Host text log collection - Simple Log Service - Alibaba Cloud Documentation Center

This topic describes how to configure the LoongCollector (Logtail) collector to incrementally collect text logs from ECS instances, self-managed Linux/Windows servers, and other hosts. If you want to collect full logs, you can import historical logs.

Basic collection configuration: This is required when you configure LoongCollector (Logtail) collection. It defines the core parameters of the collection task to ensure that log data is successfully collected and transmitted to the specified Logstore in the project.

Advanced collection configuration (optional): After completing the basic collection configuration, you can perform operations such as data masking and filtering on log content to meet more refined log collection requirements.

Preparations

Permissions

If you log on with an Alibaba Cloud account, you have all operation permissions by default and can directly perform related operations.

If you log on with a RAM user, contact the Alibaba Cloud account owner to grant permissions by using system policies or custom policies:

System policies: These are predefined policies created and maintained by Simple Log Service. You can directly use them but cannot modify their content.
- AliyunLogFullAccess: This policy grants the permissions to manage Simple Log Service resources.
- AliyunLogReadOnlyAccess: This policy grants the read-only permissions on all Simple Log Service resources.

Custom policies: If you have high data security requirements, you can create custom policies to implement fine-grained permission management, such as:

Replace ${regionName}, ${uid}, ${projectName}, and ${logstoreName} in the Resource field with your region name, Alibaba Cloud account ID, project name to access, and Logstore name to query.

To manage Logstores and collection configurations in existing projects of the Alibaba Cloud account and view collected logs, the Alibaba Cloud account needs to create and bind a custom policy with the least privilege as follows:

{
  "Version": "1",
  "Statement": [
    {
    # Read-only access to Project
      "Effect": "Allow",
      "Action": [
        "log:ListProject",
        "log:GetAcceleration",
        "log:ListDomains",
        "log:GetLogging",
        "log:ListTagResources"
      ],
      "Resource": "acs:log:${regionName}:${uid}:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "log:GetProject",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}"
    },
    {
    # Manage Logstore
      "Effect": "Allow",
      "Action": [
        "log:ListLogStores",
        "log:*LogStore",
        "log:*Index",
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreContextLogs"
      ],
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/*"
    },
    {
    # Manage LoongCollector (Logtail) data ingestion
      "Effect": "Allow",
      "Action": "log:*",
      "Resource": [
        "acs:log:${regionName}:${uid}:project/${projectName}/logtailconfig/*",
        "acs:log:${regionName}:${uid}:project/${projectName}/machinegroup/*"
      ]
    },
    {
    # Query saved searches
      "Effect": "Allow",
      "Action": "log:ListSavedSearch",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/savedsearch/*"
    },
    {
    # Query dashboards
      "Effect": "Allow",
      "Action": "log:ListDashboard",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/dashboard/*"
    }
    # Query logs from a specific Logstore
    {
      "Effect": "Allow",
      "Action": "log:GetLogStoreLogs",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName}"
    }
  ]
}

To configure collection for existing Logstores of the Alibaba Cloud account, the Alibaba Cloud account needs to create and bind a custom policy with the least privilege as follows:

{
  "Version": "1",
  "Statement": [
    {
    # Read-only access to Project
      "Effect": "Allow",
      "Action": [
        "log:ListProject",
        "log:GetAcceleration",
        "log:ListDomains",
        "log:GetLogging",
        "log:ListTagResources"
      ],
      "Resource": "acs:log:${regionName}:${uid}:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "log:GetProject",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}"
    },
    {
    # Read-only access to Logstore
      "Effect": "Allow",
      "Action": [
        "log:ListLogStores",
        "log:GetLogStore",
        "log:GetLogStoreHistogram",
        "log:GetIndex",
        "log:CreateIndex",
        "log:UpdateIndex",
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetLogStoreContextLogs"
      ],
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/*"
    },
    {
    # Manage LoongCollector (Logtail) data ingestion
      "Effect": "Allow",
      "Action": "log:*",
      "Resource": [
        "acs:log:${regionName}:${uid}:project/${projectName}/logtailconfig/*",
        "acs:log:${regionName}:${uid}:project/${projectName}/machinegroup/*"
      ]
    },
    {
    # Query saved searches
      "Effect": "Allow",
      "Action": "log:ListSavedSearch",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/savedsearch/*"
    },
    {
    # Query dashboards
      "Effect": "Allow",
      "Action": "log:ListDashboard",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/dashboard/*"
    }
     # Query logs from a specific Logstore
    {
      "Effect": "Allow",
      "Action": "log:GetLogStoreLogs",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName}"
    }
  ]
}

Create a project

If you do not have an available project, follow these steps to create a basic project. For more information, see Manage projects.

Log on to the Simple Log Service console, click Create Project, and complete the following basic configuration. You can keep other settings at their default values:

Region: Select an appropriate Alibaba Cloud region based on the log source and other information. After a project is created, its region cannot be changed.
Project Name: Set a name that is unique within the Alibaba Cloud region. After a project is created, its name cannot be changed.

Create a Logstore

If you do not have an available Logstore, follow these steps to create a basic Logstore. For more information, see Manage Logstores.

Log on to the Simple Log Service console, and click the project that manages your log resources in the Project List.
On the Storage > Logstores tab, click the + icon.
Enter a Logstore Name and keep other settings at their default values.

Install LoongCollector (Logtail)

LoongCollector is a new generation log collection agent launched by Alibaba Cloud Simple Log Service (SLS), serving as an upgraded version of Logtail.

When your ECS instance and the Simple Log Service project are in the same account and same region, choose Automatic Installation.

Choose Manual Installation in any of the following situations:

The ECS instance and the Simple Log Service project are in the same account but different regions.
The ECS instance and the Simple Log Service project belong to different accounts.
The server is from another cloud provider or is self-managed.

Automatic installation

To automatically install LoongCollector (Logtail) on an ECS instance, you need operation permissions for OOS resources. If you log on with an Alibaba Cloud account, you have all operation permissions by default and can directly perform related operations.

If you log on with a RAM user, contact the Alibaba Cloud account owner to grant you permissions to operate OOS resources. The Alibaba Cloud account can grant permissions to you by using system policies or custom policies:

System policies:
- AliyunOOSFullAccess: This policy grants all permissions to manage CloudOps Orchestration Service (OOS).
- AliyunECSFullAccess: This policy grants the permissions to manage ECS instances.

