Contact UsGet started

Visualizing logs in Grafana using the Yandex Cloud Logging plugin

Written by
Updated at May 7, 2025

The Yandex Cloud Logging plugin for Grafana is an extension for Grafana that allows you to add Cloud Logging as a data source.

To visualize logs:

  1. Install the plugin.
  2. Create a service account.
  3. Create an authorized key for the service account.
  4. Create a log group.
  5. Add records to a log group.
  6. Connect a data source in Grafana.
  7. View the logs in Grafana.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of resources includes a fee for logging operations and log storage in a log group (see Yandex Cloud Logging pricing).

Install the plugin

  1. Download the archive with the latest plugin version.

  2. Unpack the archive to the directory with plugins. The path to the directory with plugins is specified in the Grafana configuration.

    unzip <path_to_archive> -d <path_to_plugin_directory>

    Note

    If using macOS, after you unpack the plugin archive manually run the /opt/homebrew/var/lib/grafana/plugins/yandexcloud-logging-datasource/yc-logs-plugin_darwin_arm64 file and allow launching third party applications in the system settings.

  3. Allow loading an unsigned plugin. To do this, specify the plugin name in the allow_loading_unsigned_plugins parameter of the Grafana configuration file:

    allow_loading_unsigned_plugins = yandexcloud-logging-datasource

    For more information about loading unsigned plugins, see the Grafana documentation.

  4. Restart the Grafana server:

    sudo systemctl restart grafana-server
    1. Click Win+R.
    2. In the window that opens, enter services.msc and click OK.
    3. Right-click the line with Grafana and select Restart.
    brew services restart grafana

Create a service account

  1. In the management console, select the folder where you want to create a service account.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Enter a name for the service account: grafana-plugin.
  5. Click Add role and select the logging.reader role.
  6. Click Create.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Create a service account named grafana-plugin:

    yc iam service-account create --name grafana-plugin

    Result:

    id: nfersamh4s**********
folder_id: b1gc1t4cb6**********
created_at: "2023-09-26T10:36:29.726397755Z"
name: grafana-plugin

    Save the ID of the grafana-plugin service account (id) and the ID of the folder where it was created (folder_id).

  2. Assign the service account the logging.reader role for the folder:

    yc resource-manager folder add-access-binding <folder_ID> \
  --role logging.reader \
  --subject serviceAccount:<service_account_ID>

    Result:

    done (1s)

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the service account parameters:

    resource "yandex_iam_service_account" "grafana-plugin" {
  name        = "grafana-plugin"
  folder_id   = "<folder_ID>"
}

resource "yandex_resourcemanager_folder_iam_member" "reader" {
  folder_id = "<folder_ID>"
  role      = "logging.reader"
  member    = "serviceAccount:${yandex_iam_service_account.grafana-plugin id}"
}

    Where:

    • name: Service account name. This is a required parameter.
    • folder_id: Folder ID. This is an optional parameter. By default, the value specified in the provider settings is used.
    • role: Role you want to assign.

    For more information about the yandex_iam_service_account resource parameters in Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration is specified correctly, the terminal will display information about the service account. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

  4. If the configuration does not contain any errors, run this command:

    terraform apply

  5. Confirm creating the service account: type yes in the terminal and press Enter.

    The service account will then be created. You can check the new service account using the management console or this CLI command:

    yc iam service-account list

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the logging.reader role for the folder to the service account, use the setAccessBindings method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

Create an authorized key for a service account

  1. In the management console, select the folder the service account belongs to.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts.
  4. In the list that opens, select the grafana-plugin service account.
  5. Click Create new key in the top panel.
  6. Select Create authorized key.
  7. Select the encryption algorithm.
  8. Enter a description of the key so that you can easily find it in the management console.
  9. Click Create.
  10. In the window that opens, click Download file with keys.
  11. Click Close.

Create authorized keys for the grafana-plugin service account:

yc iam key create --service-account-name grafana-plugin -o authorized_key.json

If successful, a private key (privateKey) and a public key ID (id) will be written to the authorized_key.json file.

