Log Collection and Analysis

Collection

There are various ways to collect logs from applications.

Log files collector

You can use Filebeat, Fluentd and FluentBit to collect logs, and then transport the logs to SkyWalking OAP through Kafka or HTTP protocol, with the formats Kafka JSON or HTTP JSON array.

Filebeat

Filebeat supports using Kafka to transport logs. Open kafka-fetcher and enable configs enableNativeJsonLog.

Take the following Filebeat config YAML as an example to set up Filebeat:

Fluentd

Fluentd supports using Kafka to transport logs. Open kafka-fetcher and enable configs enableNativeJsonLog.

Take the following fluentd config file as an example to set up Fluentd:

Fluent-bit

Fluent-bit sends logs to OAP directly through HTTP(rest port). Point the output address to restHost:restPort of receiver-sharing-server or core(if receiver-sharing-server is inactivated)

Take the following fluent-bit config files as an example to set up Fluent-bit:

OpenTelemetry

You can use OpenTelemetry Collector to transport the logs to SkyWalking OAP. Read the doc on Skywalking Exporter for a detailed guide.

Java agent’s toolkits

Java agent provides toolkits for log4j, log4j2, and logback to report logs through gRPC with automatically injected trace context.

SkyWalking Satellite sidecar is a recommended proxy/side that forwards logs (including the use of Kafka MQ to transport logs). When using this, open kafka-fetcher and enable configs enableNativeProtoLog.

Java agent provides toolkits for log4j, log4j2, and logback to report logs through files with automatically injected trace context.

Log framework config examples:

Python agent log reporter

SkyWalking Python Agent implements a log reporter for the logging module with functionalities aligning with the Java toolkits.

To explore how to enable the reporting features for your use cases, please refer to the Log Reporter Doc for a detailed guide.

Log Analyzer

Log analyzer of OAP server supports native log data. OAP could use Log Analysis Language to structure log content through parsing, extracting and saving logs. The analyzer also uses Meter Analysis Language Engine for further metrics calculation.

log-analyzer:
  selector: ${SW_LOG_ANALYZER:default}
  default:
    lalFiles: ${SW_LOG_LAL_FILES:default}
    malFiles: ${SW_LOG_MAL_FILES:""}

Read the doc on Log Analysis Language for more on log structuring and metrics analysis.