Custom policies: If you have high data security requirements, you can create custom policies to implement fine-grained authorization. The following is a policy for operating OOS resources:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags",
                "ecs:DescribeInstances",
                "ecs:DescribeInvocationResults",
                "ecs:RunCommand",
                "ecs:DescribeInvocations",
                "ecs:InvokeCommand"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oos:ListTemplates",
                "oos:StartExecution",
                "oos:ListExecutions",
                "oos:GetExecutionTemplate",
                "oos:ListExecutionLogs",
                "oos:ListTaskExecutions"
            ],
            "Resource": "*"
        }
    ]
}

By following these steps, you can automatically install LoongCollector (Logtail) on an ECS instance while creating and configuring a machine group. This section provides only the necessary operations for automatic installation. For more information, see Install, run, upgrade, and uninstall LoongCollector (Logtail):

Log on to the Simple Log Service console, click the Project that is used to manage log resources to view the list of Logstores, click the icon before the name of the target Logstore to expand it, then click the icon next to Data Ingestion, select a text log template in the dialog box that appears, and click Ingest Data Now.
Simple Log Service provides multiple text log import templates such as regular, single-line, and multi-line templates. These templates differ only in log parsing plugins, with all other configurations being identical. Additionally, you can add or remove log parsing plugins within the templates. You can select a template based on the characteristics of the logs to be collected, or select any text log template and then configure plugins based on the log characteristics.
On the Machine Group Configuration page, select Host as the scenario and ECS as the installation environment, and then click Create Machine Group.
In the Create Machine Group panel, select ECS instances in the same region as the project (you can select multiple ECS instances), click Install And Create Machine Group, wait for the installation to complete, configure a machine group Name, and click OK.
Note
If the installation fails or remains in a waiting state, check whether the ECS region is the same as the project region.
After installation, you can go to the Resources > Machine Groups page, click the newly created machine group, and check the Heartbeat status in the Machine Group Configuration > Machine Group Status section. If the heartbeat status is OK, the creation is successful.

Manual installation

If you log on with an Alibaba Cloud account, you have all operation permissions by default and can directly perform related operations.

If you log on with a RAM user, you need to request the system policy for operating ECS from the Alibaba Cloud account owner:

AliyunECSFullAccess: This policy grants the permissions to manage ECS instances.

For fine-grained permission control, see Create custom policies to implement fine-grained authorization.

To manually install LoongCollector (Logtail), you need to complete the following core operations in sequence: download and install LoongCollector (Logtail), configure a user identifier, and create a machine group. This section describes the necessary operations to manually install LoongCollector (Logtail) on Linux/Windows servers in a public network environment.

Download and install LoongCollector (Logtail):

Note

Refer to Supported regions to replace ${region_id} in the sample code. For example, for China (Hangzhou), the ${region_id} is cn-hangzhou.

Environment

Download LoongCollector (Logtail)

Install LoongCollector (Logtail)

Verify installation

Linux

Download in a public network environment:

# Download loongcollector
wget http://aliyun-observability-release-${region_id}.oss-${region_id}.aliyuncs.com/loongcollector/linux64/latest/loongcollector.sh -O loongcollector.sh;

# Download logtail
wget http://logtail-release-${region_id}.oss-${region_id}.aliyuncs.com/linux64/logtail.sh -O logtail.sh;

# Install loongcollector
chmod +x loongcollector.sh; ./loongcollector.sh install ${region_id}-internet

# Install logtail
chmod +x logtail.sh; ./logtail.sh install ${region_id}-internet

Check the LoongCollector (Logtail) service status:

# loongcollector
sudo /etc/init.d/loongcollectord status
# logtail
sudo /etc/init.d/ilogtaild status

If the system returns loongcollector is running or ilogtail is running, Logtail is installed. If Logtail is not running, uninstall and then reinstall it.

Windows

Note

LoongCollector does not support Windows systems.

Regions in China: Logtail installation package 32-bit, Logtail installation package 64-bit
Regions outside China: Logtail installation package 32-bit, Logtail installation package 64-bit

First extract the installation package, then run Windows PowerShell or cmd as an administrator in the extracted directory logtail_installer, and execute the following command.

.\logtail_installer.exe install ${region_id}-internet

Open the Run window, enter services.msc, and open the Services window.
Check the running status of the following services: LogtailDaemon service (Logtail 1.0.0.0 and later versions) or LogtailWorker service (Logtail 0.x.x.x versions).
If the service status shows "Running", Logtail has been successfully installed and started.

Configure a user identifier: The user identifier configuration file contains the Alibaba Cloud account ID information, which is used to identify that this server has permission to be accessed and have its logs collected by the account.

You only need to configure a user identifier when collecting logs from non-Alibaba Cloud account ECS instances, self-managed IDCs, or servers from other cloud providers. You can skip this step if your ECS instance and the project that manages log resources belong to the same Alibaba Cloud account.

Copy the Alibaba Cloud account ID: Hover your mouse over the profile picture in the upper-right corner, and view and copy the account ID from the pop-up tab.

Log on to the server from which you want to collect data, and create an Alibaba Cloud account ID file to configure the user identifier:

Environment

Command

Linux

touch /etc/ilogtail/users/{Alibaba Cloud account ID} # If the /etc/ilogtail/users directory does not exist, manually create it. The user identifier configuration file only needs a file name without a file extension.

Windows

Note

LoongCollector does not support Windows systems.

type nul > C:\LogtailData\users\{Alibaba Cloud account ID}

Create a machine group: Used to manage and organize log collection work for multiple servers.

Create a machine group identifier: Simple Log Service establishes a heartbeat connection with LoongCollector (Logtail) on the host by discovering the custom identifier.

Important

Linux and Windows servers are not allowed to exist in the same Machine Group. Do not configure the same Custom Identifier on Linux and Windows servers.
A server can be configured with multiple Custom Identifiers, separated by line feeds.

Create a Custom Identifier file user_defined_id in the specified directory (create the directory manually if it does not exist), and configure a custom identifier. This example uses user-defined-1:

By default, adding, deleting, or modifying the custom identifier file takes effect within 1 minute.

