Simple Log Service: ASM logs

Last Updated: Dec 25, 2024

Log Service and Service Mesh (ASM) have introduced a log collection feature that facilitates the delivery of control plane logs and KubeAPI operation audit logs from ASM to Log Service for comprehensive query and analysis. This topic outlines the assets and billing associated with the log collection feature.

Feature types

  • Control plane logs: These logs pertain to configuration pushes from the control plane to data plane sidecar proxies. They are instrumental in diagnosing issues when sidecar proxies or ingress gateways become unavailable due to improper configurations.

  • KubeAPI operation audit logs: These logs document the operations performed on Istio resources by different Alibaba Cloud accounts, including virtual services, gateways, destination rules, Envoy filters, sidecar proxies, and service entries. ASM administrators can leverage these logs to monitor and trace user activities for secure operations and maintenance within clusters.

Asset details

  • Dedicated project and Logstore

    Important
    • Do not delete the associated Log Service project and Logstore before you disable log collection. If they are deleted, logs cannot be delivered to Log Service.

    • When the pay-by-ingested-data billing mode is enabled, Simple Log Service automatically generates a Logstore that adheres to this billing structure. To transition from pay-by-ingested-data to pay-by-feature billing, you must update the Logstore settings. For more information, see Manage Logstore.

    • Selecting an existing project during the enablement of control plane logs or KubeAPI operation audit logs results in the creation of a corresponding dedicated Logstore within that project, as detailed in the table below.

    • If the default project is selected, Log Service creates a project named mesh-log-Grid Instance ID in the region of the master instance and establishes a corresponding dedicated Logstore within this project, as detailed in the table below.

      | Logstore name | Description |
      | --- | --- |
      | istio-Grid Instance ID | Stores the control plane logs of an ASM instance. |
      | audit-Grid Instance ID | Stores the KubeAPI operation audit logs of an ASM instance. |

  • Dedicated dashboard

    | Dashboard | Description |
    | --- | --- |
    | Mesh audit center overview | Displays the audit information about the ASM instance, including the total number of events, number of Internet connection requests, number of unauthorized Internet connection requests, number of creation events, number of deletion events, operation distribution of RAM users, distribution of deletion events, and operation traces. |
    | Mesh resource operation overview | Displays the information about the operations that are performed on the resources in the ASM instance, including the creation, update, access, and deletion of resources such as virtual services, destination rules, gateways, sidecar proxies, Envoy filters, and service entries. |
    | Mesh resource operation detail list | Displays the details of the operations that are performed on the resources in the ASM instance, including the operation rules, created resource list, deleted resource list, updated resource list, and accessed resource list. |
    | Mesh account operation audit | Displays the operation information of ASM instances by account, including the number of created resources, number of modified resources, number of deleted resources, distribution of managed namespaces, distribution of deleted resources, and operation traces. |

Billing description

  • The log collection feature of ASM is provided at no additional charge.

  • When the Logstore uses the pay-by-feature billing mode, Log Service charges for the bucket, read traffic, request count, data manipulation, and data shipping after ASM delivers logs to Simple Log Service. For more information, see Billable items under the pay-by-feature billing mode.

  • When the Logstore uses the pay-by-ingested-data billing mode, Log Service charges are based on the volume of original data ingested after ASM has delivered logs. For more information, see Billable items for the pay-by-ingested-data billing mode.

Enable the collection of control plane logs and audit logs for an ASM instance

Enable log collection when you create an ASM instance

  1. Log on to the ASM console.

  2. Select Service Mesh > Mesh Management from the left-side navigation pane.

  3. On the Mesh Management page, click Create New Mesh.

  4. On the Create Service Mesh page, fill out the required configurations before clicking Create Service Mesh.

    1. Navigate to the Observability configuration item, select Enable Control Plane Log Collection, and choose the desired project.

    2. Go to the Mesh Audit configuration item, select Enable Mesh Audit, and then pick the target project.

    3. Set additional parameters as needed. For more information, see Create an ASM instance.

Enable log collection for an existing ASM instance

  1. Log on to the ASM console.

  2. Select Service Mesh > Mesh Management from the left-side navigation pane.

  3. Click the target mesh instance on the Mesh Management page.

  4. In the left-side navigation pane, select Mesh Instance > Basic Information.

  5. In the Configuration Information section, complete the following configurations.

    1. To enable control plane log collection, click Enable adjacent to Control Plane Log Collection and select the desired project.

    2. For KubeAPI audit logs, click Enable Audit Log Project next to Kubeapi Audit Logs and choose the appropriate project.

Related operations

Important

Disabling log collection does not automatically delete associated projects or logs that have been pushed. To avoid incurring additional charges, consider deleting the relevant projects from the Log Service console once you disable the log collection feature. For more information, see Delete Project.

| Operation | Description |
| --- | --- |
| Disable the collection of control plane logs | Navigate to the Basic Information page of the desired mesh instance and locate the Configuration Information section. Here, click Disable adjacent to the Control Plane Log Collection option. |
| Disable the collection of KubeAPI audit logs | On the Basic Information page of the target mesh instance, click Disable next to Kubeapi Audit Logs within the Configuration Information area. |

What to do next

Once the control plane and audit logs from an ASM instance are transferred to Simple Log Service, you can perform actions such as querying, analyzing, downloading, shipping, and transforming logs within the Simple Log Service console. Additionally, you can establish alert rules for these logs. For more information, see General operations on cloud product logs.
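
The following added example (not part of the original documentation or of any Alibaba Cloud tooling) shows the kind of review that downloaded KubeAPI operation audit logs support: it counts operations on Istio resources per user and lists deletions, denied requests, and Envoy filter changes. It assumes the records follow the Kubernetes audit.k8s.io/v1 Event field layout; the sample records, user names, and the function name audit_summary are constructed for illustration.

```python
import json
from collections import Counter

# Istio resource kinds the page lists as covered by KubeAPI operation audit logs.
ISTIO_RESOURCES = {"virtualservices", "gateways", "destinationrules",
                   "envoyfilters", "sidecars", "serviceentries"}
WRITE_VERBS = {"create", "update", "patch", "delete"}

# Constructed sample records, assumed to follow the Kubernetes audit.k8s.io/v1
# Event layout; the field names in a real audit Logstore may differ.
SAMPLE_LOGS = """\
{"verb":"create","user":{"username":"ram-user-a"},"objectRef":{"resource":"virtualservices","namespace":"shop","name":"cart"},"responseStatus":{"code":201}}
{"verb":"delete","user":{"username":"ram-user-b"},"objectRef":{"resource":"destinationrules","namespace":"shop","name":"cart"},"responseStatus":{"code":200}}
{"verb":"patch","user":{"username":"ram-user-b"},"objectRef":{"resource":"envoyfilters","namespace":"istio-system","name":"lua-hook"},"responseStatus":{"code":200}}
{"verb":"delete","user":{"username":"ram-user-c"},"objectRef":{"resource":"gateways","namespace":"shop","name":"edge"},"responseStatus":{"code":403}}
{"verb":"get","user":{"username":"ram-user-a"},"objectRef":{"resource":"serviceentries","namespace":"shop","name":"ext-api"},"responseStatus":{"code":200}}
{"verb":"update","user":{"username":"ram-user-a"},"objectRef":{"resource":"configmaps","namespace":"shop","name":"app"},"responseStatus":{"code":200}}
not-json line left by a truncated export
"""

def audit_summary(raw_lines):
    """Count operations per user and collect events worth an analyst's review."""
    per_user, findings, skipped = Counter(), [], 0
    for line in raw_lines.splitlines():
        try:
            ev = json.loads(line)
            ref = ev["objectRef"]
            user, verb = ev["user"]["username"], ev["verb"]
            code = ev.get("responseStatus", {}).get("code", 0)
        except (ValueError, KeyError, TypeError):
            skipped += 1          # malformed or incomplete record
            continue
        if ref.get("resource") not in ISTIO_RESOURCES:
            continue              # not an Istio resource
        per_user[(user, verb)] += 1
        target = f'{ref["resource"]}/{ref.get("namespace")}/{ref.get("name")}'
        if code == 403:
            findings.append(("denied", user, verb, target))
        elif verb == "delete":
            findings.append(("deletion", user, verb, target))
        elif ref["resource"] == "envoyfilters" and verb in WRITE_VERBS:
            findings.append(("envoyfilter-change", user, verb, target))
    return per_user, findings, skipped
```

Envoy filter changes are listed separately because they alter the configuration pushed to sidecar proxies and ingress gateways.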