Collect text logs from servers


Collect text logs from ECS instances, on-premises servers, or third-party cloud hosts into Simple Log Service using LoongCollector (Logtail). Two modes are available: continuous collection (real-time incremental) and one-time collection (batch historical import).

Select a collection mode

  • Logs are written continuously; real-time monitoring and alerting required. Recommended mode: Continuous collection.

  • Import archived historical files once. Recommended mode: One-time collection.

  • System or data migration; backfilling historical data. Recommended mode: One-time collection.

  • Ad-hoc investigation of logs from a specific time period. Recommended mode: One-time collection.

Note

LoongCollector collects only incremental logs by default. To collect existing static files, use one-time collection mode.

Usage notes

  • Supported operating systems and architectures:

    LoongCollector supports Linux only. For Windows hosts, use Logtail.

    For new deployments, use LoongCollector — the next-generation Logtail replacement. Install one or the other, not both.
  • Computing resource requirements:

    • CPU: Minimum 0.4 cores.

    • Memory: Minimum 300 MB.

    • Keep usage below 80% of the limit. Actual consumption depends on collection speed, directory and file count, and send queue backlog.

  • Permission requirements:

    If you use a Resource Access Management (RAM) user, you must grant the AliyunLogFullAccess and AliyunECSFullAccess permissions. For fine-grained authorization, see Appendix: Custom permission policies.

Collection configuration workflow

  1. Preparations: Create a project (resource isolation) and a logstore (log storage).

  2. Configure a machine group (Install LoongCollector): Install LoongCollector on your servers and add them to a machine group.

  3. Create and configure log collection rules:

    1. Global and input configurations: Define the name of the collection configuration and the source and scope of log collection.

    2. Log processing and structuring: Configure processing rules based on the log format.

      • Multiline logs: For logs that span multiple lines (such as Java exception stacks), configure a regular expression to identify the start of each log and merge consecutive lines into a single entry.

      • Structured parsing: Use parsing plugins (regular expression, separator, or NGINX pattern) to extract raw strings into structured key-value pairs for independent query and analysis.

    3. Log filtering: Configure blacklists and content filters to exclude redundant data and reduce storage costs.

    4. Log categorization: Use topics to distinguish logs from different applications, servers, or path sources.

  4. Query and analysis configuration: Full-text index is enabled by default for keyword searches. Enable field index for precise queries on structured fields.

  5. Verification and troubleshooting: Verify that logs are collected. For issues such as no data, heartbeat failures, or parsing errors, see the FAQ.

Preparations

Create a project and logstore to store logs. If these already exist, skip to Configure a machine group (Install LoongCollector).

Create a project

  1. Log on to the Simple Log Service console.

  2. Click Create Project and configure the following parameters:

    • Region: Select the region of your log source. Cannot be changed after creation.

    • Project Name: Must be globally unique within Alibaba Cloud and cannot be changed after creation.

    • Keep the default settings for other configurations and click Create. For more information about other parameters, see Create a project.

Create a logstore

  1. Click the project name to go to the target project.

  2. In the navigation pane on the left, choose Log Storage and click +.

  3. On the Create Logstore page, complete the following core configurations:

    • Logstore Name: Must be unique within the project. Cannot be changed after creation.

    • Logstore Type: Select Standard or Query based on your requirements.

    • Billing Mode:

      • Pay-by-feature: Storage, indexing, and read/write operations are charged individually. Best for small-scale or unpredictable usage.

      • Pay-by-ingested-data: Billed by raw data volume. Includes 30-day free storage plus complimentary data transformation and delivery. Ideal for ~30-day retention or complex processing pipelines.

    • Data Retention Period: Log retention in days (1–3,650). 3,650 = permanent. Default: 30 days.

    • Keep the default settings for other configurations and click OK. For more information about other configurations, see Manage a logstore.

Step 1: Configure a machine group (Install LoongCollector)

After you complete the Preparations, install LoongCollector on your servers and add them to a machine group.

Note

These steps apply only to ECS instances in the same account and region as the SLS project.

For cross-account, cross-region, or on-premises scenarios, see Install and configure LoongCollector.

Procedure:

  1. On the Logstores page, click the icon before the target logstore name to expand it.

  2. Click the icon next to Data Collection, and in the Quick Data Import dialog box, select a text log collection template (such as Single Line - Text Log) and click Integrate Now.

    All text log templates share the same configuration and differ only in parsing plugins. You can modify the configuration later.

  3. On the Machine Group Configurations page, configure the following parameters:

    • Scenario: Servers

    • Installation Environment: ECS

    • Select Machine Group: Based on the LoongCollector installation status and machine group configuration of the target server, select the corresponding operation:

      • If LoongCollector is already installed and added to a machine group, select the machine group from Source Machine Group and move it to Applied Server Groups.

      • If LoongCollector is not installed, click Create Machine Group:

        Follow these steps to install LoongCollector automatically and create a machine group.
        1. The system lists ECS instances in the same region as the project. Select the instances to collect logs from.

        2. Click Install and Create Machine Group. The system automatically installs LoongCollector on the selected ECS instances.

        3. Configure the machine group Name and click OK.

        Note

        If the installation fails or remains in a waiting state, check whether the ECS region is the same as the project region.

      • To add a server with LoongCollector already installed to an existing machine group, see the FAQ How do I add a server to an existing machine group?

  4. Check the heartbeat status: Click Next. The Machine Group Heartbeat section appears. Check the Heartbeat status. If it is OK, the machine group connection is normal. Click Next to go to the Logtail configuration page.

    If the status is FAIL, wait about two minutes and refresh. If still FAIL, see Machine group heartbeat is FAIL for further troubleshooting.

Step 2: Create and configure log collection rules

After completing LoongCollector installation and machine group configuration, go to the Logtail Configuration page to define collection and processing rules.

1. Global and input configurations

Define the name of the collection configuration and the source and scope of log collection.

Global Configurations:

  • Configuration Name: A custom name for the collection configuration. This name must be unique within the project and cannot be changed after it is created. Naming conventions:

    • Can contain only lowercase letters, digits, hyphens (-), and underscores (_).

    • Must start and end with a lowercase letter or a digit.

Input Configurations:

  • Type: Text Log Collection.

  • File Path: The log collection path.

    • Linux: The path must start with a forward slash (/). For example, /data/mylogs/**/*.log indicates all files with the .log extension in the /data/mylogs directory and its subdirectories.

    • Windows: The path must start with a drive letter. For example, C:\Program Files\Intel\**\*.Log.

  • Maximum Directory Monitoring Depth: The maximum depth of directories matched by the ** wildcard character in the File Path. The default value is 0, which indicates that only the current directory is monitored.


2. Log processing and structuring

Configure processing rules to structure raw logs into searchable key-value pairs. First, add a log sample:

In the Processor Configurations section of the Logtail Configuration page, click Add Sample Log and enter a sample log. The system identifies the format and generates parsing rules automatically.

Use case 1: Process multiline logs (such as Java stack logs)

Logs such as Java exception stacks span multiple lines. Without multiline mode, they are split into incomplete records. Enable multiline mode and set a Regex to Match First Line to merge consecutive lines into a single log.

Example (the original screenshots are not reproduced here):

  • Raw log without any processing.

  • Default collection mode: each line is a separate log, breaking the stack trace and losing context.

  • Multiline mode enabled: a Regex to Match First Line identifies the complete log, preserving its full semantic structure.

Procedure: In the Processor Configurations section of the Logtail Configuration page, enable Multi-line Mode:

  • For Type, select Custom or Multi-line JSON.

    • Custom: For raw logs with a variable format, configure a Regex to Match First Line to identify the starting line of each log.

      • Regex to Match First Line: Automatically generate or manually enter a regular expression that matches a complete line of data. For example, the regular expression for the preceding example is \[\d+-\d+-\w+:\d+:\d+,\d+]\s\[\w+]\s.*.

        • Automatic generation: Click Generate. Then, in the Log Sample text box, select the log content that you want to extract and click Automatically Generate.

        • Manual entry: Click Manually Enter Regular Expression. After you enter the expression, click Validate.

    • Multi-line JSON: SLS automatically handles line breaks within a single raw log if the log is in standard JSON format.

  • Processing Method If Splitting Fails:

    • Discard: Discards a text segment if it does not match the start-of-line rule.

    • Retain Single Line: Retains unmatched text on separate lines.
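The merge behaviour described above, as an added Python example (not LoongCollector's own code): lines are grouped at each line that fully matches the page's Regex to Match First Line, and text with no start line is dropped or kept according to the Processing Method If Splitting Fails setting. The sample log, the function name merge_multiline and the on_fail values are assumptions made for this illustration.

```python
import re

# First-line regex quoted on this page for the Java stack example.
FIRST_LINE = re.compile(r"\[\d+-\d+-\w+:\d+:\d+,\d+]\s\[\w+]\s.*")

# Constructed sample: an orphan stack frame with no start line, then two
# log entries, the first of which carries a two-line stack trace.
SAMPLE = """\
    at com.example.Orphan.run(Orphan.java:7)
[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
    at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
    at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
[2023-10-01T10:30:02,120] [WARN] retrying connection
"""


def merge_multiline(lines, first_line=FIRST_LINE, on_fail="discard"):
    """Group lines into log entries.

    A new entry starts at every line that fully matches first_line; the
    lines that follow are appended to it. Text that appears before any
    start line cannot be assigned to an entry (a simplified model of
    "splitting fails"): on_fail="discard" drops it, on_fail="retain"
    keeps each such line as its own single-line entry.
    """
    entries, current = [], None
    for line in lines:
        if first_line.fullmatch(line):
            if current is not None:
                entries.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
        elif on_fail == "retain":
            entries.append(line)
        # on_fail == "discard": the orphan line is dropped
    if current is not None:
        entries.append("\n".join(current))
    return entries


if __name__ == "__main__":
    raw = SAMPLE.splitlines()
    print("default mode entries:", len(raw))
    for mode in ("discard", "retain"):
        merged = merge_multiline(raw, on_fail=mode)
        print(f"multiline mode ({mode}): {len(merged)} entries")
        for entry in merged:
            print("  ---")
            print(entry)
```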

Use case 2: Structured logs

Raw logs in unstructured formats (such as NGINX access logs) are hard to query directly. SLS parsing plugins convert them into structured key-value pairs for analysis and alerting.

Example:

Raw log:

    192.168.*.* - - [15/Apr/2025:16:40:00 +0800] "GET /nginx-logo.png HTTP/1.1" 0.000 514 200 368 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.*.* Safari/537.36"

Structured log:

    body_bytes_sent: 368
    http_referer: -
    http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.x.x Safari/537.36
    remote_addr: 192.168.*.*
    remote_user: -
    request_length: 514
    request_method: GET
    request_time: 0.000
    request_uri: /nginx-logo.png
    status: 200
    time_local: 15/Apr/2025:16:40:00

Procedure: In the Processor Configurations section of the Logtail Configuration page

  1. Add a parsing plugin: Click Add Processor and configure a plugin such as regular expression parsing, separator parsing, or JSON parsing based on the actual format. This example uses NGINX log collection and selects Native Processor > Data Parsing (NGINX Mode).

  2. NGINX Log Configuration: Copy the log_format definition from the NGINX server configuration file (nginx.conf) and paste it into this text box.

    Example:

    log_format main  '$remote_addr - $remote_user [$time_local] "$request" '
                     '$request_time $request_length '
                     '$status $body_bytes_sent "$http_referer" '
                     '"$http_user_agent"';

    Important

    The format definition here must be exactly the same as the format that generates the logs on the server. Otherwise, log parsing fails.

  3. Description of common configuration parameters: The following parameters appear in multiple data parsing plugins and have a unified function and usage.

    • Original Field: The source field to parse. Default: content (the entire collected log entry).

    • Retain Original Field if Parsing Fails: Preserves the original log content when parsing fails (for example, due to a format mismatch).

    • Retain Original Field if Parsing Succeeds: Retains the original log content even after successful parsing.
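Why the log_format must match exactly, as an added Python example (a simplified illustration, not the NGINX Mode plugin's implementation): the format string is turned into a regular expression with one named group per variable, so a line written with a different format does not parse. The function names, the keep_on_fail flag and both sample lines are assumptions; the first line is the page's sample with the masked octets filled in with constructed values.

```python
import re

# log_format from this page's example, joined into one string.
LOG_FORMAT = ('$remote_addr - $remote_user [$time_local] "$request" '
              '$request_time $request_length '
              '$status $body_bytes_sent "$http_referer" '
              '"$http_user_agent"')

# Constructed line that follows LOG_FORMAT.
SAMPLE_LINE = ('192.168.0.1 - - [15/Apr/2025:16:40:00 +0800] '
               '"GET /nginx-logo.png HTTP/1.1" 0.000 514 200 368 "-" '
               '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
               '(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"')

# Constructed line from a server whose format omits
# $request_time and $request_length.
MISMATCHED_LINE = ('192.168.0.1 - - [15/Apr/2025:16:40:00 +0800] '
                   '"GET /nginx-logo.png HTTP/1.1" 200 368 "-" "curl/8.5.0"')


def compile_log_format(fmt):
    """Build a regex from a log_format string.

    Literal text is escaped; each $variable becomes a named group that
    runs up to the literal character following it in the format.
    """
    parts, pos = [], 0
    for m in re.finditer(r"\$(\w+)", fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        delim = fmt[m.end():m.end() + 1]
        value = f"[^{re.escape(delim)}]*" if delim else ".*"
        parts.append(f"(?P<{m.group(1)}>{value})")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("".join(parts))


NGINX_RE = compile_log_format(LOG_FORMAT)


def parse_line(regex, line):
    """Return the structured fields, or None when the line does not fit."""
    m = regex.fullmatch(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Split $request into method and URI, as in the page's structured log.
    request = fields.pop("request", None)
    if request is not None:
        method, _, rest = request.partition(" ")
        fields["request_method"] = method
        fields["request_uri"] = rest.rsplit(" ", 1)[0]
    return fields


def process(line, keep_on_fail=True):
    """Model of "Retain Original Field if Parsing Fails" for the content field."""
    fields = parse_line(NGINX_RE, line)
    if fields is not None:
        return fields
    return {"content": line} if keep_on_fail else {}


if __name__ == "__main__":
    for key, value in sorted(process(SAMPLE_LINE).items()):
        print(f"{key}: {value}")
    print("mismatched format ->", process(MISMATCHED_LINE))
```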


3. Log filtering

Low-value logs (DEBUG, INFO) waste storage, increase costs, reduce query efficiency, and risk data exposure. Use filtering to collect only relevant logs.

Reduce costs with content filtering

Filter fields based on log content, such as collecting only logs where the level is WARNING or ERROR.

Example:

Raw log without any processing:

    {"level":"WARNING","timestamp":"2025-09-23T19:11:40+0800","cluster":"yilu-cluster-0728","message":"Disk space is running low","freeSpace":"15%"}
    {"level":"ERROR","timestamp":"2025-09-23T19:11:42+0800","cluster":"yilu-cluster-0728","message":"Failed to connect to database","errorCode":5003}
    {"level":"INFO","timestamp":"2025-09-23T19:11:47+0800","cluster":"yilu-cluster-0728","message":"User logged in successfully","userId":"user-123"}

Collect only WARNING or ERROR logs:

    {"level":"WARNING","timestamp":"2025-09-23T19:11:40+0800","cluster":"yilu-cluster-0728","message":"Disk space is running low","freeSpace":"15%"}
    {"level":"ERROR","timestamp":"2025-09-23T19:11:42+0800","cluster":"yilu-cluster-0728","message":"Failed to connect to database","errorCode":5003}

Procedure: In the Processor Configurations section of the Logtail Configuration page

Click Add Processor and select Native Processor > Data Filtering:

  • Field Name: The log field to use for filtering.

  • Field Value: The regular expression used for filtering. Only full matches are supported, not partial keyword matches.
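The full-match rule for Field Value, as an added Python example (not the Data Filtering processor's code): a pattern that only contains a keyword keeps nothing, which silently drops every log. The function name apply_filter is an assumption, the logs are assumed to be already parsed into JSON fields, and the three lines are the raw logs from the example above.

```python
import json
import re

# The three raw lines from this page's content-filtering example.
RAW = [
    '{"level":"WARNING","timestamp":"2025-09-23T19:11:40+0800","cluster":"yilu-cluster-0728","message":"Disk space is running low","freeSpace":"15%"}',
    '{"level":"ERROR","timestamp":"2025-09-23T19:11:42+0800","cluster":"yilu-cluster-0728","message":"Failed to connect to database","errorCode":5003}',
    '{"level":"INFO","timestamp":"2025-09-23T19:11:47+0800","cluster":"yilu-cluster-0728","message":"User logged in successfully","userId":"user-123"}',
]


def apply_filter(raw_lines, field, pattern):
    """Split entries into (kept, dropped).

    An entry is kept only when the whole value of `field` matches
    `pattern`; a keyword that matches part of the value does not count.
    Entries without the field are dropped (assumption of this sketch).
    """
    regex = re.compile(pattern)
    kept, dropped = [], []
    for raw in raw_lines:
        entry = json.loads(raw)
        value = entry.get(field)
        if value is not None and regex.fullmatch(str(value)):
            kept.append(entry)
        else:
            dropped.append(entry)
    return kept, dropped


if __name__ == "__main__":
    for field, pattern in [("level", "WARNING|ERROR"),   # intended rule
                           ("level", "WARN"),            # partial keyword
                           ("message", "Failed"),        # partial keyword
                           ("message", "Failed.*")]:     # full-match form
        kept, dropped = apply_filter(RAW, field, pattern)
        print(f"{field} =~ {pattern!r}: kept {len(kept)}, dropped {len(dropped)}")
```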

Control collection scope with a blacklist

Use a blacklist to exclude specified directories or files, preventing irrelevant or sensitive logs from being uploaded.

Procedure: In the Input Configurations > Other Input Configurations section of the Logtail Configuration page, enable Collection Blacklist and click Add.

Supports full and wildcard matching for directories and filenames. The only supported wildcard characters are the asterisk (*) and the question mark (?).
  • File Path Blacklist: Specifies the file paths to exclude. Examples:

    • /home/admin/private*.log: Ignores all files in the /home/admin/ directory that start with private and end with .log.

    • /home/admin/private*/*_inner.log: Ignores files that end with _inner.log within directories that start with private under the /home/admin/ directory.

  • File Blacklist: A list of filenames to ignore during collection. Example:

    • app_inner.log: Ignores all files named app_inner.log during collection.

  • Directory Blacklist: Directory paths cannot end with a forward slash (/). Examples:

    • /home/admin/dir1/: The directory blacklist will not take effect.

    • /home/admin/dir*: Ignores files in all subdirectories that start with dir under the /home/admin/ directory during collection.

    • /home/admin/*/dir: Ignores all files in subdirectories named dir at the second level of the /home/admin/ directory. For example, files in the /home/admin/a/dir directory are ignored, but files in the /home/admin/a/b/dir directory are collected.
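A pre-deployment check for the blacklist rules above, as an added Python example (not LoongCollector's matcher): it reports which candidate files would still be collected and flags directory patterns that end with a forward slash and therefore have no effect. The function names and sample paths are assumptions, as is the model itself: wildcards do not cross a forward slash, and excluding a directory excludes everything beneath it.

```python
import posixpath
import re


def wildcard_to_regex(pattern):
    """Translate a blacklist pattern; * and ? never match '/'."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))


def ancestors(path):
    """Yield each directory above a file: /a/b/c.log -> /a/b, /a."""
    directory = posixpath.dirname(path)
    while directory and directory != "/":
        yield directory
        directory = posixpath.dirname(directory)


def is_excluded(path, file_paths=(), files=(), dirs=()):
    """True when any of the three blacklist types covers the file."""
    if any(wildcard_to_regex(p).fullmatch(path) for p in file_paths):
        return True
    name = posixpath.basename(path)
    if any(wildcard_to_regex(p).fullmatch(name) for p in files):
        return True
    # A pattern ending in '/' can never equal a directory path here,
    # which reproduces "the directory blacklist will not take effect".
    dir_regexes = [wildcard_to_regex(p) for p in dirs]
    return any(rx.fullmatch(d) for d in ancestors(path) for rx in dir_regexes)


def ineffective_dir_patterns(dirs):
    """Directory patterns that end with '/' and so exclude nothing."""
    return [p for p in dirs if p.endswith("/")]


def still_collected(paths, **blacklist):
    """Paths the blacklist does not cover."""
    return [p for p in paths if not is_excluded(p, **blacklist)]


# Constructed candidate files, checked against the page's example patterns.
CANDIDATES = [
    "/home/admin/private_keys.log",
    "/home/admin/private1/app_inner.log",
    "/home/admin/a/dir/x.log",
    "/home/admin/a/b/dir/x.log",
    "/home/admin/dir1/x.log",
]
BLACKLIST = {
    "file_paths": ["/home/admin/private*.log",
                   "/home/admin/private*/*_inner.log"],
    "dirs": ["/home/admin/*/dir", "/home/admin/dir1/"],
}

if __name__ == "__main__":
    print("no effect:", ineffective_dir_patterns(BLACKLIST["dirs"]))
    for path in still_collected(CANDIDATES, **BLACKLIST):
        print("still collected:", path)
```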

4. Log categorization

When logs from multiple applications or instances share the same format but have different paths (for example, /apps/app-A/run.log and /apps/app-B/run.log), topics help distinguish their sources for precise queries within a single logstore.

Procedure: Global Configurations > Other Global Configurations > Log Topic Type: Select a method for generating topics. The following three types are supported:

  • Machine Group Topic: When a collection configuration is applied to multiple machine groups, LoongCollector uses the server's machine group name as the __topic__ field. Suitable for dividing logs by host.

  • Custom: Uses the format customized://<custom_topic_name>, such as customized://app-login. This format is suitable for static topic use cases with fixed business identifiers.

  • File Path Extraction: Extract key information from the log file path to dynamically mark the log source. This is suitable when multiple users or applications share the same log filename but differ in path:

    /data/logs
    ├── userA
    │   └── serviceA
    │       └── service.log
    ├── userB
    │   └── serviceA
    │       └── service.log
    └── userC
        └── serviceA
            └── service.log

    Configure File Path Extraction and use a regular expression to extract key information from the full path. The matched result is then uploaded to the logstore as the topic.

    File path extraction rule: Based on regular expression capturing groups

    When you configure a regular expression, the system automatically determines the output field format based on the number and naming of capturing groups. In the regular expression for a file path, you must escape the forward slash (/). The rules are as follows:

    • Single capturing group (only one (.*?))

      • Use case: Only one dimension is needed to distinguish the source (such as username or environment).

      • Generated field: Generates the __topic__ field.

      • Regex example: \/logs\/(.*?)\/app\.log

      • Matching path example: /logs/userA/app.log

      • Generated field example: __topic__: userA

    • Multiple capturing groups - unnamed (multiple (.*?))

      • Use case: Multiple dimensions are needed to distinguish the source, but no semantic tags are required.

      • Generated field: Generates a tag field __tag__:__topic_{i}__, where {i} is the ordinal number of the capturing group.

      • Regex example: \/logs\/(.*?)\/(.*?)\/app\.log

      • Matching path example: /logs/userA/svcA/app.log

      • Generated field example: __tag__:__topic_1__: userA; __tag__:__topic_2__: svcA

    • Multiple capturing groups - named (using (?P<name>.*?))

      • Use case: Multiple dimensions are needed to distinguish the source, and the field meanings should be clear for easy querying and analysis.

      • Generated field: Generates a tag field __tag__:{name}.

      • Regex example: \/logs\/(?P<user>.*?)\/(?P<service>.*?)\/app\.log

      • Matching path example: /logs/userA/svcA/app.log

      • Generated field example: __tag__:user: userA; __tag__:service: svcA
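The capturing-group rules above, as an added Python example (not SLS code): one function maps a path regex and a file path to the fields each rule generates, using the page's three regex examples. The function name topic_fields is an assumption, as are the choice to require the regex to match the whole path and the handling of a regex that contains any named group; the last case shows that (.*?) can capture across a forward slash, and a tighter group that avoids it.

```python
import re


def topic_fields(path_regex, path):
    """Return the fields generated for `path` under the rules above.

    Named groups          -> __tag__:{name}
    One unnamed group     -> __topic__
    Several unnamed groups -> __tag__:__topic_{i}__
    An unmatched path generates nothing.
    """
    regex = re.compile(path_regex)
    match = regex.fullmatch(path)
    if match is None:
        return {}
    if regex.groupindex:
        return {f"__tag__:{name}": match.group(name)
                for name in regex.groupindex}
    if regex.groups == 1:
        return {"__topic__": match.group(1)}
    return {f"__tag__:__topic_{i}__": match.group(i)
            for i in range(1, regex.groups + 1)}


# Regexes taken from the page's examples.
SINGLE = r"\/logs\/(.*?)\/app\.log"
UNNAMED = r"\/logs\/(.*?)\/(.*?)\/app\.log"
NAMED = r"\/logs\/(?P<user>.*?)\/(?P<service>.*?)\/app\.log"

# Constructed variant: the group cannot contain a forward slash, so one
# path segment is the most it can capture.
SINGLE_STRICT = r"\/logs\/([^\/]+)\/app\.log"

if __name__ == "__main__":
    cases = [
        (SINGLE, "/logs/userA/app.log"),
        (UNNAMED, "/logs/userA/svcA/app.log"),
        (NAMED, "/logs/userA/svcA/app.log"),
        # Constructed path with an extra directory level.
        (SINGLE, "/logs/userA/extra/app.log"),
        (SINGLE_STRICT, "/logs/userA/extra/app.log"),
    ]
    for regex, path in cases:
        print(f"{regex}  on  {path}")
        print("   ->", topic_fields(regex, path))
```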

5. Output configuration

By default, all logs are sent to the current logstore with lz4 compression. To send logs from the same source to different logstores:

Dynamic distribution to multiple targets

Important
  • Sending logs to multiple targets is available only for LoongCollector 3.0.0 and later. This feature is not supported by Logtail.

  • Up to five output targets can be configured.

  • After you configure multiple output targets, the collection configuration is no longer visible in the collection configuration list of the current logstore. To view, modify, or delete the multi-target distribution configuration, see How do I manage multi-target distribution configurations?

Procedure: In the Output Configurations section of the Logtail Configuration page

  1. Click the icon to expand the output configuration.

  2. Click Add Output Targets and configure the following settings:

    • Logstore: Select the target logstore.

    • Compression Method: Select lz4 or zstd.

    • Route Settings: Routes logs based on tag fields. Logs that match the routing rules are sent to the target logstore. If this configuration is empty, all collected logs are sent to the target logstore.

      • Tag Name: The name of the tag field used for routing. Enter the field name directly, such as __path__, without the __tag__: prefix. Tag fields fall into two categories:

        • Agent-related: These tags are related to the collection agent and are independent of any plugins. Examples include __hostname__ and __user_defined_id__.

        • Input plugin-related: These tags depend on the input plugin, which adds and enriches the log with relevant information. Examples include __path__ for file collection, and _pod_name_ and _container_name_ for Kubernetes collection.

        For more information about tags, see Manage LoongCollector tags.

      • Tag Value: If a log's tag value matches this value, the log is sent to this target logstore.

      • Discard this tag?: If you enable this option, this tag field is removed from the uploaded logs.

Step 3: Query and analysis configuration

After configuring log processing and plugins, click Next to go to the Query and Analysis Configurations page:

  • Full-text index is enabled by default, which supports keyword searches on raw log content.

  • For precise queries by field, wait for the Preview Data to load, and then click Automatic Index Generation. SLS generates a field index based on the first entry in the preview data.

After the configuration is complete, click Next to finish setting up the entire collection process.

Step 4: Verification and troubleshooting

After saving the configuration and applying it to the machine group, verify log collection with the following checklist.

Verification checklist

  1. Confirm that the log file has new content: LoongCollector collects only incremental logs. Run tail -f /path/to/your/log/file and trigger a business operation to ensure that new logs are being written.

  2. Check the LoongCollector status: sudo /etc/init.d/loongcollectord status.

  3. Check the machine group heartbeat: Go to the Resources > Machine Groups page. Click the target machine group name. In the Machine Group Configurations > Machine Group Status section, check the Heartbeat status.

    • If the heartbeat is OK, the machine group is connected to the SLS project.

    • If the heartbeat is FAIL, see Machine group heartbeat is FAIL for troubleshooting.

  4. Query logs: Go to the query and analysis page of the target logstore. Click Search & Analyze (the default time range is the last 15 minutes) and check whether new logs are flowing in.

Troubleshooting common issues

Machine group heartbeat is FAIL

  1. Check the user ID: If your server is not an ECS instance, or if the ECS instance and the project belong to different Alibaba Cloud accounts, check whether the correct user ID exists in the specified directory. If it does not, run the following command to create it manually.

    • Linux: Run the cd /etc/ilogtail/users/ && touch <uid> command to create the user ID file.

    • Windows: Go to the C:\LogtailData\users\ directory and create an empty file named <uid>.

  2. Check the machine group ID: If you used a custom ID when you created the machine group, check whether the user_defined_id file exists in the specified directory. If it exists, check whether the content of the file is consistent with the custom ID configured for the machine group.

    • Linux:

      # Configure a custom ID. If the directory does not exist, create it manually.
      echo "user-defined-1" > /etc/ilogtail/user_defined_id
    • Windows: In the C:\LogtailData directory, create a new file named user_defined_id and write the custom ID to it. (If the directory does not exist, create it manually.)

  3. If both the user ID and the machine group ID are configured correctly, see Troubleshooting LoongCollector (Logtail) machine group issues for further investigation.


No data is collected

  1. Check for incremental logs: LoongCollector (Logtail) collects only incremental logs. If no new logs are added to the target file, no data is collected.

  2. Check the machine group heartbeat status: Go to the Resources > Machine Groups page. Click the target machine group name. In the Machine Group Configurations > Machine Group Status section, check the Heartbeat status.

    • If the heartbeat is OK, the machine group is connected to the SLS project.

    • If the heartbeat is FAIL, see Machine group heartbeat is FAIL for troubleshooting.

  3. Confirm the collection configuration is applied to the machine group: A collection configuration that is not applied to a machine group cannot collect logs.

    1. Go to the Resources > Machine Groups page, click the target machine group name, and go to the Machine Group Configurations page.

    2. On the page, view Manage Configuration. The left side shows All Logtail Configurations, and the right side shows Applied Logtail Configs. If the target LoongCollector (Logtail) collection configuration has been moved to the applied area on the right, the configuration has been successfully applied to the target machine group.

    3. If the target LoongCollector (Logtail) collection configuration has not been moved to the applied area on the right, click Modify. In the All Logtail Configurations list on the left, select the target LoongCollector (Logtail) configuration name, click the icon to move it to the applied area on the right, and then click Save.


Log collection errors or format errors

Network and basic configuration are normal. The problem is likely a mismatch between log content and parsing rules:

  1. On the Logtail Configuration page, click the name of the LoongCollector (Logtail) configuration that has a collection error. On the Log Collection Error tab, click Select Time Range to set the query time.

  2. In the Collection Exception Monitoring > Complete Error Information section, view the alarm metric of the error log and find the corresponding solution in Common errors in data collection.

Limitations

Each item below is followed by its limitations.

Length of a single log

The default limit is 512 KB. Adjust this using the max_read_buffer_size startup parameter, up to a maximum of 8 MB. For more information, see Logtail parameters and configuration files.

After a multiline log is split by the Regex to Match First Line, the size limit for each log is still 512 KB. If a log exceeds 512 KB, it is forcibly split into multiple entries for collection. For example, if a single log is 1,025 KB, the first 512 KB is processed, then the next 512 KB, and finally the remaining 1 KB. The final result is multiple incomplete log entries.

File encoding

Supports log files with UTF-8 or GBK encoding. Use UTF-8 for better processing performance.

Warning

If the log file uses another encoding format, issues such as garbled characters and data loss may occur.

Log file rotation

The default size of the log rotation queue is 20. Adjust this using the logreader_max_rotate_queue_size startup parameter. For more information, see Logtail parameters and configuration files.

Set the collection path to xxx.log or xxx.log* format.

Important

Do not mix these two formats in the same Logtail instance. Otherwise, the same file may match multiple Logtail collection configurations, which results in duplicate collection.

If more than 20 files are not yet processed, newly generated logs will be lost. In such cases, first check whether the logstore shard write quota is exceeded and adjust the Logtail concurrency level. For more information, see Logtail parameters and configuration files.

For more information, see the related technical article.

Collection behavior when log parsing is blocked

When log parsing is blocked, Logtail keeps the log file descriptor open to prevent the file from being deleted, which would cause data loss.

If multiple log file rotations occur while parsing is blocked, Logtail places the files in the rotation queue.

Regular expression

Supports Perl Compatible Regular Expressions (PCRE).

JSON

Fully supports standard JSON (RFC7159, ECMA-404). Non-standard JSON, such as {"name": "\xE5\xAD\xA6"}, is not supported.

File opening behavior

Logtail keeps the collected file and the files in the rotation queue open to ensure data integrity. The file is closed in the following situations:

  • The file has not been modified for more than 5 minutes.

  • Rotation has occurred and collection is complete.

  • The Logtail collection configuration has changed.

To release the file handle within a set time after the file is deleted, configure the force_release_deleted_file_fd_timeout startup parameter. For more information, see Logtail parameters and configuration files.

Initial log collection behavior

Logtail collects only incremental logs. When a file is first detected as modified, if it exceeds 1 MB (512 KB for container standard output), collection starts from the last 1 MB. Otherwise, collection starts from the beginning.

Adjust the initial collection size for new files using the tail_size_kb parameter in the Logtail collection configuration. For more information, see Logtail Configuration (legacy).

If the log file is not modified after the Logtail collection configuration is applied, Logtail does not collect that file. To collect historical files, see Import historical log files.

Behavior when a file is overwritten

Logtail identifies files using the inode plus a hash of the first 1,024 bytes. If a file is overwritten and either value changes, it is treated as a new file and collected from the beginning. Otherwise, it is skipped.

Behavior when a file is moved

After a file is moved, if it matches a Logtail configuration that has never matched this file before, it is treated as a new file and collected from the beginning. Otherwise, it is skipped.

File collection history

Logtail keeps file collection history in memory to ensure only incremental data is collected. If a write targets a log outside the retention range, duplicate collection may occur.

  • By default, historical files from the last month are retained.

  • If there are more than 5,000 historical files in the same directory, only records from the last week are kept.

  • If there are more than 10,000 historical files in the same directory, only records from the last day are kept.

Non-standard text logs

For lines in logs that contain \0, versions later than 2.1.10 and 3.0.12 retain only the \0 in the middle of the log. The prefix and suffix \0 parts are discarded. Other versions may truncate at the first \0 or retain it completely. Upgrade to the latest version to avoid this issue. For other escape characters (such as ASCII colors) or invisible characters, Logtail reports them as is.

Billing

  • Installing LoongCollector or Logtail is free of charge.

  • Log ingestion, storage, indexing, queries, transformation, and shipping are charged based on the logstore's billing mode.

  • If you enable Global Accelerator during installation or configuration, additional traffic fees apply for data transmitted over the accelerated network.

FAQ

How do I manage multi-target distribution configurations?

Multi-target distribution configurations are associated with multiple logstores. Manage them from the project-level page:

  1. Log on to the Simple Log Service console and click the name of the target project.

  2. On the project page, choose Resources > Configurations from the navigation pane on the left.

    Note

    This page provides centralized management for all collection configurations in the project, including those left behind after logstore deletion.

How do I send logs from an ECS server to a project in another Alibaba Cloud account?

If you have not installed LoongCollector, see Install LoongCollector on Linux and select the appropriate cross-account use case for installation.

If LoongCollector is already installed, configure a user ID to authorize the SLS project owner to access and collect logs from this server.

Configure a user ID only when collecting logs from non-account ECS instances, on-premises servers, or third-party cloud servers.
  1. Copy the ID of the Alibaba Cloud account that owns SLS: Hover your mouse over the profile picture in the upper-right corner. View and copy the account ID from the tab that appears.

  2. Log on to the server from which you want to collect logs and create an Alibaba Cloud account ID file to configure the user ID:

    touch /etc/ilogtail/users/{Alibaba_Cloud_account_ID} # If the /etc/ilogtail/users directory does not exist, create it manually. The user ID configuration file only needs a filename, not a file extension.

How do I send logs from an ECS server to a project in the same account but a different region?

If you have not installed LoongCollector, see Install LoongCollector on Linux and select the appropriate cross-region use case for installation.

If LoongCollector is already installed, modify its configuration.

  1. Run the sudo /etc/init.d/ilogtaild stop command to stop LoongCollector.

  2. Modify the LoongCollector startup configuration file ilogtail_config.json. Choose one of the following two methods based on your network requirements:

    Configuration file path: /usr/local/ilogtail/ilogtail_config.json

    • Method 1: Use the Internet for transmission

      See RegionID and replace the region in the configuration file with the region where SLS is located. The fields to modify include the following:

      • primary_region

      • The region part in config_servers

      • The region and the region part of endpoint_list in data_servers

    • Method 2: Use transfer acceleration

      Replace the endpoint line in the data_server_list parameter with log-global.aliyuncs.com. For the file path, see Logtail parameters and configuration files.

    Configuration file example

    $ cat /usr/local/ilogtail/ilogtail_config.json
    {
        "primary_region" : "cn-shanghai",
        "config_servers" :
        [
            "http://logtail.cn-shanghai.log.aliyuncs.com"
        ],
        "data_servers" :
        [
            {
                "region" : "cn-shanghai",
                "endpoint_list": [
                    "cn-shanghai.log.aliyuncs.com"
                ]
            }
        ],
        "cpu_usage_limit" : 0.4,
        "mem_usage_limit" : 384,
        "max_bytes_per_sec" : 20971520,
        "bytes_per_sec" : 1048576,
        "buffer_file_num" : 25,
        "buffer_file_size" : 20971520,
        "buffer_map_num" : 5
    }

  3. Run the sudo /etc/init.d/ilogtaild start command to start LoongCollector.
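
The Method 1 edit from step 2, as an added example (not code from SLS or LoongCollector): it rewrites all three region-bearing fields together and refuses to return a configuration that still points somewhere else. The region-ID pattern and the function names are assumptions of this example, and `cn-hangzhou` is only a sample target.

```python
import copy
import re

# Constructed sample that mirrors the configuration file example on this page.
SAMPLE_CONFIG = {
    "primary_region": "cn-shanghai",
    "config_servers": ["http://logtail.cn-shanghai.log.aliyuncs.com"],
    "data_servers": [
        {"region": "cn-shanghai",
         "endpoint_list": ["cn-shanghai.log.aliyuncs.com"]},
    ],
    "cpu_usage_limit": 0.4,
    "mem_usage_limit": 384,
}

# Assumption: region IDs look like "cn-shanghai" or "ap-southeast-1". Rejecting
# anything else keeps dots, slashes and quotes out of the endpoint host names,
# which decide where the agent fetches configuration from and ships logs to.
REGION_ID = re.compile(r"[a-z]{2}(?:-[a-z0-9]+)+")


def region_label(region):
    """Regex matching `region` only as a complete host-name label."""
    return re.compile(
        r"(?<![A-Za-z0-9-])" + re.escape(region) + r"(?![A-Za-z0-9-])"
    )


def method1_strings(config):
    """Every string that the Method 1 bullets say must carry the region."""
    strings = [config["primary_region"], *config["config_servers"]]
    for server in config["data_servers"]:
        strings.append(server["region"])
        strings.extend(server["endpoint_list"])
    return strings


def retarget_region(config, new_region):
    """Return a copy of `config` with all Method 1 fields set to `new_region`."""
    if not REGION_ID.fullmatch(new_region):
        raise ValueError(f"not a plausible region ID: {new_region!r}")
    old = region_label(config["primary_region"])
    out = copy.deepcopy(config)  # never edit the caller's copy in place
    out["primary_region"] = new_region
    out["config_servers"] = [old.sub(new_region, u) for u in out["config_servers"]]
    for server in out["data_servers"]:
        server["region"] = old.sub(new_region, server["region"])
        server["endpoint_list"] = [
            old.sub(new_region, host) for host in server["endpoint_list"]
        ]
    # Fail closed: a half-converted file would send logs to two regions.
    new = region_label(new_region)
    missed = [s for s in method1_strings(out) if not new.search(s)]
    if missed:
        raise ValueError(f"still not pointing at {new_region}: {missed}")
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(retarget_region(SAMPLE_CONFIG, "cn-hangzhou"), indent=4))
```

Load the real file with `json.load`, pass the result through `retarget_region`, and write it back only while the agent is stopped, as in steps 1 and 3.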

How do I add a server to an existing machine group?

To add a new server (such as a new ECS instance or on-premises server) to an existing machine group so it inherits the collection configuration, follow these steps.

Prerequisites:

Procedure:

  1. View the target machine group ID:

    1. On the target project page, click Resources > Machine Groups in the navigation pane on the left.

    2. On the Machine Groups page, click the target machine group name.

    3. On the machine group configuration page, view the machine group ID.

  2. Perform the corresponding operation based on the ID type:

    Note

    A single machine group cannot contain both Linux and Windows servers. Do not configure the same custom ID on both Linux and Windows servers. A server can be configured with multiple custom IDs, separated by line feeds.

    • Type 1: Machine group ID is an IP address

      1. On the server, run the following command to open the app_info.json file and view the ip value.

        cat /usr/local/ilogtail/app_info.json
      2. On the target machine group configuration page, click Modify and enter the server's IP address. Separate multiple IP addresses with line feeds.

      3. After the configuration is complete, click Save and confirm the heartbeat status. After the heartbeat is OK, the server automatically applies the machine group's collection configuration.

        If the heartbeat status is FAIL, see the FAQ Machine group heartbeat is FAIL for further troubleshooting.
    • Type 2: Machine group ID is a custom ID

      Depending on the operating system, write the custom ID string that matches the target machine group to the specified file:

      If the directory does not exist, you must create it manually. The file path and name are fixed by SLS and cannot be customized.
      • Linux: Write the custom string to the /etc/ilogtail/user_defined_id file.

      • Windows: Write the custom string to C:\LogtailData\user_defined_id.

How do I import a collection configuration from another project?

After completing Preparations and Machine Group Configuration, import a collection configuration from an existing project into the current logstore to avoid repetitive setup.

Procedure:

  1. After you complete the machine group configuration, click Next to go to the Logtail Configuration page.

  2. Click Import Other Configuration in the upper-right corner of the page.

  3. Select the project to import from and the collection configuration under that project.

  4. Click OK. The system automatically loads the selected configuration.

  5. After you check that the imported configuration information is correct, click Next to go to the Query and Analysis Configurations page and complete the subsequent configuration.

How do I get a server's IP address to use as a machine group ID?

On a server where LoongCollector (Logtail) is installed, open the /usr/local/ilogtail/app_info.json file and view the ip value.

The server IP address automatically obtained by Logtail is recorded in the ip field of the app_info.json file.

Important
  • If there are multiple servers, enter their corresponding IP addresses manually. IP addresses must be separated by line feeds.

  • A single machine group cannot contain both Linux and Windows servers. Do not add the IP addresses of both Windows and Linux servers to the same machine group.

How can the same log file be collected by multiple collection configurations at the same time?

By default, each text log file can match only one Logtail configuration. To allow multiple configurations to collect the same file, enable multi-collection.

Procedure:

Important

When you collect multiple copies, the file read IO, computing resources, and network IO increase linearly.

  1. Log on to the Simple Log Service console and go to the target project.

  2. In the navigation pane on the left, choose Logstores and find the target logstore.

  3. Click the icon before its name to expand the logstore.

  4. Click Logtail Configuration. In the configuration list, find the target Logtail configuration and click Manage Logtail Configuration in the Actions column.

  5. On the Logtail configuration page, click Edit:

    • In Input Configurations > Other Input Configurations, enable Allow File to Be Collected for Multiple Times.

  6. After the configuration is complete, click Save.

Why is the last log entry reported after a long delay? Why is it sometimes truncated?

Cause: This usually occurs when a log file is missing a trailing line feed, or when a multiline log (such as an exception stack) has not been fully written. The agent cannot determine whether the log has ended, so the last content may be split prematurely or delayed. Different LoongCollector (Logtail) versions handle this differently:

  • Versions before 1.8:
    If the last line of a log does not have a line feed (carriage return), or if a multiline log paragraph is not finished, the agent waits for the next write to trigger an output. This can cause the last log entry to be held for a long time without being sent, until a new log is written.

  • Version 1.8 and later:
    A timeout refresh mechanism was introduced to prevent logs from getting stuck. When an incomplete log line is detected, the system starts a timer. After the timeout, it automatically submits the current content, which ensures the log is eventually collected.

    • Default timeout: 60 seconds (to ensure completeness in most use cases)

    • Adjust this value as needed, but do not set it to 0, as this may cause log truncation or partial content loss.

Solution:

Extend the waiting time to ensure the complete log is written before it is collected:

  1. Log on to the Simple Log Service console and go to the target project.

  2. In the navigation pane on the left, choose Logstores and find the target logstore.

  3. Click the icon before its name to expand the logstore.

  4. Click Logtail Configuration. In the configuration list, find the target Logtail configuration and click Manage Logtail Configuration in the Actions column.

  5. On the Logtail configuration page, click Edit:

    • In Input Configurations > Other Input Configurations > Advanced Parameters, add the following JSON configuration to customize the timeout:

      {
        "FlushTimeoutSecs": 1
      }
      • Default value: Determined by the startup parameter default_reader_flush_timeout (usually a few seconds).

      • Unit: Seconds.

      • Recommended value: ≥1 second. Do not set it to 0, as this may cause log truncation or partial content loss.

  6. After the configuration is complete, click Save.

Why does LoongCollector (Logtail) switch from an internal endpoint to the Internet during operation? Can it switch back automatically?

If LoongCollector (Logtail) detects a communication failure with the internal same-region endpoint (network failure or connection timeout), it automatically switches to the public endpoint to maintain log collection continuity.

  • LoongCollector: Automatically switches back to the internal network after it recovers.

  • Logtail: Does not switch back automatically. It must be manually restarted to resume internal network communication.

Appendix: Details of native processors

In the Processor Configurations section of the Logtail Configuration page, add processors to structure raw logs. To add a processing plugin to an existing configuration:

  1. In the navigation pane on the left, choose Logstores and find the target logstore.

  2. Click the icon before its name to expand the logstore.

  3. Click Logtail Configuration. In the configuration list, find the target Logtail configuration and click Manage Logtail Configuration in the Actions column.

  4. On the Logtail configuration page, click Edit.

This section introduces only commonly used processing plugins that cover common log processing use cases. For more features, see Extended processors.
Important

Rules for combining plugins (for LoongCollector / Logtail 2.0 and later):

  • Native and extended processors can be used independently or combined as needed.

  • Prioritize native processors because they offer better performance and stability.

  • When native features cannot meet your business needs, add extended processors after the configured native ones for supplementary processing.

Order constraint:

Plugins run sequentially in configured order, forming a processing chain. All native processors must precede any extended processors. After adding an extended processor, you cannot add more native processors.

Regular expression parsing

Extract log fields using a regular expression and parse the log into key-value pairs. Each field can be independently queried and analyzed.

Example:

Raw log without any processing:

127.0.0.1 - - [16/Aug/2024:14:37:52 +0800] "GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 41 "http://www.example.com/wp-admin/post-new.php?post_type=page" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"

Using the regular expression parsing plugin:

body_bytes_sent: 41
http_referer: http://www.example.com/wp-admin/post-new.php?post_type=page
http_user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0
remote_addr: 127.0.0.1
remote_user: -
request_method: GET
request_protocol: HTTP/1.1
request_uri: /wp-admin/admin-ajax.php?action=rest-nonce
status: 200
time_local: 16/Aug/2024:14:37:52 +0800

Procedure: In the Processor Configurations section of the Logtail Configuration page, click Add Processor and select Native Processor > Data Parsing (Regex Mode):

  • Regular Expression: The expression used to match logs. Generate it automatically or enter it manually:

    • Automatic generation:

      • Click Generate.

      • In the Log Sample, select the log content to extract.

      • Click Generate Regular Expression.

    • Manual entry: Manually Enter Regular Expression based on the log format.

    After configuration, click Validate to test whether the regular expression can correctly parse the log content.

  • Extracted Field: The field name (Key) that corresponds to the extracted log content (Value).

  • For other parameters, see the description of common configuration parameters in Use case 2: Structured logs.
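
One way to write the Regular Expression and Extracted Field pair for the sample above, as an added example that is not taken from the SLS documentation or product. The expression, the helper names and the second sample line are constructed here; Python's `re` stands in for the processor's regex engine.

```python
import re

# One capture group per entry in EXTRACTED_FIELDS, in the same order, which is
# how the Regular Expression and Extracted Field settings relate to each other.
REGEX = (
    r'(\S+) - (\S+) \[([^\]]+)\] '
    r'"([A-Z]+) (\S+) ([^"]+)" '
    r'(\d{3}) (\d+) "([^"]*)" "([^"]*)"'
)
EXTRACTED_FIELDS = [
    "remote_addr", "remote_user", "time_local",
    "request_method", "request_uri", "request_protocol",
    "status", "body_bytes_sent", "http_referer", "http_user_agent",
]
COMPILED = re.compile(REGEX)

# The raw log line shown in the example above.
SAMPLE_LINE = (
    '127.0.0.1 - - [16/Aug/2024:14:37:52 +0800] '
    '"GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1" 200 41 '
    '"http://www.example.com/wp-admin/post-new.php?post_type=page" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0"'
)
# Constructed line with a malformed request, to show what a non-match looks like.
MALFORMED_LINE = '198.51.100.7 - - [16/Aug/2024:14:38:01 +0800] "-" 400 0 "-" "-"'


def check_field_count():
    """A group/key mismatch silently shifts every value into the wrong field."""
    return COMPILED.groups == len(EXTRACTED_FIELDS)


def parse(line):
    """Return the key-value pairs for one line, or None if it does not match."""
    match = COMPILED.fullmatch(line)
    if match is None:
        return None
    return dict(zip(EXTRACTED_FIELDS, match.groups()))


def parse_all(lines):
    """Split lines into parsed records and raw lines that failed to parse."""
    parsed, unparsed = [], []
    for line in lines:
        record = parse(line)
        if record is None:
            unparsed.append(line)  # keep the raw text, do not drop it
        else:
            parsed.append(record)
    return parsed, unparsed


if __name__ == "__main__":
    records, rejects = parse_all([SAMPLE_LINE, MALFORMED_LINE])
    for key in sorted(records[0]):
        print(f"{key}: {records[0][key]}")
    print("unparsed lines:", len(rejects))
```

Lines that fail to match are often the malformed requests worth reviewing, so count them when validating an expression against real samples.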


Separator parsing

Structure log content using a separator to parse it into multiple key-value pairs. Both single-character and multi-character separators are supported.

Example:

Raw log without any processing:

05/May/2025:13:30:28,10.10.*.*,"POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1",200,18204,aliyun-sdk-java

Fields split by the specified character , :

ip:10.10.*.*
request:POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=****************&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=******************************** HTTP/1.1
size:18204
status:200
time:05/May/2025:13:30:28
user_agent:aliyun-sdk-java

Procedure: In the Processor Configurations section of the Logtail Configuration page, click Add Processor and select Native Processor > Data Parsing (Delimiter Mode):

  • Delimiter: Specifies the character used to split log content.

    Example: For a CSV file, select Custom and enter a comma (,).

  • Quote: If a field value contains the separator, you must enclose the field value in quotes to prevent incorrect splitting.

  • Extracted Field: Specify the field name (Key) for each column in the order that they appear. The rules are as follows:

    • Field names can contain only letters, digits, and underscores (_).

    • Must start with a letter or an underscore (_).

    • Maximum length: 128 bytes.

  • For other parameters, see the description of common configuration parameters in Use case 2: Structured logs.


Standard JSON parsing

Structure an Object-type JSON log by parsing it into key-value pairs.

Example:

Raw log without any processing:

{"url": "POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=U0Ujpek********&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=pD12XYLmGxKQ%2Bmkd6x7hAgQ7b1c%3D HTTP/1.1", "ip": "10.200.98.220", "user-agent": "aliyun-sdk-java", "request": {"status": "200", "latency": "18204"}, "time": "05/Jan/2025:13:30:28"}

Automatic extraction of standard JSON key-value pairs:

ip: 10.200.98.220
request: {"status": "200", "latency" : "18204" }
time: 05/Jan/2025:13:30:28
url: POST /PutData?Category=YunOsAccountOpLog&AccessKeyId=U0Ujpek******&Date=Fri%2C%2028%20Jun%202013%2006%3A53%3A30%20GMT&Topic=raw&Signature=pD12XYLmGxKQ%2Bmkd6x7hAgQ7b1c%3D HTTP/1.1
user-agent:aliyun-sdk-java

Procedure: In the Processor Configurations section of the Logtail Configuration page, click Add Processor and select Native Processor > Data Parsing (JSON Mode):

  • Original Field: The field that contains the raw log to be parsed. The default value is content.

  • For other parameters, see the description of common configuration parameters in Use case 2: Structured logs.


Nested JSON parsing

Parse a nested JSON log into key-value pairs by specifying the expansion depth.

Example:

Raw log without any processing:

{"s_key":{"k1":{"k2":{"k3":{"k4":{"k51":"51","k52":"52"},"k41":"41"}}}}}

Expansion depth: 0, using expansion depth as a prefix:

0_s_key_k1_k2_k3_k41:41
0_s_key_k1_k2_k3_k4_k51:51
0_s_key_k1_k2_k3_k4_k52:52

Expansion depth: 1, using expansion depth as a prefix:

1_s_key:{"k1":{"k2":{"k3":{"k4":{"k51":"51","k52":"52"},"k41":"41"}}}}

Procedure: In the Processor Configurations section of the Logtail Configuration page, click Add Processor and select Extended Processor > Expand JSON Field:

  • Original Field: Specifies the name of the source field to expand, such as content.

  • JSON Expansion Depth: The expansion depth of the JSON object, where 0 (the default) indicates full expansion, 1 indicates expansion of the current level, and so on.

  • Character to Concatenate Expanded Keys: The separator for field names when a JSON object is expanded. The default value is an underscore (_).

  • Name Prefix of Expanded Keys: The prefix for field names after JSON expansion.

  • Expand Array: Expands an array into key-value pairs with indexes.

    Example: {"k":["a","b"]} is expanded to {"k[0]":"a","k[1]":"b"}.

    To rename the expanded fields (for example, from prefix_s_key_k1 to new_field_name), add a rename fields plugin afterward to complete the mapping.
  • For other parameters, see the description of common configuration parameters in Use case 2: Structured logs.
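
The expansion rules above, re-implemented as an added example so the depth, separator, prefix and array settings can be tried on sample data before a configuration is saved. This is not the processor's own code: the function name and the collision check are assumptions of this example, and the prefixes `0_` and `1_` are passed in to reproduce the outputs shown earlier.

```python
import json


def expand_json(content, depth=0, sep="_", prefix="", expand_array=False):
    """Flatten the JSON object in `content` into {expanded key: string value}.

    depth=0 expands fully; depth=N stops after N levels, and whatever is left
    below that level is kept as compact JSON text.
    """
    out = {}

    def emit(key, value):
        name = prefix + key
        if name in out:
            # {"a_b": 1, "a": {"b": 2}} flattens to "a_b" twice when sep is "_".
            # What the real processor does in that case is not stated on this
            # page, so this example refuses instead of picking a winner.
            raise ValueError(f"expanded key collision on {name!r}")
        if isinstance(value, str):
            out[name] = value
        else:
            out[name] = json.dumps(value, separators=(",", ":"), ensure_ascii=False)

    def walk(node, key, level):
        descend = depth == 0 or level < depth
        if descend and isinstance(node, dict) and node:
            for child_key, child in node.items():
                joined = f"{key}{sep}{child_key}" if key else child_key
                walk(child, joined, level + 1)
        elif descend and expand_array and isinstance(node, list) and node:
            for index, child in enumerate(node):
                walk(child, f"{key}[{index}]", level + 1)
        else:
            emit(key, node)

    root = json.loads(content)
    if not isinstance(root, dict):
        raise ValueError("the original field must hold a JSON object")
    if root:
        walk(root, "", 0)
    return out


# The raw log from the example above.
SAMPLE = '{"s_key":{"k1":{"k2":{"k3":{"k4":{"k51":"51","k52":"52"},"k41":"41"}}}}}'

if __name__ == "__main__":
    for d in (0, 1):
        print(f"depth {d}:")
        for key, value in sorted(expand_json(SAMPLE, depth=d, prefix=f"{d}_").items()):
            print(f"  {key}:{value}")
    print(expand_json('{"k":["a","b"]}', expand_array=True))
```

If keys in your logs can contain the concatenation character, pick a different one so that two distinct paths cannot expand to the same field name.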


JSON array parsing

Use the json_extract function to extract JSON objects from a JSON array.

Example:

Raw log without any processing:

[{"key1":"value1"},{"key2":"value2"}]

Extract JSON array structure:

json1:{"key1":"value1"}
json2:{"key2":"value2"}

Procedure: In the Processor Configurations section of the Logtail Configuration page, switch the Processing Mode to SPL, configure the SPL Statement, and use the json_extract function to extract JSON objects from the JSON array.

Example: Extract elements from the JSON array in the log field content and store the results in new fields json1 and json2.

* | extend json1 = json_extract(content, '$[0]'), json2 = json_extract(content, '$[1]')

Apache log parsing

Structure the log content into multiple key-value pairs based on the definition in the Apache log configuration file.

Example:

Raw log without any processing:

192.168.1.10 - - [08/May/2024:15:30:28 +0800] "GET /index.html HTTP/1.1" 200 1234 "https://www.example.com/referrer" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.X.X Safari/537.36"

Apache Common Log Format combined parsing:

http_referer:https://www.example.com/referrer
http_user_agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.X.X Safari/537.36
remote_addr:192.168.1.10
remote_ident:-
remote_user:-
request_method:GET
request_protocol:HTTP/1.1
request_uri:/index.html
response_size_bytes:1234
status:200
time_local:[08/May/2024:15:30:28 +0800]

Procedure: In the Processor Configurations section of the Logtail Configuration page, click Add Processor and select Native Processor > Data Parsing (Apache Mode):

  • The Log Format is combined.

  • The APACHE LogFormat Configuration is automatically populated based on the Log Format.

    Important

    Make sure to verify the auto-filled content to ensure it is exactly the same as the LogFormat defined in your server's Apache configuration file (usually located at /etc/apache2/apache2.conf).

  • For other parameters, see the description of common configuration parameters in Use case 2: Structured logs.


IIS log parsing

Structure the log content into multiple key-value pairs based on the IIS log format definition.

Comparison example:

Raw log:

#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

Adaptation for Microsoft IIS server-specific format:

c-ip: cs-username
cs-bytes: sc-substatus
cs-method: cs-method
cs-uri-query: cs-uri-query
cs-uri-stem: cs-uri-stem
cs-username: s-port
date: #Fields:
s-computername: s-sitename
s-ip: s-ip
s-sitename: time
sc-bytes: sc-status
sc-status: c-ip
sc-win32-status: cs(User-Agent)
time: date
time-taken: sc-win32-status

Procedure: In the Processor Configurations section of the Logtail Configuration page, click Add Processor and select Native Processor > Data Parsing (IIS Mode):

  • Log Format: Select the log format for your IIS server.

    • IIS: The log file format for Microsoft Internet Information Services.

    • NCSA: Common Log Format.

    • W3C: The W3C Extended Log File Format.

  • IIS Configuration Fields: When you select IIS or NCSA, SLS uses the default IIS configuration fields. When you select W3C, you must set the fields to the value of the logExtFileFlags parameter in your IIS configuration file. For example:

    logExtFileFlags="Date, Time, ClientIP, UserName, SiteName, ComputerName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, BytesSent, BytesRecv, TimeTaken, ServerPort, UserAgent, Cookie, Referer, ProtocolVersion, Host, HttpSubStatus"
  • For other parameters, see the description of common configuration parameters in Use case 2: Structured logs.


Data masking

Mask sensitive data in logs.

Example:

Raw log without any processing:

[{'account':'1812213231432969','password':'04a23f38'}, {'account':'1812213685634','password':'123a'}]

Masking result:

[{'account':'1812213231432969','password':'********'}, {'account':'1812213685634','password':'********'}]

Procedure: In the Processor Configurations section of the Logtail Configuration page, click Add Processor and select Native Processor > Data Masking:

  • Original Field: The field that contains the log content before parsing.

  • Data Masking Method:

    • const: Replaces sensitive content with a constant string.

    • md5: Replaces sensitive content with its MD5 hash.

  • Replacement String: If Data Masking Method is set to const, enter a string to replace the sensitive content.

  • Content Expression that Precedes Replaced Content: The expression used to find sensitive content, which is configured using RE2 syntax.

  • Content Expression to Match Replaced Content: The regular expression used to match sensitive content. The expression must be written in RE2 syntax.
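
How the two expressions and the masking method work together on the sample above, as an added example rather than the processor's own code. The function name and both expressions are assumptions chosen for this sample, and Python's `re` stands in for RE2 (the patterns used are valid in both).

```python
import hashlib
import re

# The raw log from the example above.
SAMPLE = (
    "[{'account':'1812213231432969','password':'04a23f38'}, "
    "{'account':'1812213685634','password':'123a'}]"
)

PRECEDE_EXPR = r"'password':'"  # text that comes right before the secret
MATCH_EXPR = r"[^']*"           # the secret itself: everything up to the closing quote


def mask(content, precede_expr, match_expr, method="const", replacement="********"):
    """Replace whatever `match_expr` matches directly after `precede_expr`."""
    if method not in ("const", "md5"):
        raise ValueError(f"unknown masking method: {method!r}")
    pattern = re.compile(f"(?P<pre>{precede_expr})(?P<val>{match_expr})")

    def substitute(match):
        if method == "const":
            masked = replacement
        else:
            # Unsalted and deterministic: equal values give equal digests, which
            # allows correlation but leaves short or common values guessable.
            # For credentials, const is the safer method.
            masked = hashlib.md5(match.group("val").encode("utf-8")).hexdigest()
        return match.group("pre") + masked

    return pattern.sub(substitute, content)


def leaks(masked_content, secrets):
    """Return the secrets that are still present after masking."""
    return [secret for secret in secrets if secret in masked_content]


if __name__ == "__main__":
    print(mask(SAMPLE, PRECEDE_EXPR, MATCH_EXPR))
    print(mask(SAMPLE, PRECEDE_EXPR, MATCH_EXPR, method="md5"))
    # A greedy match expression swallows the rest of the line, including the
    # second record, so the output is masked but no longer usable:
    print(mask(SAMPLE, PRECEDE_EXPR, r".*"))
```

Run `leaks` with the known secrets from your sample logs after every change to the expressions; a preceding expression that is off by one character masks nothing and reports no error.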


Time parsing

Parse the time field in the log and set the parsing result as the log's __time__ field.

Example:

Raw log without any processing:

{"level":"INFO","timestamp":"2025-09-23T19:11:47+0800","cluster":"yilu-cluster-0728","message":"User logged in successfully","userId":"user-123"}

Time parsing:

[image: time parsing result]

Procedure: In the Processor Configurations section of the Logtail Configuration page, click Add Processor and select Native Processor > Time Parsing:

  • Original Field: The field that contains the log content before parsing.

  • Time Format: Set the time format that corresponds to the timestamps in the log.

  • Time Zone: Select the time zone for the log time field. By default, this is the time zone of the environment where the LoongCollector (Logtail) process is running.

Appendix: Permission policy reference

Alibaba Cloud account logon: Has full permissions by default.

RAM user logon: The Alibaba Cloud account must grant the required access policies to the RAM user.

Custom permission policies (fine-grained control)

If system policies do not meet the principle of least privilege, create custom policies for fine-grained authorization. Example policy with the following permissions:

  • View projects: View the project list and the details of a specified project.

  • Manage logstores: Create, modify, or delete logstores under a project.

  • Manage collection configuration: Create, delete, and modify collection configurations.

  • View logs: Query and analyze data in a specified logstore under a specified project.

Replace ${regionName}, ${uid}, ${projectName}, and ${logstoreName} with the actual region name, Alibaba Cloud account ID, target project, and logstore.

Example policy

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "log:ListProject",
        "log:GetAcceleration",
        "log:ListDomains",
        "log:GetLogging",
        "log:ListTagResources"
      ],
      "Resource": "acs:log:${regionName}:${uid}:project/*"
    },
    {
      "Effect": "Allow",
      "Action": "log:GetProject",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:ListLogStores",
        "log:*LogStore",
        "log:*Index",
        "log:ListShards",
        "log:GetCursorOrData",
        "log:GetLogStoreHistogram",
        "log:GetLogStoreContextLogs",
        "log:PostLogStoreLogs"
      ],
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/*"
    },
    {
      "Effect": "Allow",
      "Action": "log:*",
      "Resource": [
        "acs:log:${regionName}:${uid}:project/${projectName}/logtailconfig/*",
        "acs:log:${regionName}:${uid}:project/${projectName}/machinegroup/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "log:ListSavedSearch",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/savedsearch/*"
    },
    {
      "Effect": "Allow",
      "Action": "log:ListDashboard",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/dashboard/*"
    },
    {
      "Effect": "Allow",
      "Action": "log:GetLogStoreLogs",
      "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName}"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeTagKeys",
        "ecs:DescribeTags",
        "ecs:DescribeInstances",
        "ecs:DescribeInvocationResults",
        "ecs:RunCommand",
        "ecs:DescribeInvocations",
        "ecs:InvokeCommand"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oos:ListTemplates",
        "oos:StartExecution",
        "oos:ListExecutions",
        "oos:GetExecutionTemplate",
        "oos:ListExecutionLogs",
        "oos:ListTaskExecutions"
      ],
      "Resource": "*"
    }
  ]
}

Permission: Read-only Project

  • Action: GetAcceleration, GetLogging, ListProject, ListDomains, ListTagResources

  • Resource: acs:log:${regionName}:${uid}:project/*

Permission: Get a specified project

  • Action: GetProject

  • Resource: acs:log:${regionName}:${uid}:project/${projectName}

Permission: Manage logstores

  • Action: ListLogStores, *LogStore, *Index, ListShards, GetCursorOrData, GetLogStoreHistogram, GetLogStoreContextLogs, PostLogStoreLogs

  • Resource: acs:log:${regionName}:${uid}:project/${projectName}/*

Permission: Manage LoongCollector (Logtail) data import

  • Action: *

  • Resource: acs:log:${regionName}:${uid}:project/${projectName}/logtailconfig/* and acs:log:${regionName}:${uid}:project/${projectName}/machinegroup/*

Permission: Query saved searches

  • Action: ListSavedSearch

  • Resource: acs:log:${regionName}:${uid}:project/${projectName}/savedsearch/*

Permission: Query dashboards

  • Action: ListDashboard

  • Resource: acs:log:${regionName}:${uid}:project/${projectName}/dashboard/*

Permission: Query logs in a specified logstore

  • Action: GetLogStoreLogs

  • Resource: acs:log:${regionName}:${uid}:project/${projectName}/logstore/${logstoreName}

Permission: Permissions to operate ECS

  • Action: DescribeTagKeys, DescribeTags, DescribeInstances, DescribeInvocationResults, RunCommand, DescribeInvocations, InvokeCommand

  • Resource: *

Permission: Permissions to operate OOS (Optional)

Required only when LoongCollector (Logtail) is automatically installed via OOS in the same account and region as the SLS and ECS instance.

  • Action: ListTemplates, StartExecution, ListExecutions, GetExecutionTemplate, ListExecutionLogs, ListTaskExecutions

  • Resource: *
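
A pre-attachment check for the custom policy, as an added example that is not part of the SLS documentation: it fills the four placeholders with validated values and lists the statements a reviewer should look at before granting them. The embedded policy is a constructed subset of the example policy above; the function names, finding codes, value pattern and sample values are assumptions of this example.

```python
import copy
import re
from string import Template

# Constructed subset of the example policy on this page (four of its statements).
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "log:GetProject",
         "Resource": "acs:log:${regionName}:${uid}:project/${projectName}"},
        {"Effect": "Allow",
         "Action": ["log:ListLogStores", "log:*LogStore", "log:PostLogStoreLogs"],
         "Resource": "acs:log:${regionName}:${uid}:project/${projectName}/*"},
        {"Effect": "Allow", "Action": "log:*",
         "Resource": [
             "acs:log:${regionName}:${uid}:project/${projectName}/logtailconfig/*",
             "acs:log:${regionName}:${uid}:project/${projectName}/machinegroup/*"]},
        {"Effect": "Allow",
         "Action": ["ecs:DescribeInstances", "ecs:RunCommand", "ecs:InvokeCommand"],
         "Resource": "*"},
    ],
}

# Constructed sample values; replace them with your own.
SAMPLE_VALUES = {"regionName": "cn-shanghai", "uid": "1234567890123456",
                 "projectName": "example-project", "logstoreName": "example-logstore"}

# Assumption: names use letters, digits, "_" and "-". Refusing "*", "/" and ":"
# stops a substituted value from widening the resource it is meant to narrow.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]+")

# Actions from the example policy that start command or template execution.
EXECUTION_ACTIONS = {"ecs:RunCommand", "ecs:InvokeCommand", "oos:StartExecution"}


def as_list(value):
    """The policy uses both a single string and a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def render(policy, values):
    """Return a copy of `policy` with the ${...} placeholders in Resource filled in."""
    for name, value in values.items():
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"unsafe value for {name}: {value!r}")
    rendered = copy.deepcopy(policy)
    for statement in rendered["Statement"]:
        statement["Resource"] = [Template(resource).safe_substitute(values)
                                 for resource in as_list(statement["Resource"])]
    return rendered


def audit(policy):
    """Return (statement index, finding code, subject) for each Allow statement issue."""
    findings = []
    for index, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        resources = as_list(statement["Resource"])
        for resource in resources:
            if "${" in resource:
                findings.append((index, "UNRESOLVED_PLACEHOLDER", resource))
            if resource == "*":
                findings.append((index, "ANY_RESOURCE", resource))
        for action in as_list(statement["Action"]):
            if "*" in action:
                findings.append((index, "WILDCARD_ACTION", action))
            if action in EXECUTION_ACTIONS and "*" in resources:
                findings.append((index, "EXECUTION_ON_ANY_RESOURCE", action))
    return findings


if __name__ == "__main__":
    for finding in audit(render(SAMPLE_POLICY, SAMPLE_VALUES)):
        print(finding)
```

A finding is a prompt for review, not a verdict: the wildcard on logtailconfig and machinegroup is scoped to one project, while the ECS statement applies to every instance in the account.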

System permission policies

If you use system-defined policies, add the following permissions:

  • AliyunLogFullAccess: Permission to manage SLS.

  • AliyunECSFullAccess: Permission to manage ECS.

  • (Optional) AliyunOOSFullAccess: Required when LoongCollector (Logtail) is installed with one click using OOS.

More information

Global Configurations

Parameter

Description

Configuration Name

The name of the LoongCollector (Logtail) configuration. It must be unique within its project. The name cannot be changed after creation.

Log Topic Type

Select the method for generating the topic. The options are Machine Group Topic, File Path Extraction, and Custom.

Advanced Parameters

Optional advanced parameters for the global configuration. See CreateLogtailPipelineConfig.

Input Configurations

Parameter

Description

File Path

Set the log directory and filename based on the log's location on the host (such as an ECS instance):

Both directory and filenames support full and wildcard modes. For filename rules, see Wildcard matching. The only supported wildcard characters for log paths are the asterisk (*) and the question mark (?).

Log file search uses multilayer directory matching — all files meeting the criteria in the specified directory and its subdirectories are matched. For example:

  • /apsara/nuwa/**/*.log indicates files with the .log extension in the /apsara/nuwa directory and its subdirectories.

  • /var/logs/app_*/**/*.log indicates files with the .log extension in all directories that match the app_* format under the /var/logs directory and their subdirectories.

  • /var/log/nginx/**/access* indicates files that start with access in the /var/log/nginx directory and its subdirectories.

Maximum Directory Monitoring Depth

Set the maximum depth to which log directories are monitored. This is the maximum directory depth that the wildcard character ** in the File Path can match. A value of 0 means only the current directory is monitored.

File Encoding

Select the encoding format of the log file.

First Collection Size

When the configuration first takes effect, this sets the starting collection position relative to the end of the matched file. The initial collection size is set to 1,024 KB.

  • During initial collection, if the file is smaller than 1,024 KB, collection starts from the beginning of the file content.

  • During initial collection, if the file is larger than 1,024 KB, collection starts from 1,024 KB before the end of the file.

The value can range from 0 to 10,485,760 KB.

Collection Blacklist

After you enable the Collection Blacklist switch, configure a blacklist to ignore specified directories or files during collection. Full and wildcard matching for directories and filenames are supported. The only supported wildcard characters are the asterisk (*) and the question mark (?).

Important
  • If you use a wildcard character when configuring the File Path but need to filter out some of those paths, you must enter the corresponding full path in the Collection Blacklist to ensure the blacklist configuration takes effect.

    For example, if you set the File Path to /home/admin/app*/log/*.log but want to filter all subdirectories under the /home/admin/app1* directory, you must select Directory Blacklist and configure the directory as /home/admin/app1*/**. If you configure it as /home/admin/app1*, the blacklist will not take effect.

  • Matching against a blacklist has a computational overhead. Keep the number of blacklist entries under 10.

  • The directory path cannot end with a forward slash (/). For example, if you set the path to /home/admin/dir1/, the directory blacklist will not take effect.

Set a file path blacklist, file blacklist, or directory blacklist as needed. The details are as follows:

File Path Blacklist

  • Select File Path Blacklist and configure the path as /home/admin/private*.log. This ignores all files in the /home/admin/ directory that start with private and end with .log.

  • Select File Path Blacklist and configure the path as /home/admin/private*/*_inner.log. This ignores files that end with _inner.log within directories that start with private under the /home/admin/ directory. For example, the /home/admin/private/app_inner.log file is ignored, while the /home/admin/private/app.log file is collected.

File Blacklist

Select File Blacklist and configure the filename as app_inner.log. This ignores all files named app_inner.log during collection.

Directory Blacklist

  • Select Directory Blacklist and configure the directory as /home/admin/dir1. This ignores all files in the /home/admin/dir1 directory during collection.

  • Select Directory Blacklist and configure the directory as /home/admin/dir*. This ignores files in all subdirectories that start with dir under the /home/admin/ directory.

  • Select Directory Blacklist and configure the directory as /home/admin/*/dir. This ignores all files in subdirectories named dir at the second level of the /home/admin/ directory. For example, files in the /home/admin/a/dir directory are ignored, but files in the /home/admin/a/b/dir directory are collected.

Allow File to Be Collected for Multiple Times

By default, a log file can only match one LoongCollector (Logtail) configuration. If the logs in a file need to be collected multiple times, you must enable the Allow File to Be Collected for Multiple Times switch.

Advanced Parameters

Optional advanced parameters for the file input plugin. See CreateLogtailPipelineConfig.

Processor Configurations

Parameter

Description

Log Sample

A sample of the log to be collected. Be sure to use a log from your actual use case. The log sample helps you configure log processing parameters and simplifies the configuration. Multiple samples can be added, with a total length not exceeding 1,500 characters.

[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened
    at TestPrintStackTrace.f(TestPrintStackTrace.java:3)
    at TestPrintStackTrace.g(TestPrintStackTrace.java:7)
    at TestPrintStackTrace.main(TestPrintStackTrace.java:16)

Multi-line Mode

  • Type of multiline log: A multiline log spans several consecutive lines, so each log entry must be identified from its content.

    • Custom: Distinguish each log using a Regex to Match First Line.

    • Multi-line JSON: Each JSON object is expanded into multiple lines, for example:

      {
        "name": "John Doe",
        "age": 30,
        "address": {
          "city": "New York",
          "country": "USA"
        }
      }
  • Processing Method If Splitting Fails:

    Exception in thread "main" java.lang.NullPointerException
        at com.example.MyClass.methodA(MyClass.java:12)
        at com.example.MyClass.methodB(MyClass.java:34)
        at com.example.MyClass.main(MyClass.java:½0)

    For the log content above, if SLS fails to split it:

    • Discard: Discard this log segment directly.

    • Retain Single Line: Retain each line of log text as a separate log, resulting in four logs in total.
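The Custom mode and the two fallback options can be tried offline with the sketch below. It is an added example, not the collector's implementation: the function name, the "discard" and "single_line" labels, the first-line regex and the sample lines are constructed here, and it assumes the regex must match the entire first line.

```python
import re


def split_multiline(lines, first_line_regex, unmatched="single_line"):
    """Group lines into log entries.

    A line fully matching first_line_regex opens a new entry and the lines
    after it are appended to that entry. Lines seen before any first line
    matched could not be split: they are dropped ("discard") or each kept
    as its own entry ("single_line").
    """
    if unmatched not in ("discard", "single_line"):
        raise ValueError("unmatched must be 'discard' or 'single_line'")
    first = re.compile(first_line_regex)
    entries, current = [], None
    for line in lines:
        if first.fullmatch(line):
            if current is not None:
                entries.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
        elif unmatched == "single_line":
            entries.append(line)
    if current is not None:
        entries.append("\n".join(current))
    return entries


# Constructed first-line regex for the "[timestamp] [LEVEL] message" layout.
FIRST_LINE = r"\[\d{4}-\d{2}-\d{2}T[\d:,]+\] \[\w+\] .*"

# Constructed sample: a stack trace with no timestamp line, then a complete entry.
ORPHAN = [
    'Exception in thread "main" java.lang.IllegalStateException',
    "    at com.example.Job.load(Job.java:12)",
    "    at com.example.Job.run(Job.java:34)",
    "    at com.example.Job.main(Job.java:56)",
]
ENTRY = [
    "[2023-10-01T10:30:01,000] [INFO] java.lang.Exception: exception happened",
    "    at TestPrintStackTrace.f(TestPrintStackTrace.java:3)",
    "    at TestPrintStackTrace.g(TestPrintStackTrace.java:7)",
    "    at TestPrintStackTrace.main(TestPrintStackTrace.java:16)",
]

if __name__ == "__main__":
    for mode in ("discard", "single_line"):
        print(mode, len(split_multiline(ORPHAN + ENTRY, FIRST_LINE, mode)))
```

With Discard, the stack trace that lacks a first line disappears from the logstore entirely, which matters if those traces are what you alert on.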

Processing Method

Processors are either Native Processors or Extended Processors. See Usage notes for native and extended processors.

Important

Processing plugin limits are shown on the console page.

  • Logtail 2.0:

    • Native processors can be combined in any way.

    • Native and extended processors can be used at the same time, but extended processors can only appear after all native processors.

  • Logtail versions earlier than 2.0:

    • Adding both native and extended processors at the same time is not supported.

    • Native processors can only be used to collect text logs. When using native processors, the following requirements must be met:

      • The first processing plugin must be a regular expression parsing plugin, separator mode parsing plugin, JSON parsing plugin, Data Parsing (NGINX Mode) plugin, Apache pattern parsing plugin, or IIS pattern parsing plugin.

      • From the second to the last processing plugin, you can include at most one time parsing plugin, one Data Filtering plugin, and multiple masking plugins.

    • For the Retain Original Field if Parsing Fails and Retain Original Field if Parsing Succeeds parameters, only the following combinations are valid. Other combinations are invalid.

      • Upload only successfully parsed logs:


      • Upload parsed logs on success, and upload raw logs on failure:


      • On successful parsing, upload the parsed log and also append the raw log field. On failure, upload the raw log.

        For example, if the raw log "content": "{"request_method":"GET", "request_time":"200"}" is parsed successfully, appending the raw field adds another field to the parsed log. The field name is New Name of Original Field (if not filled, it defaults to the source field name), and the field value is the raw log {"request_method":"GET", "request_time":"200"}.