Environment	Command
Linux	`echo "user-defined-1" > /etc/ilogtail/user_defined_id`
Windows Note LoongCollector does not support Windows systems.	Manually enter `user-defined-1` in the `C:\LogtailData\user_defined_id` file and save it.

Configure the machine group: Log on to the Simple Log Service console, click the Project that is used to manage log resources, and in the left-side navigation pane, select Resource > Machine Group. Click > Create Machine Group to the right of Machine Groups, and then click OK after you complete the configuration.
1. Set a machine group name.
2. Machine Group Identification: Select Custom Identifier.
3. Custom Identifier: Manually enter user-defined-1.
Confirm that the machine group is created successfully: After installation, you can go to the Resources > Machine Groups page, click the newly created machine group, and check the Heartbeat status in the Machine Group Configuration > Machine Group Status section. If the heartbeat status is OK, the creation is successful.

Basic collection configuration

After confirming that you meet the prerequisites, you can start the basic configuration. You can also refer to Advanced collection configuration to perform operations such as data masking and filtering on log content to meet more refined log collection requirements.

Log on to the Simple Log Service console, click the project that is used to manage log resources to view the list of Logstores, and click the icon before the name of the Logstore that is used to store logs to expand it. Then, click the icon next to Data Import, enter Text Log in the search box to search for a template, select a suitable template, and click Access Now:

Simple Log Service provides multiple text log import templates such as regular, single-line, and multi-line templates. These templates differ only in log parsing plugins, with all other configurations being identical. Additionally, you can add or remove log parsing plugins within the templates. You can select a template based on the characteristics of the logs to be collected, or select any text log template and then configure and combine plugins.

Single-line text log collection: Stores the entire log line in the content field (preserving the original text). This is suitable for quickly collecting logs that do not require analysis (such as temporary debugging). It is simple to operate, but when analyzing later, you need to manually extract information through fuzzy searches, which has a high analysis cost.
Other text log collection: Selecting built-in parsing functions (such as Nginx/JSON/regex) based on the log format automatically extracts key fields (such as status=200, method=GET), making queries and analysis more efficient. This is suitable for logs that need frequent long-term analysis. Although parsing rules need to be configured, it significantly reduces the cost of queries and analysis.

Comparison example (using Nginx logs as an example)

Original log:`127.0.0.1 - [2024-01-01] "GET /api HTTP/1.1" 200 340`
Simple mode (single-line text log) collection result	Parsing plugin (Nginx) parsing result
`content: "127.0.0.1 - [2024-01-01] \"GET /api HTTP/1.1\" 200 340"`	`client_ip: 127.0.0.1 time: 2024-01-01 method: GET path: /api status: 200`

Simple single-line

Example:

Original log

Original log stored entirely in content

Aug 19 11:20:51 hostname-1 crond[2995]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

content: Aug 19 11:20:51 hostname-1 crond[2995]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

Select the Single-line - Text Log template. On the Machine Group Configuration page, select the installation environment and machine group, and click Next to go to the Logtail Configuration page. Configure the following settings and click Next:

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as C:/Program Files/Intel/*/.Log.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

On the Query And Analysis Configuration page, preview the data, click Auto Generate Index, and Simple Log Service will generate field indexes. These indexes allow you to perform exact queries on specific fields, thereby reducing indexing costs and improving query efficiency. After completion, click Next to finish the configuration.

Regular expression parsing

Example: Use the regular expression (\S+)\s-\s(\S+)\s\[([^]]+)]\s"(\w+)\s(\S+)\s([^"]+)"\s(\d+)\s(\d+)\s"([^"]+)"\s"([^"]+).* for parsing.

Original log

Custom regular expression parsing

127.0.0.1 - - [16/Aug/2024:14:37:52 +0800] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 41 "http://www.example.com/wp-admin/post-new.php?post_type=page" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"

body_bytes_sent: 41
http_referer: http://www.example.com/wp-admin/post-new.php?post_type=page
http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; ×64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0
remote_addr: 127.0.0.1
remote_user: -
request_method: GET
request_protocol: HTTP/1.1
request_uri: /wp-admin/admin-ajax.php?action=rest-nonce
status: 200
time_local: 16/Aug/2024:14:37:52 +0800

Select the Regex - Text Log template. On the Machine Group Configuration page, select the installation environment and machine group, and click Next to go to the Logtail Configuration page. Configure the following settings and click Next:

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection:

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as C:/Program Files/Intel/*/.Log.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

Processing Configuration:
- Add Sample Log: Make sure to use a sample log from the actual scenario where logs are to be collected. Configuring a sample log can help you configure log processing parameters and reduce configuration difficulty.
- Configure Data Parsing (Regex Mode) plugin: Click Data Parsing (Regex Mode), and configure the regular expression and log extraction fields.
  - Regular Expression: Used to match logs. You can automatically generate or manually enter a regular expression.
    - If you have provided a sample log, you can click Auto Generate Regular Expression, select the log content that you want to extract in the Sample Log, and click Generate to automatically generate a regular expression.
    - Manually Enter A Regular Expression based on the log content. If you have provided a sample log, you can click Validate to test whether the regular expression can correctly parse the log content.
  - Log Extraction Fields: Set corresponding field names (Keys) for the extracted log content (Values).

Delimiter parsing

Example:

Original log

Split fields by the specified character,

05/May/2025:13:30:28,10.10.*.*,"POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1",200,18204,aliyun-sdk-java

ip:10.10.*.*
request:POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1
size:18204
status:200
time:05/May/2025:13:30:28
user_agent:aliyun-sdk-java

Select the Delimiter - Text Log template. On the Machine Group Configuration page, select the installation environment and machine group, and click Next to go to the Logtail Configuration page. Configure the following settings and click Next:

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection:

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as C:/Program Files/Intel/*/.Log.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

Processing Configuration: Configure the Data Parsing (Delimiter Mode) plugin.
- Delimiter: Select the correct delimiter based on the log content. For example, for CSV file format, click the drop-down list, select Custom, and enter a comma (,).
- Quote: When the content of a log field contains delimiters, you need to specify a quote character to wrap the content. Content wrapped by quote characters will be parsed as a complete field.
- Log Extraction Fields: Set keys for the values after splitting according to the delimiter order. Keys can only contain letters, digits, or underscores (_), and must start with a letter or underscore (_). A key can be up to 128 bytes in length.

Standard JSON parsing

Example:

Original log

Standard JSON key-value automatic extraction

{"url": "POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=U0Ujpek********&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=pD12XYLmGxKQ%2Bmkd6x7hAgQ7b1c%3D HTTP/1.1", "ip": "10.200.98.220", "user-agent": "aliyun-sdk-java", "request": {"status": "200", "latency": "18204"}, "time": "05/Jan/2025:13:30:28"}

ip: 10.200.98.220
request: {"status": "200", "latency" : "18204" }
time: 05/Jan/2025:13:30:28
url: POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=U0Ujpek******&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=pD12XYLmGxKQ%2Bmkd6x7hAgQ7b1c%3D HTTP/1.1
user-agent:aliyun-sdk-java

Select the JSON - Text Log template. On the Machine Group Configuration page, select the installation environment and machine group, and click Next to go to the Logtail Configuration page. Configure the following settings and click Next:

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as C:/Program Files/Intel/*/.Log.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

Processing Configuration: Configure the Data Parsing (JSON Mode) plugin, which extracts the keys at the first level of the Object as Keys and the values at the first level of the Object as Values.
- Original Field: The original field that stores the log content before parsing. The default value is content.

Nested JSON parsing

Example: The original log is as follows. Expand the original field in JSON format and use the expansion depth as a prefix.

{"s_key":{"k1":{"k2":{"k3":{"k4":{"k51":"51","k52":"52"},"k41":"41"}}}}}

Expansion depth	Multi-level JSON parsing log
0	`0_s_key_k1_k2_k3_k41:41 0_s_key_k1_k2_k3_k4_k51:51 0_s_key_k1_k2_k3_k4_k52:52`
1	`1_s_key:{"k1":{"k2":{"k3":{"k4":{"k51":"51","k52":"52"},"k41":"41"}}}}`

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as C:/Program Files/Intel/*/.Log.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

Processing Configuration: Click Add Processing Plugin, select Extended Processing Plugin > Expand JSON Fields, and configure the following settings.
- Original Field: The name of the original field to be expanded.
- JSON Expansion Depth: The default value is 0, which means expanding to the deepest level that can be successfully parsed; 1 means the current level, and so on.
- JSON Expansion Connector: The connector for field names during JSON expansion. The default value is an underscore (_).
- JSON Expansion Field Prefix: Specify the prefix for field names after JSON expansion.
- Expand Array: Specify whether to expand array-type fields. For example, {"k":["1","2"]} will be expanded to {"k[0]":"1","k[1]":"2"}.
  If you want to modify field names, you can use the Rename Fields plugin in combination to map expanded field names to new field names, thereby meeting the requirements for log processing and analysis.

JSON array parsing

Example:

Original log	Extract JSON array structure
`[{"key1":"value1"},{"key2":"value2"}]`	`json1:{"key1":"value1"} json2:{"key2":"value2"}`

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as C:/Program Files/Intel/*/.Log.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

Processing Configuration:
- Processing Mode: Select SPL.
- SPL Statement: You can use the json_extract function to extract JSON objects from a JSON array. For more JSON functions, see Basic syntax and examples of JSON functions.
  - Example: Extract elements from the JSON array in the log field content and store the results in new fields json1 and json2.
```
* | extend json1 = json_extract(content, '$[0]'), json2 = json_extract(content, '$[1]')
```

Nginx log parsing

Example:

Original log

Parse into key-value pairs based on the definition oflog_format main

192.168.*.* - - [15/Apr/2025:16:40:00 +0800] "GET /nginx-logo.png HTTP/1.1" 0.000 514 200 368 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.*.* Safari/537.36"

body_bytes_sent: 368
http_referer: -
http_user_agent : Mozi11a/5.0 (Nindows NT 10.0; Win64; x64) AppleMebKit/537.36 (KHTML, like Gecko) Chrome/131.0.x.x Safari/537.36
remote_addr:192.168.*.*
remote_user: -
request_length: 514
request_method: GET
request_time: 0.000
request_uri: /nginx-logo.png
status: 200
time_local: 15/Apr/2025:16:40:00

Select the Nginx - Text Log template. On the Machine Group Configuration page, select the installation environment and machine group, and click Next to go to the Logtail Configuration page. Configure the following settings and click Next:

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection:

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as C:/Program Files/Intel/*/.Log.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

Processing Configuration: Configure the Data Parsing (NGINX Mode) plugin.
- Choose whether to enable multi-line mode in the processing configuration based on your needs. If enabled, configure the first line regular expression.
- In the processing mode, select the processing plugin combination, click Add Processing Plugin, select the Data Parsing (NGINX Mode) plugin, and enter the following content in NGINX Log Configuration, then click OK.
```
log_format main  '$remote_addr - $remote_user [$time_local] "$request" ''$request_time $request_length ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent"';
```
  Note
  The Data Parsing (NGINX Mode) plugin supports structuring log content based on the definition in log_format, parsing it into multiple key-value pairs. If the default content does not meet your requirements, you can use a custom format.

IIS log parsing

Example:

Original log

Microsoft IIS server specific format adaptation

#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

c-ip: cs-username
cs-bytes: sc-substatus
cs-method: cs-method
cs-uri-query: cs-uri-query
cs-uri-stem: cs-uri-stem
cs-username: s-port
date: #Fields:
s-computername: s-sitename
s-ip: s-ip
s-sitename: time
sc-bytes: sc-status
sc-status: c-ip
sc-win32-status: cs (User-Agent)
time: date
time-taken: sc-win32-status

Select the IIS - Text Log template. On the Machine Group Configuration page, select the installation environment and machine group, and click Next to go to the Logtail Configuration page. Configure the following settings and click Next:

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection:

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as C:/Program Files/Intel/*/.Log.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

