout
  # Define the Logtail configuration.
  config:
    # Sample log (optional)
    sample: |
      2024-06-19 16:35:00 INFO test log
      line-1
      line-2
      end
    # Define input plug-ins.
    inputs:
          # Use the service_docker_stdout plug-in to collect text logs inside the container.
      - Type: service_docker_stdout
        Stdout: true
        Stderr: true
        # Configure container information filter conditions. Multiple options are in an "and" relationship.
        # Specify the namespace to which the pod containing the container to be collected belongs. Supports regular expression matching.
        K8sNamespaceRegex: "^(default)$"
        # Enable container metadata preview.
        CollectContainersFlag: true
        # Collect containers that meet the Pod label conditions. Multiple entries are in an "or" relationship.
        IncludeK8sLabel:
          app: ^(.*test.*)$
        # Configure multi-line chunk configuration. Invalid configuration for single-line log collection.
        # Configure the regular expression for the beginning of the line.
        BeginLineRegex: \d+-\d+-\d+.*
    # Define output plug-ins
    flushers:
      # Use the flusher_sls plug-in to send logs to the specified logstore.
      - Type: flusher_sls
        # Make sure that the logstore exists.
        Logstore: k8s-stdout
        # Make sure that the endpoint is valid.
        Endpoint: ap-southeast-1.log.aliyuncs.com
        Region: ap-southeast-1
        TelemetryType: logs

Run the kubectl apply -f example.yaml command. Replace example.yaml with the name of the YAML file that you created. Logtail starts to collect standard output from containers and sends the collected logs to Simple Log Service.

CRD-AliyunLogConfig

To create a Logtail configuration, you need to only create a CR from the AliyunLogConfig CRD. After the CR is created, the Logtail configuration takes effect.

Important

Log on to your Kubernetes cluster.

Create a file named example-k8s-file.yaml.

The YAML script creates a Logtail configuration named simple-stdout-example. The Logtail configuration collects standard output in multi-line mode from all containers whose names start with app in the cluster. The collected logs are sent to the k8s-stdout Logstore in the k8s-log-<your_cluster_id> project.

For more information about the logtailConfig field in the YAML file, including the supported input, output, and processing plug-ins and container filtering methods, see AliyunLogConfigDetail. For more information about the parameters in the YAML file, see CR parameters.

# Standard output configuration
apiVersion: log.alibabacloud.com/v1alpha1
kind: AliyunLogConfig
metadata:
  # The name of the resource. The name must be unique in your Kubernetes cluster.
  name: simple-stdout-example
spec:
  # Specify the name of the project. If you leave this parameter empty, the project named k8s-log-<your_cluster_id> is used.
  # project: k8s-log-test
  # The name of the Logstore. If the Logstore that you specify does not exist, Simple Log Service automatically creates a Logstore.
  logstore: k8s-stdout
  # Configure the Logtail configuration.
  logtailConfig:
    # The type of the data source. If you want to collect stdout logs, you must set the value to plugin.
    inputType: plugin
    # The name of the Logtail configuration. The name must be the same as the resource name that is specified in metadata.name.
    configName: simple-stdout-example
    inputDetail:
      plugin:
        inputs:
          - type: service_docker_stdout
            detail:
              # The settings that allow Logtail to collect both stdout and stderr logs.
              Stdout: true
              Stderr: true
              # Specify the namespace of the pods to which the required containers belong. Regular expression matching is supported.
              K8sNamespaceRegex: "^(default)$"
              # Specify the name of the required containers. Regular expression matching is supported.
              K8sContainerRegex: "^(app.*)$"
              # Configure settings for multi-line log collection.
              # Specify the regular expression that is used to match the beginning of the first line of a log.
              BeginLineRegex: \d+-\d+-\d+.*

Run the kubectl apply -f example.yaml command. Replace example.yaml with the name of the YAML file that you created. Logtail starts to collect standard output from containers and sends the collected logs to Simple Log Service.

Simple Log Service console

Log on to the Simple Log Service console.
In the Projects section, click the project that you used when you installed the Logtail component, for example, k8s-log-<your_cluster_id>. On the project details page, click the Logtail Configuration tab next to the target Logstore. Add a Logtail configuration and click Kubernetes-Standard Output-Old Version.
Because you have installed the Logtail component for the ACK cluster in the previous step, click Use Existing Machine Group.
On the Machine Group Configuration page, select the k8s-group-${your_k8s_cluster_id} machine group in the ACK DaemonSet Mode section of the Kubernetes scenario, click > to add the machine group to the Selected Machine Groups section, and then click Next.
Create a Logtail configuration. Configure the required parameters and click Next. Approximately 1 minute is required to create a Logtail configuration.
This section describes only the required parameters. For more information about the parameters, see Logtail configuration.
- Global Configuration
  In the Global Configuration section, enter a configuration name.
Create Index and Preview Data: Simple Log Service enables full-text indexing by default. In this case, all fields in logs are indexed for queries. You can also manually create field indexes based on the collected logs, or click Auto-generate Index. Simple Log Service generates field indexes that you can use to perform term queries on specific fields. This reduces indexing fees and improves query efficiency. For more information, see Create indexes.

Step 3: Query and analyze logs

Log on to the Simple Log Service console.
In the Projects section, click the project you want to go to its details page.
In the left-side navigation pane, click the icon of the logstore you want. In the drop-down list, select Search & Analysis to view the logs that are collected from your Kubernetes cluster.

Default fields for container standard output (old version)

Each container standard output has the following default fields:

Field Name	Description
_time_	Log collection time.
_source_	Log source type, stdout or stderr.
_image_name_	Image name
_container_name_	Container name
_pod_name_	Pod name
_namespace_	Namespace where the pod is located
_pod_uid_	Unique identifier of the pod

References

Query and analyze logs.
Create a dashboard to monitor the status of systems, applications, and services.
Configure alert rules to automatically generate alerts for exceptions in logs.
Troubleshoot collection errors: