Simple Log Service:Collect container logs (standard output and files) from a cluster using the console

Last Updated: Oct 18, 2025

In a Kubernetes environment, managing scattered container logs can be difficult, which results in inefficient troubleshooting and high O&M costs. You can deploy the Simple Log Service (SLS) LoongCollector in DaemonSet mode and configure log collection in the SLS console to enable unified log collection and structured processing. This approach improves the efficiency of log retrieval, problem diagnosis, and observability analysis.

Scope

  • Runtime environment:

    • Supports Container Service for Kubernetes (ACK) (Managed and Dedicated editions) and self-managed Kubernetes clusters.

    • Kubernetes version 1.10.0 or later that supports Mount propagation: HostToContainer.

    • Container runtime (Docker and Containerd only)

      • Docker:

        • Requires access to docker.sock.

        • Standard output collection supports only the JSON log driver.

        • Supports only the overlay and overlay2 storage drivers. For other storage driver types, you must manually mount the log directory.

      • Containerd: Requires access to containerd.sock.

  • Resource requirements: LoongCollector (Logtail) runs with high priority as system-cluster-critical. Do not deploy it if cluster resources are insufficient, because this may evict existing pods on the node.

    • CPU: Reserve at least 0.1 Core.

    • Memory: Reserve at least 150 MB for the collection component and at least 100 MB for the controller component.

    • Actual usage depends on the collection rate, the number of monitored directories and files, and the level of send congestion. Ensure that the actual usage remains below 80% of the limit (see the verification commands after this list).

  • Permission requirements: The Alibaba Cloud account or RAM user used for deployment must have the AliyunLogFullAccess permission.

    To create custom policies, you can refer to the AliyunCSManagedLogRolePolicy system policy. Copy the permissions included in the policy and grant them to the target RAM user or role to configure fine-grained permissions.
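To check actual resource usage against these recommendations after LoongCollector is deployed (installation steps follow below), you can query the collection pods with kubectl. This is a minimal sketch; it assumes the Kubernetes metrics server is installed and that the collection pods run in the kube-system namespace with names containing loongcollector.

    # Current CPU and memory usage of the collection pods (requires metrics-server)
    kubectl top pod -n kube-system | grep loongcollector

    # Resource limits configured on a specific collection pod, for comparison (replace the pod name)
    kubectl describe pod -n kube-system <loongcollector-pod-name> | grep -A 6 -i limits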

Collection configuration workflow

  1. Install LoongCollector: Deploy LoongCollector in DaemonSet mode. This ensures that a collection container runs on each node in the cluster to collect logs from all containers on that node.

    For the Sidecar pattern, see Collect text logs from a cluster (Sidecar).
  2. Create a Logstore: A Logstore is a storage unit for log data. You can create multiple Logstores in a project.

  3. Create a collection configuration:

    This topic describes only common configuration parameters and core options for typical use cases. For a complete list of configuration parameters and their descriptions, see the More information section.

Install LoongCollector (Logtail)

LoongCollector is a new-generation log collection agent from SLS and an upgraded version of Logtail. LoongCollector and Logtail cannot coexist. To install Logtail, see Install, run, upgrade, and uninstall Logtail.

This topic describes only the basic steps to install LoongCollector. For more information about the parameters, see Install LoongCollector (Kubernetes). If you have installed LoongCollector or Logtail, you can skip this step and create a Logstore to store the collected logs.

ACK cluster

You can install LoongCollector from the Container Service for Kubernetes console. By default, logs are sent to a Simple Log Service project under the current Alibaba Cloud account.

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, click the name of the target cluster.

  3. In the navigation pane on the left, click Add-ons.

  4. On the Logs And Monitoring tab, find loongcollector and click Install.

    Note

    For a new cluster, on the Component Configurations page, select Enable Log Service. Then, you can Create Project or Use Existing Project.

    After the installation is complete, SLS automatically creates related resources in the region where the ACK cluster resides. You can log on to the Simple Log Service console to view them.

    • Project: k8s-log-${cluster_id}. A resource management unit that isolates logs of different services. To create a Project for more flexible log resource management, see Create a Project.

    • Machine group: k8s-group-${cluster_id}. A collection of log collection nodes.

    • Logstore: config-operation-log. Stores logs of the loongcollector-operator component. Its billing method is the same as that of a regular Logstore. For more information, see Billable items of the pay-by-ingested-data mode. We recommend that you do not create collection configurations in this Logstore.

      Important: Do not delete this Logstore.

Self-managed cluster

  1. Connect to the Kubernetes cluster. Select the command for your region to download LoongCollector and its dependent components:

    Regions in China:

    wget https://aliyun-observability-release-cn-shanghai.oss-cn-shanghai.aliyuncs.com/loongcollector/k8s-custom-pkg/3.0.12/loongcollector-custom-k8s-package.tgz
    tar xvf loongcollector-custom-k8s-package.tgz
    chmod 744 ./loongcollector-custom-k8s-package/k8s-custom-install.sh

    Regions outside China:

    wget https://aliyun-observability-release-ap-southeast-1.oss-ap-southeast-1.aliyuncs.com/loongcollector/k8s-custom-pkg/3.0.12/loongcollector-custom-k8s-package.tgz
    tar xvf loongcollector-custom-k8s-package.tgz
    chmod 744 ./loongcollector-custom-k8s-package/k8s-custom-install.sh
  2. Go to the loongcollector-custom-k8s-package directory and modify the ./loongcollector/values.yaml configuration file.

    # ===================== Required Information =====================
    # The name of the project where logs from this cluster will be collected, for example, k8s-log-custom-sd89ehdq
    projectName: ""
    # The region of the project, for example, Shanghai: cn-shanghai
    region: ""
    # The UID of the Alibaba Cloud account that owns the project. Enclose it in quotation marks, for example, "123456789"
    aliUid: ""
    # The network to use. Valid values: Internet, Intranet. The default is Internet.
    net: Internet
    # The AccessKey ID and AccessKey secret of the Alibaba Cloud account or RAM user.
    # The account must have the AliyunLogFullAccess system policy permission.
    accessKeyID: ""
    accessKeySecret: ""
    # A custom cluster ID. The name can contain only uppercase letters, lowercase letters, digits, and hyphens (-).
    clusterID: ""
  3. In the loongcollector-custom-k8s-package directory, run the following command to install LoongCollector and other dependent components:

    bash k8s-custom-install.sh install
  4. After the installation is complete, check the running status of the components.

    If a pod fails to start, check whether the values.yaml configuration is correct and whether the relevant images were pulled successfully.
    # Check the pod status
    kubectl get po -n kube-system | grep loongcollector-ds

    SLS also automatically creates the following resources. You can log on to the Simple Log Service console to view them.

    • Project: the value of projectName defined in the values.yaml file. A resource management unit that isolates logs of different services. To create a Project for more flexible log resource management, see Create a Project.

    • Machine group: k8s-group-${cluster_id}. A collection of log collection nodes.

    • Logstore: config-operation-log. Stores logs of the loongcollector-operator component. Its billing method is the same as that of a regular Logstore. For more information, see Pay-by-data-written billable items. We recommend that you do not create collection configurations in this Logstore.

      Important: Do not delete this Logstore.

Create a Logstore

If you have already created a Logstore, you can skip this step and proceed to create a collection configuration.

SLS supports two billing methods: pay-by-ingested-data and pay-by-feature. When you create a Logstore, you can choose the appropriate billing method based on your specific scenario.
  1. Log on to the Simple Log Service console and click the name of the target project.

  2. In the navigation pane on the left, choose Log Storage, and click +.

  3. On the Create Logstore page, complete the following core configurations:

    • Logstore Name: Set a name that is unique within the project. This name cannot be changed after creation.

    • Logstore Type: Choose Standard or Query based on a comparison of their specifications.

    • Billing Mode:

      • Pay-By-Feature: Billed independently for resources such as storage, indexing, and read/write operations. This method is suitable for small-scale use cases or when feature usage is uncertain.

      • Pay-By-Ingested-Data: Billed only by the amount of raw data written. It provides a 30-day free storage period and free features such as data transformation and delivery. The cost model is simple and suitable for use cases where the storage period is close to 30 days or the data processing pipeline is complex.

    • Data Retention Period: Set the number of days to retain logs. The value ranges from 1 to 3,650 days. A value of 3,650 days means permanent storage. The default is 30 days.

  4. Keep the default settings for other configurations and click OK. For more information about other configurations, see Manage a Logstore.

Minimal configuration

After you install LoongCollector and create a Logstore, you can create a collection configuration. This section describes two basic scenarios: container standard output and cluster text logs. These scenarios upload raw logs to the Logstore without parsing or processing, which makes them suitable for quickly establishing a data channel.

On the Logstores page:

  1. Click the expand icon before the name of the target Logstore.

  2. Click the + icon next to Data Collection.

  3. Select a quick integration template based on the log source. Logs within a container have two sources:

    • Standard output (stdout and stderr): Log content printed by the container program to the console.

    • Text log file: A log file written to a specified path inside the container.


Collect container standard output (stdout)

  1. In the Quick Data Import dialog box, search for the template: K8s-Standard Output-New, then click Integrate Now.

  2. Configure The Machine Group, and then click Next:

    • Set Scenario to Kubernetes Clusters.

    • Set Deployment Mode to ACK Daemonset or Self-managed Cluster In Daemonset Mode.

    • In the Source Machine Group list, add the system-created machine group k8s-group-${cluster_id} to the Applied Machine Groups list on the right.

  3. Configure Logtail, then click Next:

    • Global Configurations: Enter a configuration name.

    • Input Configurations: Enable the Standard Output or Standard Error switch. Both are enabled by default.

    • Processor Configurations:

      • (Optional) Common processing configurations: Parse raw logs into structured data using methods such as regular expressions or delimiters, or perform data masking and filtering.

      • (Optional) Other advanced configurations: Collect multiline text logs and enrich log tags to meet more fine-grained collection requirements.

  4. Query And Analysis Configuration: Preview the data and click Automatic Index Generation. Simple Log Service generates a field index. Click Next to complete the configuration.

Raw log:

10.244.0.1 - - [01/Aug/2025:10:25:30 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.88.1"

Collected raw standard output (stdout):

10.244.0.1 - - [01/Aug/2025:10:25:30 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.88.1"
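To verify the configuration end to end, you can run a short-lived test workload that prints a similar line to stdout and then search for it in the Logstore. This is a minimal sketch; the pod name, namespace, and image are arbitrary examples, and the pod must run on a node covered by the applied machine group.

kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: stdout-logging-test    # hypothetical test pod name
  namespace: default
spec:
  containers:
  - name: echo
    image: busybox
    # Print an NGINX-style access line to stdout every 10 seconds
    command: ["sh", "-c", "while true; do echo '10.244.0.1 - - [01/Aug/2025:10:25:30 +0000] \"GET / HTTP/1.1\" 200 615 \"-\" \"curl/7.88.1\"'; sleep 10; done"]
EOF

# Clean up after confirming that the lines appear in the Logstore
kubectl delete pod stdout-logging-test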

Collect cluster text logs

  1. In the Quick Data Import dialog box, search for the Kubernetes-File template, and click Integrate Now.

  2. Configure The Machine Group, and then click Next:

    • Set Scenario to Kubernetes Clusters.

    • Set Deployment Mode to ACK Daemonset or Self-managed Cluster In Daemonset Mode.

    • In the Source Machine Group list, add the system-created machine group k8s-group-${cluster_id} to the Applied Machine Groups list on the right.

  3. Complete the Logtail Configuration, and then click Next:

    • Global Configurations: Enter a configuration name.

    • Input Configurations:

      • Set Logtail Deployment Mode to Daemonset.

      • File Path Type:

        • Path In Container: Collect log files from within the container.

        • Host Path: Collect logs from local services on the host.

      • File Path: The absolute path for log collection. On Linux, it must start with "/".

        Example: /data/mylogs/**/*.log indicates all files with the .log extension in the /data/mylogs directory and its subdirectories.

      • Maximum Directory Monitoring Depth: The maximum directory depth matched by the wildcard character ** in the File Path. The default is 0 (current level only), and the range is 0 to 1,000.

        If you set the depth to 0, you must configure the path to the specific directory where the files are located.
    • Processor Configurations:

      • (Optional) Common processing configurations: Parse raw logs into structured data using methods such as regular expressions or delimiters, or perform data masking and filtering.

      • (Optional) Other advanced configurations: Collect multiline text logs and enrich log tags to meet more fine-grained collection requirements.

  4. Query Analysis Configuration: Preview the data and click Automatic Index Generation. After SLS generates a field index, click Next to complete the configuration.

Raw log:

Aug 19 11:20:51 hostname-1 crond[2995]: (CRON) INFO (@reboot jobs will be run at computer's startup.)

The entire raw log line is stored in the content field:

content: Aug 19 11:20:51 hostname-1 crond[2995]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
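To verify file collection, you can run a test workload that appends lines to a path matching the File Path pattern configured above (for example, /data/mylogs/**/*.log). This is a minimal sketch; the pod name, namespace, and image are arbitrary examples.

kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: file-logging-test    # hypothetical test pod name
  namespace: default
spec:
  containers:
  - name: writer
    image: busybox
    # Append a timestamped line to /data/mylogs/app.log every 10 seconds
    command: ["sh", "-c", "mkdir -p /data/mylogs && while true; do echo \"$(date) test log line\" >> /data/mylogs/app.log; sleep 10; done"]
EOF

# Clean up after confirming that the lines appear in the Logstore
kubectl delete pod file-logging-test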

Common processing configurations

After you complete the minimal configuration, in the Processing Configuration section of the Logtail Configuration page, you can add processing plugins to parse raw logs into structured data, or perform data masking and filtering. To add processing plugins to an existing collection configuration, you can follow these steps:

  1. In the navigation pane on the left, choose Logstores and find the target Logstore.

  2. Click the expand icon before its name to expand the Logstore.

  3. Click Logtail Configurations. In the configuration list, find the target Logtail configuration and click Manage Logtail Configuration in the Actions column.

  4. On the Logtail configuration page, click Edit.

This topic describes only common processing plugins that cover common log processing scenarios. For more features, see Extended processing plugins.
Important

For Logtail 2.0 and later, and for the LoongCollector component, follow these plugin combination rules:

  • Use native plugins first.

  • If native plugins cannot meet your needs, configure extended plugins after the native plugins.

  • Native plugins can be used only before extended plugins.

Structured configuration

Regular expression parsing

Use regular expressions to extract log fields and parse the log into key-value pairs.

  1. Add Sample Log: Use a log sample from your actual use case. A log sample helps you configure log processing parameters and simplifies the configuration process.

  2. Click Add Processor and choose Native Processor > Data Parsing (Regex Mode):

    • Regular Expression: Used to match logs. You can generate it automatically or enter it manually:

      • Automatic generation:

        • Click Generate.

        • In the Log Sample, select the log content that you want to extract.

        • Click Generate Regular Expression.


      • Manual input: Manually Enter Regular Expression based on the log format.

      After you configure the expression, click Validate to test whether it correctly parses the log content.

    • Extracted Field: Set the field names (keys) for the extracted log content (values).

Raw log:

127.0.0.1 - - [16/Aug/2024:14:37:52 +0800] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 41 "http://www.example.com/wp-admin/post-new.php?post_type=page" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"

Custom regular expression parsing: Regular expression (\S+)\s-\s(\S+)\s\[([^]]+)]\s"(\w+)\s(\S+)\s([^"]+)"\s(\d+)\s(\d+)\s"([^"]+)"\s"([^"]+).*.

body_bytes_sent: 41
http_referer: http://www.example.com/wp-admin/post-new.php?post_type=page
http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0
remote_addr: 127.0.0.1
remote_user: -
request_method: GET
request_protocol: HTTP/1.1
request_uri: /wp-admin/admin-ajax.php?action=rest-nonce
status: 200
time_local: 16/Aug/2024:14:37:52 +0800
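Before saving a manually written expression, you can check that it matches the sample line locally. A minimal sketch using GNU grep with Perl-compatible regular expressions (grep -P is not available on every platform):

echo '127.0.0.1 - - [16/Aug/2024:14:37:52 +0800] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 41 "http://www.example.com/wp-admin/post-new.php?post_type=page" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"' \
  | grep -cP '(\S+)\s-\s(\S+)\s\[([^]]+)]\s"(\w+)\s(\S+)\s([^"]+)"\s(\d+)\s(\d+)\s"([^"]+)"\s"([^"]+).*'
# Output 1 means the expression matches the sample line; 0 means it does not.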

Delimiter-based parsing

Use a delimiter to structure the log content and parse it into multiple key-value pairs. Both single-character and multi-character delimiters are supported.

Click Add Processor, and select Native Processor > Data Parsing (Delimiter Mode):

  • Delimiter: Specify the character used to split the log content.

    Example: For a CSV file, select Custom and enter a comma (,).

  • Quote: If a field value contains the separator, you need to specify a quote to enclose the field to avoid incorrect splitting.

  • Extracted Field: Set the field name (key) for each column in the order of separation. The rules are as follows:

    • Field names can contain only letters, digits, and underscores (_).

    • Field names must start with a letter or an underscore (_).

    • The maximum length is 128 bytes.

Raw log:

05/May/2025:13:30:28,10.10.*.*,"POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1",200,18204,aliyun-sdk-java

Split fields by the specified character ,:

ip:10.10.*.*
request:POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1
size:18204
status:200
time:05/May/2025:13:30:28
user_agent:aliyun-sdk-java

Standard JSON parsing

Structure an object-type JSON log and parse it into key-value pairs.

Click Add Processor, and select Native Processor > JSON Parsing:

  • Original Field: The default value is content. This field stores the raw log content to be parsed.

  • Keep the default settings for other configurations.

Raw Log:

{"url": "POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=U0Ujpek********&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=pD12XYLmGxKQ%2Bmkd6x7hAgQ7b1c%3D HTTP/1.1", "ip": "10.200.98.220", "user-agent": "aliyun-sdk-java", "request": {"status": "200", "latency": "18204"}, "time": "05/Jan/2025:13:30:28"}

Standard JSON key-value pairs are automatically extracted:

ip: 10.200.98.220
request: {"status": "200", "latency": "18204"}
time: 05/Jan/2025:13:30:28
url: POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=U0Ujpek******&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=pD12XYLmGxKQ%2Bmkd6x7hAgQ7b1c%3D HTTP/1.1
user-agent: aliyun-sdk-java
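If JSON parsing produces no structured fields, a common cause is that the raw line is not valid single-line JSON. A minimal local check with jq (assuming jq is installed); the sample object is shortened for readability:

echo '{"ip": "10.200.98.220", "request": {"status": "200", "latency": "18204"}, "time": "05/Jan/2025:13:30:28"}' | jq .
# jq pretty-prints the object if the line is valid JSON and reports a parse error otherwise.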

Nested JSON parsing

Parse a nested JSON log into key-value pairs by specifying the expansion depth.

Click Add Processor and select Extended Processor > Expand JSON Field:

  • Original Field: The source field to be expanded, for example, content.

  • JSON Expansion Depth: The expansion level of the JSON object. 0 means fully expanded (default), 1 means the current level, and so on.

  • Character To Concatenate Expanded Keys: The character used to concatenate field names during JSON expansion. The default is an underscore (_).

  • Name Prefix Of Expanded Keys: Specify the prefix for field names after JSON expansion.

  • Expand Array: Enable this option to expand an array into key-value pairs with indexes.

    Example: {"k":["a","b"]} is expanded to {"k[0]":"a","k[1]":"b"}.

    To rename the expanded fields (for example, from prefix_s_key_k1 to new_field_name), add a Rename Fields plugin afterward to complete the mapping.

Raw log:

{"s_key":{"k1":{"k2":{"k3":{"k4":{"k51":"51","k52":"52"},"k41":"41"}}}}}

Expansion depth: 0, with the expansion depth used as a prefix.

0_s_key_k1_k2_k3_k41:41
0_s_key_k1_k2_k3_k4_k51:51
0_s_key_k1_k2_k3_k4_k52:52

Expansion depth: 1, with the expansion depth used as a prefix.

1_s_key:{"k1":{"k2":{"k3":{"k4":{"k51":"51","k52":"52"},"k41":"41"}}}}

JSON array parsing

Use the json_extract function to extract JSON objects from a JSON array.

Set Processing Method to SPL:

  • SPL Statement: Use the json_extract function to extract JSON objects from a JSON array.

    Example: Extract elements from the JSON array in the log field content and store the results in new fields json1 and json2.

    * | extend json1 = json_extract(content, '$[0]'), json2 = json_extract(content, '$[1]')

Raw log:

[{"key1":"value1"},{"key2":"value2"}]

Extracted JSON array structure:

json1:{"key1":"value1"}
json2:{"key2":"value2"}
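To preview what the SPL statement extracts, you can reproduce the same element access locally with jq (shown only for illustration; the collection pipeline itself runs the SPL statement above):

echo '[{"key1":"value1"},{"key2":"value2"}]' | jq -c '.[0], .[1]'
# {"key1":"value1"}
# {"key2":"value2"}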

NGINX log parsing

Structure the log content into multiple key-value pairs based on the definition in log_format. If the default content does not meet your needs, you can use a custom format.

Click Add Processor, and select Native Processor > NGINX Pattern Parsing:

  • NGINX Log Configuration: Copy the complete log_format definition from your NGINX server configuration file (usually located at /etc/nginx/nginx.conf) and paste it into this text box.

    Example:

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$request_time $request_length '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent"';
    Important

    The format definition must be identical to the format that generates the logs on the server. Otherwise, log parsing fails.

Raw log:

192.168.*.* - - [15/Apr/2025:16:40:00 +0800] "GET /nginx-logo.png HTTP/1.1" 0.000 514 200 368 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.*.* Safari/537.36"

Parsed into key-value pairs based on the log_format main definition:

body_bytes_sent: 368
http_referer: -
http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.*.* Safari/537.36
remote_addr: 192.168.*.*
remote_user: -
request_length: 514
request_method: GET
request_time: 0.000
request_uri: /nginx-logo.png
status: 200
time_local: 15/Apr/2025:16:40:00
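To copy the exact log_format definition from the server instead of retyping it, you can print it from the NGINX configuration. A minimal sketch that assumes the default configuration path:

# Print the log_format definition and the lines that follow it (the path may differ on your system)
grep -A 5 'log_format' /etc/nginx/nginx.conf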

Apache log parsing

Structure the log content into multiple key-value pairs based on the definition in the Apache log configuration file.

Click Add Processor, and select Native Processor > Apache Pattern Parsing:

  • Set Log Format to combined.

  • APACHE LogFormat Configuration: The system automatically fills in the configuration based on the Log Format.

    Important

    Verify the auto-filled content to ensure it is exactly the same as the LogFormat defined in the Apache configuration file on the server (usually located at /etc/apache2/apache2.conf).

Raw log:

192.168.1.10 - - [08/May/2024:15:30:28 +0800] "GET /index.html HTTP/1.1" 200 1234 "https://www.example.com/referrer" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.X.X Safari/537.36"

Apache Common Log Format combined parsing:

http_referer:https://www.example.com/referrer
http_user_agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.X.X Safari/537.36
remote_addr:192.168.1.10
remote_ident:-
remote_user:-
request_method:GET
request_protocol:HTTP/1.1
request_uri:/index.html
response_size_bytes:1234
status:200
time_local:[08/May/2024:15:30:28 +0800]
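Similarly, you can print the LogFormat definitions from the Apache configuration to confirm that the server really uses the combined format. A minimal sketch that assumes a Debian/Ubuntu-style configuration path:

# Print the LogFormat definitions (the path and file name may differ by distribution)
grep -i 'LogFormat' /etc/apache2/apache2.conf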

Data masking

Mask sensitive data in logs.

Click Add Processor, and select Native Processor > Data Masking:

  • Original Field: The source field that stores the log content before parsing.

  • Data Masking Method:

    • const: Replace sensitive content with a specified string.

    • md5: Replace sensitive content with its corresponding MD5 hash.

  • Replacement String: When you set Data Masking Method to const, you need to enter a string to replace the sensitive content.

  • Content Expression That Precedes Replaced Content: An expression that matches the text immediately before the sensitive content and is used to locate it. Configure it using RE2 syntax.

  • Content Replacement Expression: An expression that matches the sensitive content to be replaced. Configure it using RE2 syntax.

Raw log:

[{'account':'1812213231432969','password':'04a23f38'}, {'account':'1812213685634','password':'123a'}]

Masking result:

[{'account':'1812213231432969','password':'********'}, {'account':'1812213685634','password':'********'}]

Content filtering

Match log field values based on regular expressions and collect only logs that meet the whitelist conditions.

Click Add Processor, and select Native Processor > Data Filtering:

  • Field Name: The log field to be filtered.

  • Field Value: The regular expression used for filtering. Only full matching is supported. Partial keyword matching is not supported.

Raw log:

{"level":"WARNING","timestamp":"2025-09-23T19:11:40+0800","cluster":"yilu-cluster-0728","message":"Disk space is running low","freeSpace":"15%"} {"level":"ERROR","timestamp":"2025-09-23T19:11:42+0800","cluster":"yilu-cluster-0728","message":"Failed to connect to database","errorCode":5003} {"level":"INFO","timestamp":"2025-09-23T19:11:47+0800","cluster":"yilu-cluster-0728","message":"User logged in successfully","userId":"user-123"}

Filtered log: Set Field Name to level and Field Value to WARNING|ERROR. This means only logs where the level field value is WARNING or ERROR are collected.

{"level":"WARNING","timestamp":"2025-09-23T19:11:40+0800","cluster":"yilu-cluster-0728","message":"Disk space is running low","freeSpace":"15%"} {"level":"ERROR","timestamp":"2025-09-23T19:11:42+0800","cluster":"yilu-cluster-0728","message":"Failed to connect to database","errorCode":5003}

Time parsing

Parse the time field in the log and set the parsing result as the log's __time__ field.

Click Add Processor and select Native Processor > Time Parsing:

  • Original Field: The source field that stores the log content before parsing.

  • Time Format: Set the corresponding time format based on the time content in the log.

  • Time Zone: Select the time zone of the log's time field. By default, the machine's time zone is used, which is the time zone of the environment where the LoongCollector (Logtail) process is running.

Raw log:

{"level":"INFO","timestamp":"2025-09-23T19:11:47+0800","cluster":"yilu-cluster-0728","message":"User logged in successfully","userId":"user-123"}

Time parsing result: The time value 2025-09-23T19:11:47+0800 in the log is parsed and set as the log's __time__ field.

Other advanced configurations

When you create a collection configuration, after you complete the minimal configuration and common processing configurations, you can perform the following operations to further collect multiline logs, configure log topic types, and configure other settings. To modify an existing collection configuration, you can follow these steps:

  1. In the navigation pane on the left, choose Logstores and find the target Logstore.

  2. Click the expand icon before its name to expand the Logstore.

  3. Click Logtail Configurations. In the configuration list, find the target Logtail configuration and click Manage Logtail Configuration in the Actions column.

  4. On the Logtail configuration page, click Edit.

  • Multiline log collection: Process cross-line logs such as Java stack traces.

  • Configure topic types: Set log topics based on machine groups, file paths, or custom rules to manage log sources by category.

  • Container filtering and blacklists: Filter target containers by name, label, or environment variable, and ignore sensitive or irrelevant log files.

  • Log tag enrichment: Add environment variables and container information as metadata fields.

  • Compression for log transmission: Enable lz4/zstd compression to reduce bandwidth and improve transmission efficiency.


Multiline log collection

By default, SLS works in single-line mode, treating each line of text as a separate log. This can incorrectly split multiline logs that contain content such as stack traces or JSON, which leads to a loss of context.

To address this issue, enable Multi-line Mode and define a Regex to Match First Line. This allows SLS to accurately identify the starting line of a complete log, which merges multiple lines into a single log entry.

Processor Configurations:

  • Enable Multi-line Mode.

  • Set Type to Custom or Multi-line JSON.

    • Custom: The format of the raw log is not fixed. You need to configure Regex To Match First Line to identify the starting line of each log.

      • Regex To Match First Line: Generate it automatically or enter it manually. The regular expression must match a complete line of data. For example, for the raw log shown below, the matching regular expression is \[\d+-\d+-\w+:\d+:\d+,\d+]\s\[\w+]\s.*.

        • Automatic generation: Click Generate. Then, in the Log Sample text box, select the log content to be extracted and click Generate Regular Expression.

        • Manual input: Click Manually Enter Regular Expression. After entering, click Validate.

    • Multi-line JSON: Select this when the raw logs are all in standard JSON format. SLS automatically handles line breaks within a single JSON log.

  • Processing Method If Splitting Fails:

    • Discard: If a piece of text does not match the first-line rule, it is discarded.

    • Retain Single Line: Unmatched text is processed as individual single-line logs.

Raw log:

[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
    at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
    at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
    at TestPrintStackTrace.main(TestPrintStackTrace.java:16)

Single-line mode: Each line is a separate log, and the stack information is broken up, which loses context.

content: [2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
content: at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
content: at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
content: at TestPrintStackTrace.main(TestPrintStackTrace.java:16)

Multi-line mode: A first-line regular expression identifies the complete log, which preserves the full semantic structure.

content: [2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
    at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
    at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
    at TestPrintStackTrace.main(TestPrintStackTrace.java:16)
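To estimate how a first-line expression will split a file, you can count the lines of a local sample that match it. A minimal sketch assuming the sample is saved as app.log (grep -P is required for \d and \s):

grep -cP '^\[\d+-\d+-\w+:\d+:\d+,\d+]\s\[\w+]\s' app.log
# The count equals the number of merged log entries; lines that do not match
# the expression are appended to the preceding entry.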

Configure topic types

Global Configurations > Other Global Configurations > Log Topic Type: Select the topic generation method.

  • Machine Group Topic: SLS lets you apply one collection configuration to multiple machine groups. When LoongCollector reports data, it uses the machine group's topic as the log topic and uploads it to the Logstore. You can use topics to distinguish logs from different machine groups.

  • File Path Extraction: If different users or applications write logs to different top-level directories but with the same subdirectory paths and filenames, it becomes difficult to distinguish the log source from the filename. In this case, you can configure File Path Extraction. Use a regular expression to match the full file path and use the matched result (username or application name) as the log topic to be uploaded to the Logstore.

    Note

    In the regular expression for the file path, you must escape the forward slash (/).

    Extract using a file path regular expression

    Use case: Different users record logs in different directories, but the log filenames are the same. The directory paths are as follows.

    /data/logs
    ├── userA
    │   └── serviceA
    │       └── service.log
    ├── userB
    │   └── serviceA
    │       └── service.log
    └── userC
        └── serviceA
            └── service.log

    If you only configure the file path as /data/logs and the filename as service.log in the Logtail Configuration, LoongCollector (Logtail) collects the content from all three service.log files into the same Logstore. This makes it impossible to distinguish which user produced which log. In this case, you can use a regular expression to extract values from the file path to generate different log topics.

    Regular expression:

    \/data\/logs\/(.*)\/serviceA\/.*

    Extraction result:

    __topic__: userA
    __topic__: userB
    __topic__: userC

    Extract using multiple capturing groups

    Use case: If a single log topic is not enough to distinguish the source of the logs, you can configure multiple regular expression capturing groups in the log file path to extract key information. These capturing groups include named capturing groups (?P<name>) and unnamed capturing groups.

    • Named capturing group: The generated tag field is __tag__:{name}.

    • Unnamed capturing group: The generated tag field is __tag__:__topic_{i}__, where {i} is the sequence number of the capturing group.

    Note

    When there are multiple capturing groups in the regular expression, the __topic__ field is not generated.

    For example, if the file path is /data/logs/userA/serviceA/service.log, you can extract multiple values from the file path in the following ways:

    • Use an unnamed capturing group for regular expression extraction.

      Regular expression: \/data\/logs\/(.*?)\/(.*?)\/service.log

      Extraction result:
      __tag__:__topic_1__: userA
      __tag__:__topic_2__: serviceA

    • Use a named capturing group for regular expression extraction.

      Regular expression: \/data\/logs\/(?P<user>.*?)\/(?P<service>.*?)\/service.log

      Extraction result:
      __tag__:user: userA
      __tag__:service: serviceA

    Verification: After the configuration is complete, you can query logs based on the log topic.

    On the log query and analysis page, enter the corresponding generated log topic, such as __topic__: userA or __tag__:__topic_1__: userA, to query logs for that topic.


  • Custom: Enter customized:// + custom topic name to use a custom static log topic.


Container filtering and blacklists

Container filtering

Input Configurations:

  • Enable Container Filtering, click Add, select a filtering method, and configure it. Multiple conditions are combined with an "AND" relationship.

    • Environment Variable Blacklist/Whitelist: Specify the environment variable conditions for the containers from which to collect logs.

    • K8s Pod Label Blacklist/Whitelist: Specify label conditions for the pods whose containers you want to collect logs from.

    • K8s Pod Name Regex Match: Specify the containers from which to collect logs by pod name.

    • K8s Namespace Regex Match: Specify the containers from which to collect logs by namespace name.

    • K8s Container Name Regex Match: Specify the containers from which to collect logs by container name.

    • Container Label Blacklist/Whitelist: Collect logs from containers whose labels meet the conditions. This is used in Docker use cases and is not recommended for Kubernetes use cases.

Blacklist

Input Configurations > Other Input Configurations: Enable Collection Blacklist, click Add, and configure the blacklist.

Supports full matching and wildcard matching for directories and filenames. Wildcard characters support only the asterisk (*) and the question mark (?).
  • File Path Blacklist: The file path to be ignored. Example:

    • /home/admin/private*.log: During collection, ignore all files in the /home/admin/ directory that start with "private" and end with ".log".

    • /home/admin/private*/*_inner.log: During collection, ignore files that end with "_inner.log" within directories that start with "private" under the /home/admin/ directory.

  • File Blacklist: Configure the filenames to be ignored during collection. Example:

    • app_inner.log: During collection, ignore all files named app_inner.log.

  • Directory Blacklist: The directory path cannot end with a forward slash (/). Example:

    • /home/admin/dir1/: Invalid. The path ends with a forward slash (/), so this blacklist entry does not take effect.

    • /home/admin/dir*: During collection, ignore files in subdirectories that start with "dir" under the /home/admin/ directory.

    • /home/admin/*/dir: During collection, ignore all files in subdirectories named "dir" at the second level under the /home/admin/ directory. For example, files in the /home/admin/a/dir directory are ignored, while files in the /home/admin/a/b/dir directory are collected.


Log tag enrichment

Input Configurations > Log Tag Enrichment:

  • Enable Log Tag Enrichment and click Add:

    • Environment Variables: Configure an environment variable name and a tag name. The environment variable value is stored in the tag name.

      • Environment Variable Name: Specify the name of the environment variable to be extracted.

      • Tag Name: The name of the environment variable tag.

    • Pod Labels: Configure a pod label name and a tag name. The pod label value is stored in the tag name.

      • Pod Label Name: The name of the Kubernetes pod label to be extracted.

      • Tag Name: The name of the tag.


Compression for log transmission

Output Configurations:

Note

Only Logtail 1.3.4 and later support zstd compression.

  • lz4: Fast compression speed, lower compression ratio.

  • zstd: High compression ratio, slightly lower speed, high memory usage.

What to do next

  1. Log query and analysis: Each collected container text log contains the following default field information:

    • __tag__:__hostname__: The name of the container's host.

    • __tag__:__path__: The path of the log file within the container.

    • __tag__:_container_ip_: The IP address of the container.

    • __tag__:_image_name_: The name of the image used by the container.

    • __tag__:_pod_name_: The name of the pod.

    • __tag__:_namespace_: The namespace to which the pod belongs.

    • __tag__:_pod_uid_: The unique identifier (UID) of the pod.

  2. Data visualization: Use visualization dashboards to monitor key metric trends.

  3. Automatic alerting for data anomalies: Set alert policies to detect system anomalies in real time.

Troubleshooting: No data collected from container logs

  1. Check for new logs: LoongCollector (Logtail) collects only incremental logs. If no new logs are written to the target log file after the collection configuration is applied, LoongCollector (Logtail) does not collect data from that file.

2. View LoongCollector (Logtail) runtime logs

View the runtime logs of LoongCollector (Logtail) itself to obtain detailed error information.

  1. Log on to the Logtail container:

    1. Query the Logtail pod.

      kubectl get po -n kube-system | grep logtail

      The system returns a result similar to the following.

      logtail-ds-****d   1/1   Running   0   8d
      logtail-ds-****8   1/1   Running   0   8d
    2. Log on to the pod.

      kubectl exec -it -n kube-system logtail-ds-****d -- bash

      Here, logtail-ds-****d is the pod ID. Replace it with the actual value.

  2. View Logtail runtime logs:

    Logtail logs are stored in the /usr/local/ilogtail/ directory within the Logtail container. The filenames are ilogtail.LOG and logtail_plugin.LOG. Log on to the Logtail container and run the following commands to view the log files:

    # Go to the /usr/local/ilogtail/ directory.
    cd /usr/local/ilogtail
    # View the ilogtail.LOG and logtail_plugin.LOG files.
    cat ilogtail.LOG
    cat logtail_plugin.LOG

    Purpose: Check the Alarm Metric in the error logs and find the corresponding solution in Common errors in Simple Log Service data collection.

3. Check the machine group heartbeat

Check the machine group heartbeat status: Go to the Resources > Machine Groups page, and click the name of the target machine group. In the Machine Group Configurations > Machine Group Status section, view the Heartbeat status and record the number of nodes with an OK heartbeat status.

  1. Check the number of worker nodes in the container cluster.

    1. Obtain the cluster KubeConfig and connect to the cluster using kubectl.

    2. View the number of worker nodes in the cluster.

      kubectl get node | grep -v master

      The system returns a result similar to the following.

      NAME                                 STATUS    ROLES     AGE       VERSION
      cn-hangzhou.i-bp17enxc2us3624wexh2   Ready     <none>    238d      v1.10.4
      cn-hangzhou.i-bp1ad2b02jtqd1shi2ut   Ready     <none>    220d      v1.10.4
  2. Compare whether the number of nodes with an OK heartbeat status is consistent with the number of worker nodes in the container cluster. Choose a troubleshooting method based on the comparison result.

    • The heartbeat status of all nodes in the machine group is Failed:

      • If it is a self-managed cluster, check whether the following parameters are configured correctly: {regionId}, {aliuid}, {access-key-id}, and {access-key-secret}.

        If they are incorrect, run the helm del --purge alibaba-log-controller command to delete the installation package, and then reinstall.

    • The number of nodes with an OK heartbeat status is less than the number of worker nodes in the cluster.

      • Determine whether a DaemonSet was manually deployed using a YAML file.

        1. Run the following command. If a result is returned, it means a DaemonSet was previously deployed manually using a YAML file.

          kubectl get po -n kube-system -l k8s-app=logtail
        2. Download the latest version of the DaemonSet template.

        3. Configure parameters such as ${your_region_name}, ${your_aliyun_user_id}, and ${your_machine_group_name} based on actual values.

        4. Update the resource.

          kubectl apply -f ./logtail-daemonset.yaml

4. Check the collection configuration filter conditions

In the Simple Log Service console, check the Logtail collection configuration. Pay close attention to whether the IncludeLabel, ExcludeLabel, IncludeEnv, ExcludeEnv, and other settings in the Logtail configuration meet your collection requirements.

  • The label here refers to the container label, which is the label in Docker inspect, not the label in Kubernetes.

  • Temporarily remove the IncludeLabel, ExcludeLabel, IncludeEnv, and ExcludeEnv configurations to see if logs can be collected normally. If so, it indicates a problem with the configuration of these parameters.
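To confirm which container labels and environment variables the filters actually see, you can inspect a container directly on the node. A minimal sketch for the Docker runtime (for containerd, inspect the container with crictl instead):

# Container labels as seen by the collector (Docker labels, not Kubernetes labels)
docker inspect <container-id> --format '{{json .Config.Labels}}'

# Environment variables configured at container startup
docker inspect <container-id> --format '{{json .Config.Env}}'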

FAQ

How do I send ACK cluster logs to a project in another Alibaba Cloud account?

Manually install the LoongCollector (Logtail) component in the ACK cluster and configure it with the target account's Alibaba Cloud account ID or access credential (AccessKey). This enables you to send container logs to a Simple Log Service project in another Alibaba Cloud account.

Use case: Collect log data from an ACK cluster to a Simple Log Service project in a different Alibaba Cloud account for reasons such as organizational structure, permission isolation, or unified monitoring. You can manually install LoongCollector (Logtail) for cross-account configuration.

Procedure: The following procedure uses the manual installation of LoongCollector as an example. To learn how to install Logtail, see Install and configure Logtail.

  1. Connect to the Kubernetes cluster. Select the command for your region to download LoongCollector and its dependent components:

    Regions in China:

    wget https://aliyun-observability-release-cn-shanghai.oss-cn-shanghai.aliyuncs.com/loongcollector/k8s-custom-pkg/3.0.12/loongcollector-custom-k8s-package.tgz
    tar xvf loongcollector-custom-k8s-package.tgz
    chmod 744 ./loongcollector-custom-k8s-package/k8s-custom-install.sh

    Regions outside China:

    wget https://aliyun-observability-release-ap-southeast-1.oss-ap-southeast-1.aliyuncs.com/loongcollector/k8s-custom-pkg/3.0.12/loongcollector-custom-k8s-package.tgz
    tar xvf loongcollector-custom-k8s-package.tgz
    chmod 744 ./loongcollector-custom-k8s-package/k8s-custom-install.sh
  2. Go to the loongcollector-custom-k8s-package directory and modify the ./loongcollector/values.yaml configuration file.

    # ===================== Required Information =====================
    # The name of the project where logs from this cluster will be collected, for example, k8s-log-custom-sd89ehdq
    projectName: ""
    # The region of the project, for example, Shanghai: cn-shanghai
    region: ""
    # The UID of the Alibaba Cloud account that owns the project. Enclose it in quotation marks, for example, "123456789"
    aliUid: ""
    # The network to use. Valid values: Internet, Intranet. The default is Internet.
    net: Internet
    # The AccessKey ID and AccessKey secret of the Alibaba Cloud account or RAM user.
    # The account must have the AliyunLogFullAccess system policy permission.
    accessKeyID: ""
    accessKeySecret: ""
    # A custom cluster ID. The name can contain only uppercase letters, lowercase letters, digits, and hyphens (-).
    clusterID: ""
  3. In the loongcollector-custom-k8s-package directory, run the following command to install LoongCollector and other dependent components:

    bash k8s-custom-install.sh install
  4. After the installation is complete, check the running status of the components.

    If a pod fails to start, check whether the values.yaml configuration is correct and whether the relevant images were pulled successfully.
    # Check the pod status
    kubectl get po -n kube-system | grep loongcollector-ds

    SLS also automatically creates the following resources. You can log on to the Simple Log Service console to view them.

    • Project: the value of projectName defined in the values.yaml file. A resource management unit that isolates logs of different services. To create a Project for more flexible log resource management, see Create a Project.

    • Machine group: k8s-group-${cluster_id}. A collection of log collection nodes.

    • Logstore: config-operation-log. Stores logs of the loongcollector-operator component. Its billing method is the same as that of a regular Logstore. For more information, see Pay-by-data-written billable items. We recommend that you do not create collection configurations in this Logstore.

      Important: Do not delete this Logstore.

How can I collect logs from the same file or container standard output using multiple collection configurations?

By default, to prevent data duplication, SLS restricts each log source to be collected by only one collection configuration:

  • A text log file can match only one Logtail collection configuration.

  • A container's standard output (stdout) can also be collected by only one standard output collection configuration.

To remove this restriction so that the same file or standard output can be collected by multiple configurations, modify the target collection configuration as follows:

  1. Log on to the Simple Log Service console and go to the target project.

  2. In the navigation pane on the left, choose Logstores and find the target Logstore.

  3. Click the expand icon before its name to expand the Logstore.

  4. Click Logtail Configurations. In the configuration list, find the target Logtail configuration and click Manage Logtail Configuration in the Actions column.

  5. On the Logtail configuration page, click Edit and scroll down to the Input Configurations section:

    • To collect text file logs: Enable Allow File to Be Collected Multiple Times.

    • To collect container standard output: Enable Allow Collection by Different Logtail Configurations.

More information

Global configuration parameters

Parameter

Description

Configuration Name

The name of the Logtail configuration. It must be unique within its project. The name cannot be changed after the Logtail configuration is created.

Topic Type

Select the method for generating the log topic. Options include Machine Group Topic, File Path Extraction, and Custom.

Advanced Parameters

Other optional advanced feature parameters related to the global configuration. For more information, see Create Logtail Pipeline Configuration.

Input configuration parameters

Parameter

Description

Logtail Deployment Mode

DaemonSet: Deploys one LoongCollector on each node of the cluster to collect logs from all containers on that node.

Sidecar: Each pod runs a LoongCollector container to collect logs from all containers within that pod. Log collection for different pods is isolated.

File Path Type

Supports the following options: Path In Container and Host Path.

  • Path In Container: Select this to collect text log files from within a container.

  • Host Path: Select this to collect service logs from the cluster nodes.

File Path

Set the log directory and filename based on the log's location on the host (such as an ECS instance).

  • If the target host is a Linux system, the log path must start with a forward slash (/), for example, /apsara/nuwa/**/app.Log.

  • If the target host is a Windows system, the log path must start with a drive letter, for example, C:\Program Files\Intel\**\*.Log.

Both directory and file names support full and wildcard modes. For file name rules, see Wildcard matching. For log paths, you can use only the asterisk (*) or the question mark (?) as wildcard characters.

The log path supports multi-level directory matching. This means all files that meet the criteria in the specified directory and its subdirectories are collected. For example:

  • /apsara/nuwa/**/*.log indicates files with the .log extension in the /apsara/nuwa directory and its recursive subdirectories.

  • /var/logs/app_*/**/*.log indicates files with the .log extension in all directories that match the app_* format under the /var/logs directory and their recursive subdirectories.

  • /var/log/nginx/**/access* indicates files that start with access in the /var/log/nginx directory and its recursive subdirectories.

Maximum Directory Monitoring Depth

Set the maximum depth for monitoring the log directory. This is the maximum directory depth matched by the wildcard character ** in the File Path. 0 represents monitoring only the current directory.

Standard Output

After you enable Standard Output, Logtail collects the container's standard output.

Standard Error

After you enable Standard Error, Logtail collects the container's standard error.

Allow Collection by Different Logtail Configurations

By default, a container's standard output log can be collected by only one Logtail collection configuration. To collect the same standard output using multiple configurations, you must enable Allow Collection By Different Logtail Configurations.

Enable Container Metadata Preview

After you turn on Enable Container Metadata Preview, you can view container metadata after you create the Logtail configuration. This includes matched container information and full container information.

Container Filtering

  • Filter condition description

Important
  • Container labels are retrieved by running the docker inspect command. Container labels are different from Kubernetes labels. To retrieve them, see Obtaining Container Labels.

  • Environment variables are the information about the environment variables configured during container startup. To obtain this information, see Obtain Container Environment Variables.

  • In Kubernetes use cases, we recommend that you use Kubernetes-level information (such as K8s Pod Name Regex Match, K8s Namespace Regex Match, K8s Container Name Regex Match, and K8s Pod Label Whitelist) for container filtering.

  1. The Namespace and container name in Kubernetes are mapped to container Labels, specifically io.kubernetes.pod.namespace and io.kubernetes.container.name. We recommend that you use these two container Labels for container filtering. For example, if a pod belongs to the namespace backend-prod and the container name is worker-server, set the container label whitelist to io.kubernetes.pod.namespace : backend-prod or io.kubernetes.container.name : worker-server to collect logs from that container.

  2. If these two container labels do not meet your filtering needs, you can use the environment variable blacklist and whitelist for container filtering.

K8s Pod Name Regex Match

Specify the containers from which to collect logs by pod name. Regular expression matching is supported. For example, if you set it to ^(nginx-log-demo.*)$, it matches all containers in pods whose names start with nginx-log-demo.

K8s Namespace Regex Match

Specify the containers from which to collect logs by namespace name. Regular expression matching is supported. For example, if you set it to ^(default|nginx)$, it matches all containers in the nginx and default namespaces.

K8s Container Name Regex Match

Specify the containers from which to collect logs by container name (the Kubernetes container name is defined in spec.containers). Regular expression matching is supported. For example, if you set it to ^(container-test)$, it matches all containers named container-test.

Container Label Whitelist

The container Label whitelist specifies the containers from which to collect logs. It is empty by default, which means all container standard outputs are collected. To set a container Label whitelist, the LabelKey is required, and the LabelValue is optional.

  • If LabelValue is empty, all containers with a Label that includes the LabelKey are matched.

  • If LabelValue is not empty, only containers with a Label that matches LabelKey=LabelValue are matched.

    By default, LabelValue is a string match, which means it matches only if the LabelValue is exactly the same as the container's Label value. If the value starts with ^ and ends with $, it is a regular expression match. For example, if you set LabelKey to io.kubernetes.container.name and LabelValue to ^(nginx|cube)$, it matches containers named nginx or cube.

Multiple whitelist entries have an OR relationship, which means a container is matched if its Label satisfies any of the whitelist entries.

Container Label Blacklist

The container Label blacklist excludes containers from collection. It is empty by default, which means no containers are excluded. To set a container Label blacklist, the LabelKey is required, and the LabelValue is optional.

  • If LabelValue is empty, all containers with a Label that includes the LabelKey are excluded.

  • If LabelValue is not empty, only containers with a Label that matches LabelKey=LabelValue are excluded.

    By default, LabelValue is a string match, which means it matches only if the LabelValue is exactly the same as the container's Label value. If the value starts with ^ and ends with $, it is a regular expression match. For example, if you set LabelKey to io.kubernetes.container.name and LabelValue to ^(nginx|cube)$, it matches containers named nginx or cube.

Multiple blacklist entries have an OR relationship, which means a container is excluded if its Label satisfies any of the blacklist entries.

Environment Variable Whitelist

The environment variable whitelist specifies the containers from which to collect logs. It is empty by default, which means all container standard outputs are collected. To set an environment variable whitelist, the EnvKey is required, and the EnvValue is optional.

  • If EnvValue is empty, all containers with an environment variable that includes the EnvKey are matched.

  • If EnvValue is not empty, only containers with an environment variable that matches EnvKey=EnvValue are matched.

    By default, EnvValue is a string match, which means it matches only if the EnvValue is exactly the same as the environment variable's value. If the value starts with ^ and ends with $, it is a regular expression match. For example, if you set EnvKey to NGINX_SERVICE_PORT and EnvValue to ^(80|6379)$, it matches containers with a service port of 80 or 6379.

Multiple whitelist entries have an OR relationship, which means a container is matched if its environment variables satisfy any of the key-value pairs.

Environment Variable Blacklist

The environment variable blacklist excludes containers from collection. It is empty by default, which means no containers are excluded. To set an environment variable blacklist, the EnvKey is required, and the EnvValue is optional.

  • If EnvValue is empty, logs from all containers with an environment variable that includes the EnvKey are excluded.

  • If EnvValue is not empty, only containers with an environment variable that matches EnvKey=EnvValue are excluded.

    By default, EnvValue is a string match, which means it matches only if the EnvValue is exactly the same as the environment variable's value. If the value starts with ^ and ends with $, it is a regular expression match. For example, if you set EnvKey to NGINX_SERVICE_PORT and EnvValue to ^(80|6379)$, it matches containers with a service port of 80 or 6379.

Multiple blacklist entries have an OR relationship, which means a container is excluded if its environment variables satisfy any of the key-value pairs.

K8s Pod Label Whitelist

Specify the containers from which to collect logs using a Kubernetes Label whitelist. To set a Kubernetes Label whitelist, the LabelKey is required, and the LabelValue is optional.

  • If LabelValue is empty, all containers with a Kubernetes Label that includes the LabelKey are matched.

  • If LabelValue is not empty, only containers with a Kubernetes Label that matches LabelKey=LabelValue are matched.

    By default, LabelValue is a string match, which means it matches only if the LabelValue is exactly the same as the Kubernetes Label's value. If the value starts with ^ and ends with $, it is a regular expression match. For example, if you set LabelKey to app and LabelValue to ^(test1|test2)$, it matches containers with Kubernetes Labels app:test1 or app:test2.

Multiple whitelist entries have an OR relationship, which means a container is matched if its Kubernetes Label satisfies any of the whitelist entries.

Note
  • If you modify the Kubernetes labels of a workload resource, such as a Deployment, while it is running, the existing pods are not restarted and their labels do not change. This may cause a matching rule to become invalid. When you configure Kubernetes label whitelists and blacklists, we recommend that you match against the labels of the pods themselves. For more information about Kubernetes labels, see Labels and Selectors.

K8s Pod Label Blacklist

Exclude containers from collection using a Kubernetes Label blacklist. To set a Kubernetes Label blacklist, the LabelKey is required, and the LabelValue is optional.

  • If LabelValue is empty, all containers with a Kubernetes Label that includes the LabelKey are excluded.

  • If LabelValue is not empty, only containers with a Kubernetes Label that matches LabelKey=LabelValue are excluded.

    By default, LabelValue is a string match, which means it matches only if the LabelValue is exactly the same as the Kubernetes Label's value. If the value starts with ^ and ends with $, it is a regular expression match. For example, if you set LabelKey to app and LabelValue to ^(test1|test2)$, it matches containers with Kubernetes Labels app:test1 or app:test2.

Multiple blacklist entries have an OR relationship, which means a container is excluded if its Kubernetes Label satisfies any of the blacklist entries.

Note
  • If you modify the Kubernetes labels of a workload resource, such as a Deployment, while it is running, the existing pods are not restarted and their labels do not change. This may cause a matching rule to become invalid. When you configure Kubernetes label whitelists and blacklists, we recommend that you match against the labels of the pods themselves. For more information about Kubernetes labels, see Labels and Selectors.
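Under the same assumed ContainerFilters structure, the Kubernetes pod Label whitelist and blacklist could be written roughly as follows. IncludeK8sLabel and ExcludeK8sLabel are assumed field names, and the environment=debug label is a hypothetical example; verify the fields in Create a Logtail pipeline configuration.

# Sketch only: field names are assumed; environment=debug is a hypothetical label.
inputs:
  - Type: input_file
    FilePaths:
      - /home/admin/app*/log/*.log
    EnableContainerDiscovery: true
    ContainerFilters:
      # Whitelist: collect only from pods labeled app=test1 or app=test2 (regex match).
      IncludeK8sLabel:
        app: ^(test1|test2)$
      # Blacklist: exclude pods that carry the label environment=debug.
      ExcludeK8sLabel:
        environment: debug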

Log Tag Enrichment

Add environment variables and Kubernetes labels to logs as log tags.

Environment Variables

After you set environment variable extension fields, SLS adds environment variable-related fields to the logs. For example, if you set Environment Variable Name to VERSION and Tag Name to env_version, and the container includes the environment variable VERSION=v1.0.0, this information is added to the log as the field __tag__:__env_version__: v1.0.0.

Pod Labels

After you set Kubernetes pod extension fields, SLS adds Kubernetes pod-related fields to the logs. For example, if you set Pod Label Name to app and Tag Name to k8s_pod_app, and the Kubernetes pod includes the Label app=serviceA, this information is added to the log as the field __tag__:__k8s_pod_app__: serviceA.
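In a Logtail pipeline configuration, these tag enrichment settings could be expressed roughly as follows. ExternalEnvTag and ExternalK8sLabelTag are assumed field names; verify them in Create a Logtail pipeline configuration.

# Sketch only: field names are assumed; verify before use.
inputs:
  - Type: input_file
    FilePaths:
      - /home/admin/app*/log/*.log
    EnableContainerDiscovery: true
    # Add the container environment variable VERSION to each log as the tag env_version.
    ExternalEnvTag:
      VERSION: env_version
    # Add the pod label app to each log as the tag k8s_pod_app.
    ExternalK8sLabelTag:
      app: k8s_pod_app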

File Encoding

Select the encoding format of the log file, such as UTF-8 or GBK.

Initial Collection Size

When the configuration takes effect for the first time, this setting specifies how much existing data is collected, counted backward from the end of the file. The default initial collection size is 1,024 KB.

  • For the first collection, if the file is smaller than 1,024 KB, collection starts from the beginning of the file.

  • For the first collection, if the file is larger than 1,024 KB, collection starts from the position 1,024 KB before the end of the file.

You can modify the Initial Collection Size. Valid values: 0 to 10,485,760, in KB.
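In a Logtail pipeline configuration, the file encoding and initial collection size could be set roughly as shown below. FileEncoding and TailSizeKB are assumed field names; verify them in Create a Logtail pipeline configuration.

# Sketch only: field names are assumed; verify before use.
inputs:
  - Type: input_file
    FilePaths:
      - /home/admin/app*/log/*.log
    # Encoding of the log files, for example utf8 or gbk.
    FileEncoding: utf8
    # Initial collection size in KB; 1024 reproduces the default behavior described above.
    TailSizeKB: 1024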

Collection Blacklist

After you enable the Collection Blacklist switch, you can configure a blacklist to ignore specified directories or files during collection. It supports full matching and wildcard matching for directories and filenames. The supported wildcard characters are the asterisk (*) and the question mark (?).

Important
  • If you use a wildcard character when you configure the File Path but need to filter out some of those paths, you must enter the corresponding full path in the Collection Blacklist to ensure the blacklist configuration takes effect.

    For example, if you set File Path to /home/admin/app*/log/*.log but want to filter all subdirectories under /home/admin/app1*, you must select Directory Blacklist and configure the directory as /home/admin/app1*/**. If you configure it as /home/admin/app1*, the blacklist does not take effect.

  • Matching against a blacklist has a computational overhead. We recommend that you keep the number of blacklist entries within 10.

  • A directory path cannot end with a forward slash (/). For example, if you set the path to /home/admin/dir1/, the directory blacklist does not take effect.

You can configure a file path blacklist, a file blacklist, and a directory blacklist. The details are as follows:

File Path Blacklist

  • Select File Path Blacklist and configure the path as /home/admin/private*.log. This ignores all files in the /home/admin/ directory that start with "private" and end with ".log" during collection.

  • Select File Path Blacklist and configure the path as /home/admin/private*/*_inner.log. This ignores files that end with "_inner.log" within directories that start with "private" under the /home/admin/ directory during collection. For example, the file /home/admin/private/app_inner.log is ignored, while the file /home/admin/private/app.log is collected.

File Blacklist

Select File Blacklist and configure the filename as app_inner.log. This ignores all files named app_inner.log during collection.

Directory Blacklist

  • Select Directory Blacklist and configure the directory as /home/admin/dir1. This ignores all files in the /home/admin/dir1 directory during collection.

  • Select Directory Blacklist and configure the directory as /home/admin/dir*. This ignores all files in subdirectories that start with "dir" under the /home/admin/ directory during collection.

  • Select Directory Blacklist and configure the directory as /home/admin/*/dir. This ignores all files in subdirectories named "dir" at the second level under the /home/admin/ directory during collection. For example, files in the /home/admin/a/dir directory are ignored, while files in the /home/admin/a/b/dir directory are collected.
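The three blacklist types could be expressed in a Logtail pipeline configuration roughly as follows. ExcludeFilePaths, ExcludeFiles, and ExcludeDirs are assumed field names; verify them in Create a Logtail pipeline configuration.

# Sketch only: field names are assumed; verify before use.
inputs:
  - Type: input_file
    FilePaths:
      - /home/admin/app*/log/*.log
    # File path blacklist: skip files under /home/admin/ that start with "private" and end with ".log".
    ExcludeFilePaths:
      - /home/admin/private*.log
    # File blacklist: skip any file named app_inner.log.
    ExcludeFiles:
      - app_inner.log
    # Directory blacklist: skip everything under /home/admin/dir1 (no trailing slash).
    ExcludeDirs:
      - /home/admin/dir1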

Allow File to Be Collected Multiple Times

By default, a log file can match only one Logtail configuration. If the logs in a file need to be collected multiple times, you can enable Allow File to Be Collected Multiple Times.
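In a Logtail pipeline configuration, this switch roughly corresponds to a boolean flag such as the assumed AllowingIncludedByMultiConfigs shown below; verify the name in Create a Logtail pipeline configuration.

# Sketch only: the flag name is assumed; verify before use.
inputs:
  - Type: input_file
    FilePaths:
      - /home/admin/app*/log/*.log
    # Allow this file to also be matched and collected by other Logtail configurations.
    AllowingIncludedByMultiConfigs: true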

Advanced Parameters

For more information about other optional advanced parameters for the file input plugin, see Create a Logtail pipeline configuration.

Processor configuration parameters

Parameter

Description

Log Sample

A sample of the log to be collected. Use a log from your actual scenario. The log sample helps configure log processing parameters and reduces configuration difficulty. You can add multiple samples, with a total length not exceeding 1500 characters.

[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
    at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
    at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
    at TestPrintStackTrace.main(TestPrintStackTrace.java:16)

Multi-line Mode

  • Type: A multiline log is one where each log entry spans multiple consecutive lines, so you must specify how to identify individual log entries within the log content.

    • Custom: Use a Regex To Match First Line to distinguish each log entry.

    • Multi-line JSON: Each JSON object is expanded into multiple lines, for example:

      { "name": "John Doe", "age": 30, "address": { "city": "New York", "country": "USA" } }
  • Processing Method If Splitting Fails:

    Exception in thread "main" java.lang.NullPointerException
        at com.example.MyClass.methodA(MyClass.java:12)
        at com.example.MyClass.methodB(MyClass.java:34)
        at com.example.MyClass.main(MyClass.java:56)

    For the log content above, if SLS fails to split it:

    • Discard: Discards this log segment.

    • Retain Single Line: Retains each line of log text as a separate log entry, resulting in a total of four log entries.
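If you configure the same behavior in a Logtail pipeline configuration rather than in the console, the multi-line settings could look roughly like the following sketch. The Multiline field and its sub-fields (Mode, StartPattern, UnmatchedContentTreatment) are assumed names; verify them in Create a Logtail pipeline configuration.

# Sketch only: field names are assumed; verify before use.
inputs:
  - Type: input_file
    FilePaths:
      - /home/admin/app*/log/*.log
    Multiline:
      # Custom mode: a new entry starts with a bracketed timestamp such as [2023-10-01T10:30:01,000].
      Mode: custom
      StartPattern: '\[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3}\].*'
      # How to handle content that cannot be split: keep each line as a log (single_line) or discard it.
      UnmatchedContentTreatment: single_line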

Processing Mode

Configure processors, which include Native Plugins and Extended Plugins. For more information, see Overview of Logtail plugins for data processing.

Important

For limitations on the use of processing plugins, refer to the prompts on the console page.

  • Logtail 2.0:

    • Native plugins can be combined in any way.

    • Native and extended plugins can be used at the same time, but extended plugins can only appear after all native plugins.

  • Logtail versions earlier than 2.0:

    • Adding both native plugins and extended plugins at the same time is not supported.

    • Native plugins can only be used to collect text logs. When using native plugins, the following requirements must be met:

      • The first plugin must be regular expression parsing, delimiter-based parsing, JSON parsing, NGINX pattern parsing, Apache pattern parsing, or IIS pattern parsing.

      • From the second to the last plugin, there can be at most one time parsing plugin, one filtering plugin, and multiple data masking plugins.

    • For the Retain Original Field If Parsing Fails and Retain Original Field If Parsing Succeeds parameters, only the following combinations are valid. Other combinations are invalid.

      • Upload only successfully parsed logs.

      • Upload parsed logs on success, and upload raw logs on failure.

      • On success, upload parsed logs and append the raw log field. On failure, upload raw logs.

        For example, if the raw log "content": "{"request_method":"GET", "request_time":"200"}" is parsed successfully, appending the raw field adds another field to the parsed log. The field name is New Name Of Original Field (if left empty, it defaults to the original field name), and the field value is the raw log {"request_method":"GET", "request_time":"200"}.
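As a rough sketch of what such a native processing pipeline can look like in a Logtail pipeline configuration, the snippet below combines a regex parsing plugin with the retain-original-field options. The plugin and parameter names (processor_parse_regex_native, Keys, KeepingSourceWhenParseFail, KeepingSourceWhenParseSucceed) are assumptions; confirm them in Overview of Logtail plugins for data processing and Create a Logtail pipeline configuration.

# Sketch only: plugin and parameter names are assumed; verify before use.
processors:
  # The first plugin must be a parsing plugin (regex, delimiter, JSON, NGINX, Apache, or IIS).
  - Type: processor_parse_regex_native
    SourceKey: content
    Regex: '\[(\S+)\]\s\[(\w+)\]\s(.*)'
    Keys:
      - time
      - level
      - message
    # Retain Original Field If Parsing Fails: upload the raw log when parsing fails.
    KeepingSourceWhenParseFail: true
    # Retain Original Field If Parsing Succeeds: do not append the raw field on success.
    KeepingSourceWhenParseSucceed: false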