Processing Configuration: The Data Parsing (IIS Mode) plugin supports structuring log content based on the IIS log file format definition, parsing it into multiple key-value pairs.
- Choose whether to enable multi-line mode in the processing configuration based on your needs. If enabled, configure the first line regular expression.
- In the processing mode, select the processing plugin combination, click Add Processing Plugin, select the Data Parsing (IIS Mode) plugin, select the log format and IIS configuration fields, and click OK.
  - Log Format: Select the log format used by your IIS server.
    - IIS: Microsoft IIS log file format.
    - NCSA: NCSA Common log file format.
    - W3C: W3C Extended log file format.
  - IIS Configuration Fields: If you select IIS or NCSA, Simple Log Service sets the IIS configuration fields by default. If you select W3C, set this parameter to the value of the logExtFileFlags parameter in your IIS configuration file. For example:
```
logExtFileFlags="Date, Time, ClientIP, UserName, SiteName, ComputerName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, BytesSent, BytesRecv, TimeTaken, ServerPort, UserAgent, Cookie, Referer, ProtocolVersion, Host, HttpSubStatus"
```

On the Query And Analysis Configuration page, preview the data, click Auto Generate Index, and Simple Log Service will generate field indexes. These indexes allow you to performexact queries on specific fields, thereby reducing indexing costs and improving query efficiency. After completion, click Next to finish the configuration.

Apache log parsing

Example: The parsing result of the combined format log is as follows

Original log

Apache Common Log Formatcombined parsing

1 192.168.1.10 - - [08/May/2024:15:30:28 +0800] "GET /index.html HTTP/1.1" 200 1234 "https://www.example.com/referrer" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.X.X Safari/537.36"

http_referer:https://www.example.com/referrer
http_user_agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.X.X Safari/537.36
remote_addr:192.168.1.10
remote_ident:-
remote_user:-
request_method:GET
request_protocol:HTTP/1.1
request_uri:/index.html
response_size_bytes:1234
status:200
time_local:[08/May/2024:15:30:28 +0800]

Select the Apache - Text Log template. On the Machine Group Configuration page, select the installation environment and machine group, and click Next to go to the Logtail Configuration page. Configure the following settings and click Next:

Global Configuration: Enter a configuration name

Input Configuration:

File Path: The path for log collection:

Linux	Starts with "/", such as `/data/mylogs/*/.log`, which indicates all files with the .log extension in the `/data/mylogs` directory.
Windows	Starts with a drive letter, such as `C:/Program Files/Intel/*/.Log`.

Maximum Directory Monitoring Depth: The maximum directory depth that the wildcard ** in the File Path can match. The default value is 0, which indicates that only the current directory is monitored.

Processing Configuration: Data Parsing (Apache Mode) plugin, using the combined log format as an example.
- Log Format: combined
- APACHE Configuration Fields: When Log Format is set to combined, the configuration fields for the corresponding format are automatically filled in. Please confirm whether they are consistent with the format defined in the Apache configuration file.

Advanced collection configuration

While performing basic collection configuration, you can also refer to the following operations for advanced configuration to meet more refined log collection requirements, or you can adjust the configuration after completing the basic configuration. The following are common advanced configurations and their functions:

LoongCollector (Logtail) provides processing plugins to further parse raw logs into structured data. Processing plugins are divided into native processing plugins and extended processing plugins. This section covers the use of native processing plugins.

On the target project page, click the icon to expand the target Logstore, click Logtail Configurations, click Manage Logtail Configuration in the Actions column of the target Logtail configuration, and click Edit on the configuration page.
On the Logtail Configuration page, you can select appropriate operations from the following scenarios to modify the collection configuration rules as needed:
- Configure multi-line log collection: When the content of a log (such as exception stack information) occupies multiple lines, you need to enable multi-line mode and configure a first line regular expression to match the starting line of the log. This allows multiple lines to be collected and stored as a single log in Simple Log Service.
- Allow file to be collected multiple times: Allow a log file to be collected by multiple LoongCollector (Logtail) configurations.
- Configure log topic type: Set different topics for different log streams to better organize and categorize log data, making it easier to manage and retrieve related logs.
- Configure collection blacklist: Ignore specified directories or files during collection. You can configure blacklists by file path, file, or directory.
- Log data masking: Mask sensitive information in logs before saving them to Simple Log Service.
- Log content filtering: When there are many invalid logs in the original logs that do not need to be saved to Simple Log Service, you can use log filtering to remove them.
- Specify log time: Allows you to parse the time field from logs and set the result as the __time__ field.
- Log compression: If you want to optimize log transmission efficiency, you can configure a compression method. The supported methods are lz4 and zstd.

Comparison example (using the data masking plugin as an example)

Original log:`{"account":1111111,"password":"dewefege"}`
JSON text log collection result	Data masking plugin parsing result
`account:1111111 password:dewefege`	`account:1111111 password:********`

Configure multi-line log collection

Simple Log Service defaults to single-line mode, which splits and stores logs by line. This causes multi-line logs containing stack information to be split line by line, with each line stored and displayed as an independent log, which is not conducive to analysis.

To address this issue, you can enable multi-line mode to change how Simple Log Service splits logs, and configure a regular expression to match the starting line of logs. This allows the original logs to be split and stored according to the starting line rules. Example:

Original log:

[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
    at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
    at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
    at TestPrintStackTrace.main(TestPrintStackTrace.java:16)

Comparison between single-line mode and multi-line mode:

Single-line mode: Each line is treated as an independent log, stack information is broken apart, losing context	Multi-line mode: Complete logs are identified through first line regular expressions, preserving the complete semantic structure
	`content:[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened at TestPrintStackTrace.f(TestPrintStackTrace.java:3) at TestPrintStackTrace.g(TestPrintStackTrace.java:7) at TestPrintStackTrace.main(TestPrintStackTrace.java:16)`

Configure multi-line mode on the Logtail Configuration page. After configuration, click Save:

Processing Configuration: Enable Multi-line Mode.
Type: Select Custom or Multi-line JSON.
- Custom: The format of the original logs is not fixed, and you need to configure a First Line Regular Expression to identify the starting line of each log.
  - First Line Regular Expression: Supports automatic generation or manual input. The regular expression needs to match a complete line of data. For the example above, the matching regular expression is \[\d+-\d+-\w+:\d+:\d+,\d+]\s\[\w+]\s.*.
    - Click Auto Generate Regular Expression, then in the Sample Log text box, select the log content you want to extract, and click Generate.
    - Click Manually Enter Regular Expression, enter the regular expression. After configuration, click Validate.
- Multi-line JSON: Select this when the original logs are all in standard JSON format. LoongCollector (Logtail) will automatically handle line breaks within a single JSON log.
Processing Method If Splitting Fails:
- Discard: Directly discard this log segment.
- Retain Single Line: Retain each line of log text as a separate log.

