Simple Log Service: Collect text logs from a self-managed cluster in DaemonSet mode

Last Updated: May 06, 2025

Simple Log Service allows you to install Logtail in DaemonSet or Sidecar mode and use Logtail to collect text logs from a Kubernetes cluster. For more information about the differences between the modes, see Install Logtail to collect logs from a Kubernetes cluster. This topic describes how to install Logtail in DaemonSet mode and use Logtail to collect text logs from a self-managed Kubernetes cluster.

Prerequisites

  • Simple Log Service is activated.

  • A cluster of Kubernetes 1.6 or later is available.

  • The kubectl command-line tool is installed in your Kubernetes cluster.

Usage notes

Solution overview

You can perform the following steps to install Logtail in DaemonSet mode and use Logtail to collect text logs from a self-managed Kubernetes cluster:

  1. Install Logtail components: Install Logtail components in your Kubernetes cluster. The Logtail components include DaemonSet logtail-ds, ConfigMap alibaba-log-configuration, and Deployment alibaba-log-controller. After the Logtail components are installed, Simple Log Service can deliver a Logtail configuration to Logtail and use Logtail to collect logs from the Kubernetes cluster.

  2. Create a Logtail configuration: After a Logtail configuration is created, Logtail collects incremental logs based on the Logtail configuration, and processes and uploads the collected logs to the created Logstore. You can create a Logtail configuration by using CRD - AliyunPipelineConfig or CRD - AliyunLogConfig, or in the Simple Log Service console. CRD - AliyunPipelineConfig is recommended.

  3. Query and analyze logs: After a Logtail configuration is created, Simple Log Service automatically creates a Logstore to store the collected logs. You can view the logs in the Logstore.

Step 1: Install Logtail

Important
  • The alibaba-log-controller component is available only in Kubernetes 1.6 and later.

  • Make sure that the kubectl command-line tool is installed on the machine on which you want to run commands.

  1. Log on to the Simple Log Service console. Create a project. For more information, see Create a project.

    We recommend that you create a project whose name starts with k8s-log-. Example: k8s-log-${your_k8s_cluster_id}.

  2. Log on to your Kubernetes cluster and run the following commands to install Logtail and the required dependent components:

    1. Download and decompress the installation package:

      • Chinese mainland

        wget https://logtail-release-cn-hangzhou.oss-cn-hangzhou.aliyuncs.com/kubernetes/0.5.3/alibaba-cloud-log-all.tgz; tar xvf alibaba-cloud-log-all.tgz; chmod 744 ./alibaba-cloud-log-all/k8s-custom-install.sh
      • Outside the Chinese mainland

        wget https://logtail-release-ap-southeast-1.oss-ap-southeast-1.aliyuncs.com/kubernetes/0.5.3/alibaba-cloud-log-all.tgz; tar xvf alibaba-cloud-log-all.tgz; chmod 744 ./alibaba-cloud-log-all/k8s-custom-install.sh
    2. Modify the ./alibaba-cloud-log-all/values.yaml configuration file:

      # ===================== Required settings =====================
      # The name of the project. 
      SlsProjectName: 
      # The ID of the region where the project resides. 
      Region: 
      # The ID of the Alibaba Cloud account to which the project belongs. You must enclose the ID in double quotation marks (""). 
      AliUid: "11**99"
      # The AccessKey ID and AccessKey secret of the Alibaba Cloud account or Resource Access Management (RAM) user. The RAM user must have the AliyunLogFullAccess permission. 
      AccessKeyID: 
      AccessKeySercret: 
      # The custom ID of the cluster. The ID can contain only letters, digits, and hyphens (-). 
      ClusterID: 
      # ==========================================================
      # Specifies whether to enable metric collection for the related components. Valid values: true and false. Default value: true. 
      SlsMonitoring: true
      # The network type. Valid values: Internet and Intranet. Default value: Internet. 
      Net: Internet
      # Specifies whether the container runtime of the cluster is containerd. Valid values: true and false. Default value: false. 
      SLS_CONTAINERD_USED: true

      The following table describes the parameters in the preceding configuration file. You can configure the parameters based on your business requirements.

      | Parameter | Description |
      | --- | --- |
      | SlsProjectName | The name of the created project. |
      | Region | The ID of the region where the project resides. For example, the ID of the China (Hangzhou) region is cn-hangzhou. For more information, see Supported regions. |
      | AliUid | The ID of the Alibaba Cloud account to which the project belongs. You must enclose the ID in double quotation marks (""). Example: AliUid: "11**99". For more information, see Obtain the ID of the Alibaba Cloud account to which your Simple Log Service project belongs. |
      | AccessKeyID | The AccessKey ID of the Alibaba Cloud account to which the project belongs. We recommend that you use the AccessKey pair of a RAM user and attach the AliyunLogFullAccess policy to the RAM user. For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service. |
      | AccessKeySercret | The AccessKey secret of the Alibaba Cloud account to which the project belongs. We recommend that you use the AccessKey pair of a RAM user and attach the AliyunLogFullAccess policy to the RAM user. For more information, see Create a RAM user and authorize the RAM user to access Simple Log Service. |
      | ClusterID | The custom ID of the cluster. The ID can contain only letters, digits, and hyphens (-). This parameter corresponds to the ${your_k8s_cluster_id} variable in the following operations. Important: Do not specify the same cluster ID for different Kubernetes clusters. |
      | SlsMonitoring | Specifies whether to enable metric collection for the related components. Valid values: true (default) and false. |
      | Net | The network type. Valid values: Internet (default) and Intranet. |
      | SLS_CONTAINERD_USED | Specifies whether the container runtime of the cluster is containerd. Valid values: true and false (default). Important: If you do not set this parameter to true for a self-managed Kubernetes cluster whose container runtime is containerd, Logtail may fail to collect logs. |

    3. Install Logtail and the required components.

      Note

      Run the command echo "$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m)" to find out your host's OS-architecture. k8s-custom-install.sh supports the following OS-architectures: linux-386, linux-amd64, linux-arm, linux-arm64, linux-ppc64le, linux-s390x, and darwin-amd64. If you have other requirements, submit a ticket.

      bash k8s-custom-install.sh; kubectl apply -R -f result
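
A pre-flight check for the values.yaml file edited in step 2, to run before the install command (an added example, not part of the Simple Log Service installer or its documentation). It applies the rules from the parameter table; the script name check-values.sh, the line-based reading of top-level `Key: value` settings, and the file-permission check are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check for values.yaml before k8s-custom-install.sh.
# Key names and value rules come from the parameter table on this page; the
# file-permission check is an extra hygiene assumption, not an SLS requirement.

# Text after "KEY:" on the first matching line, with any trailing comment removed.
raw_value() {  # raw_value FILE KEY
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/^#.*$//' -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//'
}

# Strip one pair of surrounding single or double quotes.
unquote() { sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"; }

# Print one finding per line; exit status 0 only when there are none.
check_values() (
  f=$1; n=0
  LC_ALL=C; export LC_ALL
  finding() { printf '%s\n' "$*"; n=$((n + 1)); }
  [ -r "$f" ] || { finding "FAIL: cannot read $f"; exit 2; }

  for key in SlsProjectName Region AliUid AccessKeyID AccessKeySercret ClusterID; do
    val=$(raw_value "$f" "$key" | unquote)
    [ -n "$val" ] || finding "FAIL: required setting $key is empty"
  done

  # AliUid must be written as a double-quoted string.
  raw=$(raw_value "$f" AliUid); val=$(printf '%s\n' "$raw" | unquote)
  if [ -n "$val" ] && [ "$raw" != "\"$val\"" ]; then
    finding "FAIL: AliUid must be enclosed in double quotation marks"
  fi

  # ClusterID: letters, digits, and hyphens only.
  case $(raw_value "$f" ClusterID | unquote) in
    *[!A-Za-z0-9-]*) finding "FAIL: ClusterID may contain only letters, digits, and hyphens" ;;
  esac

  # Optional settings: when present, the value must be one of the documented ones.
  for spec in "SlsMonitoring:true false" "Net:Internet Intranet" \
              "SLS_CONTAINERD_USED:true false"; do
    key=${spec%%:*}; val=$(raw_value "$f" "$key" | unquote); ok=0
    for allowed in ${spec#*:}; do
      if [ "$val" = "$allowed" ]; then ok=1; fi
    done
    if [ -n "$val" ] && [ "$ok" -eq 0 ]; then
      finding "FAIL: $key has unsupported value '$val'"
    fi
  done

  # The file holds an AccessKey secret: flag any group/other permission bits.
  if [ "$(ls -ldL "$f" | cut -c5-10)" != "------" ]; then
    finding "WARN: $f is accessible to group/other; consider chmod 600"
  fi
  [ "$n" -eq 0 ]
)

# Stand-alone use: sh check-values.sh ./alibaba-cloud-log-all/values.yaml
if [ "$#" -gt 0 ]; then check_values "$1"; fi
```

The download step sets mode 744 only on k8s-custom-install.sh, so values.yaml keeps the permissions it was extracted with until you tighten them.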

The following table describes the Simple Log Service resources that are automatically created after you install Logtail and the required components.

Important
  • If you install Logtail and the required dependent components in a self-managed Kubernetes cluster, Logtail is automatically granted the privileged permissions. This prevents the container text file busy error that may occur when other pods are deleted. For more information, see Bug 1468249, Bug 1441737, and Issue 34538.

| Resource type | Resource name | Purpose | Example |
| --- | --- | --- | --- |
| Machine group | k8s-group-<YOUR_CLUSTER_ID> | The machine group of logtail-daemonset, which is used in log collection scenarios. | k8s-group-my-cluster-123 |
| Machine group | k8s-group-<YOUR_CLUSTER_ID>-statefulset | The machine group of logtail-statefulset, which is used in metric collection scenarios. | k8s-group-my-cluster-123-statefulset |
| Machine group | k8s-group-<YOUR_CLUSTER_ID>-singleton | The machine group of a single instance, which is used to create a LoongCollector configuration for the single instance. | k8s-group-my-cluster-123-singleton |
| Logstore | config-operation-log | This Logstore is used to store the logs of the alibaba-log-controller component in the Logtail component. We recommend that you do not create a Logtail configuration for this Logstore. You can delete this Logstore. After the Logstore is deleted, the system no longer collects the logs of the alibaba-log-controller component. The billing standards for this Logstore are the same as those for regular Logstores. For more information, see Billable items in the pay-as-you-go billing method. | None |

Step 2: Create a Logtail configuration

The following table describes the methods that you can use to create a Logtail configuration. We recommend that you use only one method to manage a Logtail configuration.

| Configuration method | Configuration description | Scenario |
| --- | --- | --- |
| CRD - AliyunPipelineConfig (recommended) | You can use the AliyunPipelineConfig CRD, which is a Kubernetes CRD, to manage a Logtail configuration. | This method is suitable for scenarios in which complex collection and processing, and version consistency between the Logtail configuration and the Logtail container in a self-managed Kubernetes cluster are required. Note: The version of Logtail components must be later than 0.5.1. For more information about Logtail updates, see Update Logtail. |
| Simple Log Service console | You can manage a Logtail configuration in the GUI based on quick deployment and configuration. | This method is suitable for scenarios in which simple settings are required to manage a Logtail configuration. If you use this method to manage a Logtail configuration, specific advanced features and custom settings cannot be used. |
| CRD - AliyunLogConfig | You can use the AliyunLogConfig CRD, which is an old version CRD, to manage a Logtail configuration. | This method is suitable for known scenarios in which Logtail configurations can be managed by using the old version CRD. You must gradually replace the AliyunLogConfig CRD with the AliyunPipelineConfig CRD to obtain better extensibility and stability. For more information about the differences between the CRD - AliyunPipelineConfig and CRD - AliyunLogConfig methods, see CRDs. |

CRD - AliyunPipelineConfig (recommended)

To create a Logtail configuration, you only need to create a Custom Resource (CR) from the AliyunPipelineConfig CRD. After the CR is created, the Logtail configuration takes effect.

Important

If you create a Logtail configuration by creating a CR and you want to modify the Logtail configuration, you can only modify the CR. If you modify the Logtail configuration in the Simple Log Service console, the new settings are not synchronized to the CR.

  1. Log on to your Kubernetes cluster.

  2. Create a file named example-k8s-file.yaml.

    You can use the configuration generator to generate a YAML script for your scenario, or manually write a YAML script based on the following example.

    The following example YAML file collects the content of the test.LOG file in the /data/logs/app_1 directory of pods in the default namespace. The pods have the app: ^(.*test.*)$ label. The logs are collected in multi-line text mode and sent to the k8s-file Logstore (automatically created) in the k8s-log-test project. You need to modify the following parameters in the YAML file based on your business requirements:

    1. project. Example: k8s-log-test.

      Log on to the Simple Log Service console to check the name of the project that is created when you install the Logtail component. The name is in the format of k8s-log-<YOUR_CLUSTER_ID>.

    2. IncludeK8sLabel. Example: app: ^(.*test.*)$. This parameter specifies the label that is used to filter pods. In this example, the system collects logs from pods whose app label value contains test.

      Note

      If you want to collect logs from all pods whose names contain test in the cluster, you can replace IncludeK8sLabel with K8sContainerRegex and use a wildcard character to specify the value. Example: K8sContainerRegex: ^(.*test.*)$.

    3. FilePaths. Example: /data/logs/app_1/**/test.LOG. For more information, see Container file path mapping.

    4. Endpoint and Region. Example: cn-hangzhou.log.aliyuncs.com and cn-hangzhou.

    For information about the config field in the YAML file, including the supported input, output, and processing plug-ins and container filtering methods, see PipelineConfig. For information about all parameters in the YAML file, see CR parameters.

    apiVersion: telemetry.alibabacloud.com/v1alpha1
    kind: ClusterAliyunPipelineConfig
    metadata:
      # The name of the resource. The name must be unique in the current Kubernetes cluster. This name is also used as the name of the Logtail configuration. If a Logtail configuration with the same name already exists, the Logtail configuration does not take effect.
      name: example-k8s-file
    spec:
      # Specify the destination project
      project:
        name: k8s-log-test
      logstores:
        # Create a Logstore named k8s-file
        - name: k8s-file
      # Define the Logtail configuration
      config:
        # Specify the sample log. You can leave this parameter empty.
        sample: |
          2024-06-19 16:35:00 INFO test log
          line-1
          line-2
          end
        # Configure the input plug-ins
        inputs:
          # Use the input_file plug-in to collect multi-line text logs from containers
          - Type: input_file
            # The log file path in the containers
            FilePaths:
              - /data/logs/app_1/**/test.LOG
            # Enable the container discovery feature.
            EnableContainerDiscovery: true
            CollectingContainersMeta: true
            # Add conditions to filter containers. Multiple conditions are evaluated by using a logical AND.
            ContainerFilters:
              # Specify the namespace of the pods to which the required containers belong. Regular expression matching is supported.
              K8sNamespaceRegex: default
              # Specify the pod label that is used to select the required containers. Regular expression matching is supported.
              IncludeK8sLabel:
                app: ^(.*test.*)$
            # Enable multi-line log collection. Delete this configuration for single-line log collection
            Multiline:
              # Specify the custom mode to match the beginning of the first line of a log based on a regular expression.
              Mode: custom
              # Specify the regular expression that is used to match the beginning of the first line of a log.
              StartPattern: '\d+-\d+-\d+\s\d+:\d+:\d+'
        # Configure the Logtail processing plug-ins
        processors:
          # Use the processor_parse_regex_native plug-in to parse logs based on the specified regular expression.
          - Type: processor_parse_regex_native
            # Specify the name of the input field.
            SourceKey: content
            # Specify the regular expression that is used for the parsing. Use capturing groups to extract fields.
            Regex: (\d+-\d+-\d+\s\S+)(.*)
            # Specify the fields that you want to extract.
            Keys: ["time", "detail"]
        # Configure the output plug-ins
        flushers:
          # Use the flusher_sls plug-in to send logs to a specific Logstore.
          - Type: flusher_sls
            # Make sure that the Logstore exists.
            Logstore: k8s-file
            # Make sure that the endpoint is valid.
            Endpoint: cn-beijing.log.aliyuncs.com
            Region: cn-beijing
            TelemetryType: logs
  3. Run the kubectl apply -f example.yaml command. Replace example.yaml with the name of the YAML file that you create. Then, Logtail starts to collect container text logs to Simple Log Service.

CRD - AliyunLogConfig

To create a Logtail configuration, you only need to create a CR from the AliyunLogConfig CRD. After the CR is created, the Logtail configuration takes effect.

Important

If you create a Logtail configuration by creating a CR and you want to modify the Logtail configuration, you can only modify the CR. If you modify the Logtail configuration in the Simple Log Service console, the new settings are not synchronized to the CR.

  1. Log on to your Kubernetes cluster.

  2. Create a file named example-k8s-file.yaml.

    This YAML script creates a Logtail configuration named example-k8s-file. The Logtail configuration collects the content of the test.LOG file in the /data/logs/app_1 directory of all containers whose names start with app in the cluster. The logs are collected in simple text mode and sent to the k8s-file Logstore (automatically created) in the k8s-log-<YOUR_CLUSTER_ID> project.

    You need to modify the file path in the container based on your business requirements. For more information, see Container file path mapping.

    • logPath: the path from which logs are collected. Example: /data/logs/app_1.

    • filePattern: the name of the log file from which logs are collected. Example: test.LOG.

    For information about the logtailConfig field in the YAML file, including the supported input, output, and processing plug-ins and container filtering methods, see AliyunLogConfigDetail. For information about all parameters in the YAML file, see CR parameters.

    apiVersion: log.alibabacloud.com/v1alpha1
    kind: AliyunLogConfig
    metadata:
      # The name of the resource. The name must be unique in the current Kubernetes cluster.
      name: example-k8s-file
      # The namespace of the resource.
      namespace: kube-system
    spec:
      # Specify the name of the project. If you leave this parameter empty, the project named k8s-log-<your_cluster_id> is used.
      # project: k8s-log-test
      # The name of the Logstore. If the Logstore that you specify does not exist, Simple Log Service automatically creates a Logstore.
      logstore: k8s-file
      # Configure the Logtail configuration.
      logtailConfig:
        # The type of the data source. If you want to collect text logs, set the value to file.
        inputType: file
        # The name of the Logtail configuration. The name must be the same as the value of metadata.name.
        configName: example-k8s-file
        inputDetail:
          # Configure Logtail to collect text logs in simple mode.
          logType: common_reg_log
          # The path of the log file.
          logPath: /data/logs/app_1
          # The name of the log file. You can use wildcard characters such as asterisks (*) and question marks (?) when you specify the log file name. Example: log_*.log.
          filePattern: test.LOG
          # If you want to collect container text logs, you must set dockerFile to true.
          dockerFile: true
          # Enable multi-line log collection. Delete this configuration for single-line log collection
          # The regular expression that is used to match the beginning of the first line of a log
          logBeginRegex: \d+-\d+-\d+.*
          # The conditions that are used to filter containers.
          advanced:
            k8s:
              K8sPodRegex: '^(app.*)$'
  3. Run the kubectl apply -f example.yaml command. Replace example.yaml with the name of the YAML file that you create. Then, Logtail starts to collect container text logs to Simple Log Service.

Simple Log Service console

Note

This method is suitable for scenarios in which simple settings are required to manage a Logtail configuration without the need to log on to a Kubernetes cluster. You cannot batch create Logtail configurations by using this method.

  1. Log on to the Simple Log Service console.

  2. In the Projects section, click the project that you use to install Logtail components. Example: k8s-log-<your_cluster_id>. On the page that appears, click the Logstore that you want to manage and then click Logtail Configurations. On the Logtail Configuration page, click Add Logtail Configuration. In the Quick Data Import dialog box, find the Kubernetes - File card and click Integrate Now.

  3. In the Machine Group Configurations step of the Import Data wizard, set the Scenario parameter to Kubernetes Clusters and the Deployment Method parameter to ACK Daemonset, select the k8s-group-${your_k8s_cluster_id} machine group and click the > icon to move the machine group from the Source Machine Group section to the Applied Server Groups section, and then click Next.

  4. Create a Logtail configuration. In the Logtail Configuration step of the Import Data wizard, configure the required parameters and click Next. Approximately 1 minute is required to create a Logtail configuration.

    The following list describes the main parameter settings. For more information, see Create a Logtail configuration.

    • Global Configurations

      In the Global Configurations section, configure the Configuration Name parameter.

    • Input Configurations

      • Logtail Deployment Mode: The Logtail deployment mode. Select DaemonSet.

      • File Path Type: The type of the file path that you want to use to collect logs. Valid values: Path in Container and Host Path. If a hostPath volume is mounted to a container and you want to collect logs from files based on the mapped file path on the container host, set this parameter to Host Path. In other scenarios, set this parameter to Path in Container.

      • File Path: The directory used to store the logs that you want to collect. The file path must start with a forward slash (/). In this example, set the File Path parameter to /data/wwwlogs/main/**/*.Log, which indicates that logs are collected from files suffixed with .Log in the /data/wwwlogs/main directory. You can configure the Maximum Directory Monitoring Depth parameter to specify the maximum number of levels of the subdirectories that you want to monitor. The subdirectories are in the log file directory that you specify. This parameter specifies the levels of the subdirectories that the ** wildcard characters can match in the value of the File Path parameter. The value 0 specifies that only the specified log file directory is monitored.

  5. Create indexes and preview data. By default, full-text indexing is enabled for Simple Log Service. In this case, full-text indexes are created. You can query all fields in logs based on the indexes. You can also manually create indexes for fields based on the collected logs. Alternatively, you can click Automatic Index Generation. Then, Simple Log Service generates indexes for fields. You can query data in an accurate manner based on field indexes. This reduces indexing costs and improves query efficiency. For more information, see Create indexes.

Step 3: Query and analyze logs

  1. Log on to the Simple Log Service console.

  2. In the Projects section, click the target project to go to the project details page.

  3. Click the icon to the right of the target Logstore and select Search & Analysis to view the logs from the Kubernetes cluster.

Default fields in container text logs

The following table describes the fields that are uploaded by default for each container text log.

| Field name | Description |
| --- | --- |
| __tag__:__hostname__ | The name of the container host. |
| __tag__:__path__ | The log file path in the container. |
| __tag__:_container_ip_ | The IP address of the container. |
| __tag__:_image_name_ | The name of the image that is used by the container. |
| __tag__:_pod_name_ | The name of the pod. |
| __tag__:_namespace_ | The namespace to which the pod belongs. |
| __tag__:_pod_uid_ | The unique identifier (UID) of the pod. |

References