Simple Log Service and Service Mesh (ASM) jointly provide the logging feature. You can use the feature to collect control plane logs and KubeAPI operation audit logs from ASM to Simple Log Service for query and analysis. This topic describes the assets and billing of the logging feature.
Log type
Control plane logs: logs that are related to configuration pushes from the ASM control plane to sidecar proxies on the data plane. In some cases, sidecar proxies or gateways become unavailable due to improper configurations. You can identify the issues based on control plane logs.
KubeAPI operation audit logs: logs that are related to the operations that different Alibaba Cloud accounts perform on Istio resources, such as virtual services, gateways, destination rules, Envoy filters, sidecar proxies, and service entries. KubeAPI operation audit logs record the daily operations of different users, which helps ASM administrators to trace the operations and ensures secure O&M in clusters.
Assets
Dedicated projects and dedicated Logstores
Important: Before you disable the logging feature, do not delete the related project or Logstore. Otherwise, logs cannot be delivered to Simple Log Service.
If you enabled the pay-by-ingested-data billing mode, Simple Log Service automatically creates a dedicated Logstore that uses the pay-by-ingested-data billing mode. If you want to switch the billing mode from pay-by-ingested-data to pay-by-feature, you can modify the configuration of the Logstore. For more information, see Manage a Logstore.
If you select an existing project when you enable the logging feature for control plane logs or KubeAPI operation audit logs, Simple Log Service creates a dedicated Logstore in the project.
If you select the default project when you enable the logging feature for control plane logs or KubeAPI operation audit logs, Simple Log Service creates a project named mesh-log-ASM instance ID in the region where the master instance resides and a dedicated Logstore in the project.
Logstore name | Description |
istio-ASM instance ID | Stores the control plane logs of an ASM instance. |
audit-ASM instance ID | Stores the KubeAPI operation audit logs of an ASM instance. |
Dedicated dashboard
Dashboard | Description |
Mesh Audit Center Overview | Displays the audit information of the ASM instance, including the total number of events, number of access requests over the Internet, number of unauthorized access requests, number of creation events, number of deletion events, operation distribution of Resource Access Management (RAM) users, distribution of deletion events, and operation traces. |
Mesh Resource Operation Overview | Displays the information about the operations that are performed on the resources in the ASM instance, including the creation, modification, access, and deletion of resources such as virtual services, destination rules, gateways, sidecar proxies, Envoy filters, and service entries. |
Mesh Resource Operation Details | Displays the details of the operations that are performed on the resources in the ASM instance, including the operation rules, created resources, deleted resources, modified resources, and accessed resources. |
Mesh Operation Audit for Accounts | Displays the operation information of ASM instances by account, including the number of created resources, number of modified resources, number of deleted resources, distribution of managed namespaces, distribution of deleted resources, and operation traces. |
Billing overview
You are not charged for logs on the ASM side.
If your Logstore uses the pay-by-feature billing mode, you are charged for storage, read traffic, number of requests, data transformation, and data shipping after the logs are collected from ASM to Simple Log Service. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-feature.
If your Logstore uses the pay-by-ingested-data billing mode, you are charged for the ingested raw data volume after the logs are collected from ASM to Simple Log Service. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-ingested-data.
Enable the logging feature for control plane logs and KubeAPI operation audit logs
Enable the logging feature when you create an ASM instance
Log on to the ASM console.
In the left-side navigation pane, choose .
On the Mesh Management page, click Create ASM Instance.
On the Create Service Mesh page, configure the following settings and click Create Service Mesh.
In the Observability section, select Enable Control-plane log collection and select a project.
In the Mesh Audit section, select Enable Mesh Audit and select a project.
Configure other parameters. For more information, see Create an ASM instance.
Enable the logging feature for an existing ASM instance
Log on to the ASM console.
In the left-side navigation pane, choose .
On the Mesh Management page, click the ASM instance that you want to manage.
In the left-side navigation pane, choose .
In the Config Info section, configure the following settings:
Control plane logs: Click Enable next to Control-plane log collection and select a project.
KubeAPI operation audit logs: Click Open Audit log project next to KubeAPI Audit Project and select a project.
Related operations
If you disable collection for the following logs, the related projects and pushed logs are not automatically deleted. To prevent additional fees, you can delete the related projects in the Simple Log Service console after you disable collection for the logs. For more information, see Delete a project.
Operation | Description |
Disable collection for control plane logs | In the Config Info section of the Basic Information page, click Disable next to Control-plane log collection. |
Disable collection for KubeAPI operation audit logs | In the Config Info section of the Basic Information page, click Disable next to KubeAPI Audit Project. |
What to do next
After the control plane logs and the KubeAPI operation audit logs of an ASM instance are collected to Simple Log Service, you can query, analyze, download, ship, and transform the logs in the Simple Log Service console. You can also create alert rules for the logs. For more information, see Common operations on logs of Alibaba Cloud services.