Configure log topic type

Configure the following settings on the Logtail Configuration page. After configuration, click Save:

Global Configuration > Other Global Configurations: Configure the log topic type.

Log Topic Type: Select the method to generate log topics.

Machine Group Topic: Simple Log Service supports applying one LoongCollector (Logtail) configuration to multiple machine groups. You can use Machine Group Topic to distinguish logs from different machine groups. When LoongCollector (Logtail) reports data, it uploads the Machine Group Topic of the server's machine group as the log topic to the project. You need to specify the log topic as a query condition when querying logs.

File Path Extraction: If different users or applications store logs in different top-level directories, but the subdirectories and log file names are the same, Simple Log Service cannot clearly distinguish which user or application generated the logs during log collection. In this case, the File Path Extraction method can be used to distinguish logs generated by different users or applications. You can use a regular expression to fully match the file path and upload the result of the expression match (user name or application name) as the log topic to Simple Log Service.

Use regular expressions to extract topics from file paths

Note

You must escape the forward slash (/) in a regular expression that is used to match a log file path.

Scenario 1: Different users record logs in different directories, but the log file names are the same. The directory paths are as follows.

/data/logs
├── userA
│   └── serviceA
│       └── service.log
├── userB
│   └── serviceA
│       └── service.log
└── userC
    └── serviceA
        └── service.log

If you only configure the file path as /data/logs and the file name as service.log in the Logtail Configuration, LoongCollector (Logtail) will collect the content of all three service.log files to the same Logstore, making it impossible to distinguish which user generated the logs. You can use a regular expression to extract values from the file path to generate different log topics.

Regular expression	Extraction result
`\/data\/logs\/(.)\/serviceA\/.`	`__topic__: userA __topic__: userB __topic__: userC`

Scenario 2: If a single log topic is not sufficient to distinguish the source of logs, you can configure multiple regular capturing groups in the log file path to extract key information. Capturing groups include named capturing groups (?P<name>) and unnamed capturing groups.

If you use named capturing groups, the generated tag field is __tag__:{name};
If you use unnamed capturing groups, the generated tag field is __tag__:__topic_{i}__, where {i} is the sequence number of the capturing group.

Note

When there are multiple capturing groups in the regular expression, the __topic__ field will not be generated.

For example, if the file path is /data/logs/userA/serviceA/service.log, you can extract multiple values from the file path using the following methods:

Example

Regular expression

Extraction result

Use unnamed capturing groups for regular extraction.

\/data\/logs\/(.*?)\/(.*?)\/service.log

__tag__:__topic_1__: userA
__tag__:__topic_2__: serviceA

Use named capturing groups for regular extraction.

\/data\/logs\/(?P<user>.*?)\/(?P<service>.*?)\/service.log

__tag__:user: userA
__tag__:service: serviceA

Verification: After configuration, query logs by log topic: On the log query and analysis page, enter the corresponding generated log topic, such as __topic__: userA or __tag__:__topic_1__: userA, to query logs with the respective topic. For more information, see Query syntax and features.

Custom: Enter customized:// + custom topic name to use a custom static log topic.

Allow file to be collected multiple times

Configure the following settings on the Logtail Configuration page:

Input Configuration: Enable Allow File To Be Collected For Multiple Times. By default, a log file can only match one LoongCollector (Logtail) configuration. When enabled, the same file can be collected by multiple LoongCollector (Logtail) configurations.

Configure collection blacklist

Configure the following settings on the Logtail Configuration page:

When a blacklist is in use, computational overhead is generated. We recommend that you add up to 10 entries to the blacklist.

Input Configuration > Other Input Configurations: Enable Collection Blacklist and select the appropriate blacklist method for configuration.
You can specify exact directories and file names. You can also use wildcard characters to specify directories and file names. When you configure this parameter, you can use only asterisks (*) or question marks (?) as wildcard characters.
- File Path Blacklist: Configure file paths to be ignored during collection. Examples:
  - /home/admin/private*.log: Ignore all files in the /home/admin/ directory that start with private and end with .log.
  - /home/admin/private*/*_inner.log: Ignore all files in directories under /home/admin/ that start with private and end with _inner.log.
- File Blacklist: Configure file names to be ignored during collection. Example:
  - app_inner.log: Ignore all files named app_inner.log during collection.
- Directory Blacklist: Directory paths cannot end with a forward slash (/). Examples of directory paths:
  - /home/admin/dir1/: The directory blacklist will not take effect.
  - /home/admin/dir*: Ignore all files in subdirectories that start with dir under the /home/admin/ directory during collection.
  - /home/admin/*/dir: Ignore all files in second-level subdirectories named dir under the /home/admin/ directory during collection. For example, files in the /home/admin/a/dir directory are ignored, while files in the /home/admin/a/b/dir directory are collected.

Log data masking

Example:

Original log

Parsed log

[{'account':'1812213231432969','password':'04a23f38'}, {'account':'1812213685634','password':'123a'}]

[{'account':'1812213231432969','password':'********'}, {'account':'1812213685634','password':'********'}]

On the Logtail Configuration page, click Add Processing Plugin in the Processing Configuration tab, select Native Processing Plugin > Data Masking, and configure the following settings:

Original Field: The original field that stores the log content before parsing.
Masking Method: Supports const and md5
- const: Replace sensitive content with the string you specify.
- md5: Replace sensitive content with its corresponding MD5 value.
Replacement String: When Masking Method is set to const, you need to enter a string to replace the sensitive content.
Content Expression Before Replacement: Used to find sensitive content. Configure using RE2 syntax.
Content Expression To Be Replaced: The expression for sensitive content. Configure using RE2 syntax.

Log content filtering

On the Logtail Configuration page, click Add Processing Plugin in the Processing Configuration tab, select Native Processing Plugin > Native Plugin: Data Filtering, and configure the whitelist: After configuration, only logs that meet the whitelist conditions will be collected.

Field Name: The log field to be filtered.
Field Value: The regular expression used for filtering. Only full-text matching is supported, not partial keyword matching.

Specify log time

On the Logtail Configuration page, click Add Processing Plugin in the Processing Configuration tab, select Native Processing Plugin > Time Parsing, and configure the following settings:

The Time Parsing plugin is typically used in combination with other plugins to parse time fields extracted from the original log and write the parsing results to the _time_ field.

Original Field: The original field that stores the log content before parsing.
Time Format: Set the corresponding time format based on the time content in the log.
Time Zone: Select the time zone of the log time field. If you do not select this parameter, the time zone of the environment where the Logtail process resides is used by default.

Log compression

Configure the following settings on the Logtail Configuration page:

Output Configuration: Specify the Compression Method for data transmission.
Note
When configuring Logtail through the SDK, if this field is not specified, the default compression method depends on the Logtail version:
- For Logtail 1.3.4 and earlier versions, the default is lz4.
- For versions after Logtail 1.3.4, the default is zstd.
When configuring LoongCollector through the SDK, if this field is not specified, the default compression method is zstd.
- lz4: Fast compression speed, relatively low compression ratio.
- zstd: High compression ratio, slightly lower speed, high memory usage.

Troubleshooting text log collection issues

Check if there are incremental logs: After configuring LoongCollector (Logtail) collection, if there are no new logs added to the log file to be collected, LoongCollector (Logtail) will not collect that file.

Check the machine group heartbeat status: Go to the Resources > Machine Groups page, click the target machine group name, and check the Heartbeat status in the Machine Group Configuration > Machine Group Status section.

If the heartbeat is OK, it indicates that the connection between the machine group and the Simple Log Service project is normal.

If the heartbeat is FAIL:

Check the user identifier: If your server type is not ECS, or if you are using an ECS instance that belongs to a different Alibaba Cloud account than the project, check whether the correct user identifier exists in the specified directory according to the following table.

System	Specified directory	Solution
Linux	`/etc/ilogtail/users/`	Execute the `cd /etc/ilogtail/users/ && touch <uid>` command to create a user identifier file.
Windows	`C:\LogtailData\users\`	Go to the `C:\LogtailData\users\` directory and create an empty file named `<uid>`.

If the specified directory contains a file named after the ID of the Alibaba Cloud account to which the project belongs, the user identifier is configured correctly.

Check the machine group identifier: If you are using a custom identifier machine group, check whether the user_defined_id file exists in the specified directory. If it exists, check whether the content of the file is consistent with the custom identifier configured for the machine group.

System	Specified directory	Solution
Linux	`/etc/ilogtail/user_defined_id`	`# Configure a custom identifier, manually create the directory if it does not exist echo "user-defined-1" > /etc/ilogtail/user_defined_id`
Windows	`C:\LogtailData\user_defined_id`	Create a `user_defined_id` file in the `C:\LogtailData` directory and write the custom identifier in it. (Manually create the directory if it does not exist)

If both the user identifier and machine group identifier are configured correctly, see Troubleshooting for LoongCollector (Logtail) machine group issues for further troubleshooting.

Confirm that the LoongCollector (Logtail) collection configuration has been applied to the machine group: Even if the LoongCollector (Logtail) collection configuration has been created, if it has not been applied to the machine group, logs still cannot be collected.
1. Go to the Resources > Machine Groups page, click the target machine group name, and go to the Machine Group Configuration page.
2. On the page, check Manage Configurations. The left side shows All Logtail Configurations, and the right side shows Applied Logtail Configurations. If the target LoongCollector (Logtail) collection configuration has been moved to the right side (applied area), it indicates that the configuration has been successfully applied to the target machine group.
3. If the target LoongCollector (Logtail) collection configuration has not been moved to the right side (applied area), click Modify, select the target LoongCollector (Logtail) configuration name in the All Logtail Configurations list on the left, click to move it to the right side (applied area), and then click Save.
View collection error information: If the above steps are all normal but logs still cannot be collected, it may be due to configuration errors or log format mismatches.
1. On the Logtail Configurations page, click the name of the LoongCollector (Logtail) configuration with collection issues, and on the Log Collection Errors tab, click Time Range to set the query time.
2. In the Collection Exception Monitoring > Full Error Information section, check the alert type of the error logs and find the corresponding solution in Common error types of data collection.

More information

Global configuration parameter description

Configuration item	Description
Configuration Name	The name of the LoongCollector (Logtail) configuration, which must be unique within its project. After creation, the name cannot be modified.
Log Topic Type	Select the method to generate log topics. Options include Machine Group Topic, File Path Extraction, and Custom.
Advanced Parameters	Other optional advanced parameters related to global configuration. For more information, see Create a LoongCollector (Logtail) pipeline configuration.

Input configuration parameter description

Configuration item	Description
File Path	Set the log directory and file name based on the location of logs on the host (such as an ECS instance): Both directory names and file names support exact mode and wildcard mode. For file name rules, see Wildcard matching. When you configure this parameter, you can use only asterisks () or question marks (?) as wildcard characters. Simple Log Service scans all levels of the specified directory to find the log files that match specified conditions. For example: `/apsara/nuwa//.log` indicates files with the .log extension in the `/apsara/nuwa` directory (including its recursive subdirectories). `/var/logs/app_//.log` indicates files with the `.log` extension in all directories that match the `app_` format under the `/var/logs` directory (including their recursive subdirectories). `/var/log/nginx//access` indicates files that start with `access` in the `/var/log/nginx` directory (including its recursive subdirectories).
Maximum Directory Monitoring Depth	Set the maximum depth of log directories to be monitored, which is the maximum directory depth that the wildcard `` in the File Path** can match. A value of 0 specifies that only the log file directory that you specify is monitored.
File Encoding Format	Select the format in which the log files are encoded.
First Collection Size	Specify the size of data that Logtail can collect from a log file the first time Logtail collects logs from the file. The default value of First Collection Size is 1024. Unit: KB. If the file size is less than 1,024 KB during the first collection, Logtail collects the file from the beginning. If the file size is greater than 1,024 KB, Logtail collects the last 1,024 KB of data in the file. You can modify the First Collection Size here. Valid values: 0 to 10485760. Unit: KB.
Collection Blacklist	After you turn on the Collection Blacklist switch, you can configure a blacklist to ignore specified directories or files during collection. You can specify exact directories and file names. You can also use wildcard characters to specify directories and file names. When you configure this parameter, you can use only asterisks () or question marks (?) as wildcard characters. Important* If you use wildcards in the File Path configuration but need to filter out some paths, you need to fill in the corresponding full path in the Collection Blacklist to ensure that the blacklist configuration takes effect. For example, if you configure File Path as `/home/admin/app/log/.log` but want to filter all subdirectories under the `/home/admin/app1` directory, you need to select Directory Blacklist* and configure the directory as `/home/admin/app1/`. If you configure it as `/home/admin/app1`, the blacklist will not take effect. When a blacklist is in use, computational overhead is generated. We recommend that you add up to 10 entries to the blacklist. Directory paths cannot end with a forward slash (/). For example, if you set the path to `/home/admin/dir1/`, the directory blacklist will not take effect. The following types of blacklists are supported: File Path Blacklist, File Blacklist, and Directory Blacklist. File path blacklist If you select File Path Blacklist and configure the path as `/home/admin/private.log`, all files in the `/home/admin/` directory that start with private and end with .log are ignored during collection. If you select File Path Blacklist* and configure the path as `/home/admin/private/_inner.log`, all files that end with _inner.log in directories that start with private under the `/home/admin/` directory are ignored during collection. For example, the `/home/admin/private/app_inner.log` file is ignored, while the `/home/admin/private/app.log` file is collected. File blacklist If you select File Blacklist and configure the file name as `app_inner.log`, all files named `app_inner.log` are ignored during collection. Directory blacklist If you select Directory Blacklist and configure the directory as `/home/admin/dir1`, all files in the `/home/admin/dir1` directory are ignored during collection. If you select Directory Blacklist and configure the directory as `/home/admin/dir`, all files in subdirectories that start with dir under the `/home/admin/` directory are ignored during collection. If you select Directory Blacklist* and configure the directory as `/home/admin/*/dir`, all files in second-level subdirectories named dir under the `/home/admin/` directory are ignored during collection. For example, files in the `/home/admin/a/dir` directory are ignored, while files in the `/home/admin/a/b/dir` directory are collected.
Allow File to Be Collected Multiple Times	By default, a log file can only match one LoongCollector (Logtail) configuration. If you need to collect a file multiple times, you need to turn on the Allow File To Be Collected For Multiple Times switch.
Advanced Parameters	Other optional advanced parameters related to the file input plugin. For more information, see Create a LoongCollector (Logtail) pipeline configuration.

Processing configuration parameter description

Configuration item	Description
Sample Log	Enter a sample log that is collected from an actual scenario. The sample log can help you configure parameters that are related to log processing with ease. You can enter multiple sample logs. The total length of the logs cannot exceed 1,500 characters. `[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened at TestPrintStackTrace.f(TestPrintStackTrace.java:3) at TestPrintStackTrace.g(TestPrintStackTrace.java:7) at TestPrintStackTrace.main(TestPrintStackTrace.java:16)`
Multi-line Mode	Specify the type of multi-line logs. A multi-line log spans multiple consecutive lines. You can configure this parameter to identify each multi-line log in a log file. Custom: Distinguish each log using the First Line Regular Expression. Multi-line JSON: Each JSON object is expanded into multiple lines, for example: `{ "name": "John Doe", "age": 30, "address": { "city": "New York", "country": "USA" } }` Processing Method If Splitting Fails: `Exception in thread "main" java.lang.NullPointerException at com.example.MyClass.methodA(MyClass.java:12) at com.example.MyClass.methodB(MyClass.java:34) at com.example.MyClass.main(MyClass.java:½0)` For the preceding sample log, Simple Log Service can do the following when it fails to split the log: Discard: Directly discard this log segment. Retain Single Line: Retain each line of log text as a separate log, resulting in a total of four logs.
Processing Mode	Processing Plugin Combination, including Native Plugins and Extended Plugins. For more information about processing plugins, see Overview of processing plugins. Important You are subject to the limits of processing plugins. For more information, see the on-screen instructions in the Simple Log Service console. Logtail V2.0: You can arbitrarily combine native processing plugins. You can combine native processing plugins and extended processing plugins. Make sure that extended processing plugins are added after native processing plugins. Logtail earlier than V2.0: You cannot add native plugins and extended plugins at the same time. You can use native plugins only to collect text logs. When you add native plugins, take note of the following items: You must add one of the following Logtail plugins for data processing as the first plugin: Data Parsing (Regex Mode), Data Parsing (Delimiter Mode), Data Parsing (JSON Mode), Data Parsing (NGINX Mode), Data Parsing (Apache Mode), and Data Parsing (IIS Mode). After you add the first plugin, you can add a Time Parsing plugin, a Data Filtering plugin, and multiple Data Masking plugins. For the Retain Original Field If Parsing Fails and Retain Original Field If Parsing Succeeds parameters, only the following combinations are valid. Other combinations are invalid. Upload logs that are parsed: Upload logs that are obtained after parsing if the parsing is successful, and upload raw logs if the parsing fails: Upload logs that are obtained after parsing and add a raw log field to the logs if the parsing is successful, and upload raw logs if the parsing fails. For example, if the original log `"content": "{"request_method":"GET", "request_time":"200"}"` is successfully parsed, an additional field is added to the parsed log. The field name is Renamed Original Field (if not filled, the default is the original field name), and the field value is the original log `{"request_method":"GET", "request_time":"200"}`.

Preparations

Automatic installation

Manual installation

Basic collection configuration

Simple single-line

Regular expression parsing

Delimiter parsing

Standard JSON parsing

Nested JSON parsing

JSON array parsing

Nginx log parsing

IIS log parsing

Apache log parsing

Advanced collection configuration

Configure multi-line log collection

Configure log topic type

Allow file to be collected multiple times

Configure collection blacklist

Log data masking

Log content filtering

Specify log time

Log compression

Troubleshooting text log collection issues

More information

Global configuration parameter description

Input configuration parameter description

File path blacklist

File blacklist

Directory blacklist

Processing configuration parameter description