Key file example:

{
   "id": "lfkoe35hsk**********",
   "service_account_id": "ajepg0mjt0**********",
   "created_at": "2023-10-10T10:04:56Z",
   "key_algorithm": "RSA_2048",
   "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
   "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}

  1. In the configuration file, describe the parameters of the resources you want to create:

    • service_account_id: Service account ID. This is a required parameter.
    • description: Key description. This is an optional parameter.
    • key_algorithm: Key generation algorithm. This is an optional parameter. The default algorithm is RSA_2048. For more information about the acceptable parameter values, see the API documentation.

    Here is an example of the configuration file structure:

    resource "yandex_iam_service_account_key" "sa-auth-key" {
  service_account_id = "<service_account_ID>"
  description        = "<key_description>"
  key_algorithm      = "<key_generation_algorithm>"
}

    For more information about the resources you can create with Terraform, see the provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources: type yes in the terminal and press Enter.

      All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console and this CLI command:

      yc iam key list --service-account-id <service_account_ID>

To create an access key, use the create REST API method for the Key resource or the KeyService/Create gRPC API call.

Example of request using cURL for the create REST API method:

curl --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{"serviceAccountId": "<service_account_ID>"}' \
  https://iam.api.cloud.yandex.net/iam/v1/keys

Where:

  • <IAM_token>: IAM token of the user with permissions to create keys for the specified service account.
  • <service_account_id>: ID of the service account for which the keys are created.

If successful, the server response will contain the private key (privateKey) and public key ID (id). Save this data. You will not be able to get the key value again.

Sample server response:

{
    "key": {
        "createdAt": "2023-10-10T10:55:00+00:00",
        "description": "",
        "id": "lfkoe35hsk**********",
        "keyAlgorithm": "RSA_2048",
        "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
        "serviceAccountId": "ajepg0mjt0**********"
    },
    "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}

Create a log group

  1. In the management console, select the folder where you created the grafana-plugin service account.
  2. Select Cloud Logging.
  3. Click Create group.
  4. Enter grafana-plugin as the log group name.
  5. Set the log group record retention period.
  6. Click Create group.

To create a log group, run this command:

yc logging group create \
  --name=grafana-plugin \
  --retention-period=<retention_period> \

Where:

  • --name: Log group name.
  • --retention-period: Log group record retention period.

Result:

done (1s)
id: af3flf29t8**********
folder_id: aoek6qrs8t**********
cloud_id: aoegtvhtp8**********
created_at: "2023-09-26T09:56:38.970Z"
name: grafana-plugin
status: ACTIVE
retention_period: 3600s

  1. In the configuration file, describe the log group parameters:

    provider "yandex" {
  token     = "<OAuth_token>"
  cloud_id  = "<cloud_ID>"
  folder_id = "<folder_ID>"
  zone      = "ru-central1-a"
}

resource "yandex_logging_group" "grafana-plugin" {
  name             = "grafana-plugin"
  folder_id        = "<folder_ID>"
  retention_period = "1h"
}

    Where:

    • name: Log group name.
    • folder_id: Folder ID.
    • retention_period: Log group record retention period.

    For more information about the yandex_logging_group resource parameters in Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, go to the folder where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  3. Deploy cloud resources.

  4. If the configuration does not contain any errors, run this command:

    terraform apply

  5. Confirm creating the resources: type yes in the terminal and press Enter.

    All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console or this CLI command:

    yc logging group list

To create a log group, use the create REST API method for the LogGroup resource or the LogGroupService/Create gRPC API call.

Add records to the log group

To add records to a log group, run this command:

  • Linux, macOS:

    yc logging write \
  --group-name=grafana-plugin \
  --message="My message" \
  --level=INFO

  • Windows (cmd):

    yc logging write ^
  --group-name=grafana-plugin ^
  --message="My message" ^
  --level=INFO

  • Windows (PowerShell):

    yc logging write `
  --group-name=grafana-plugin `
  --message="My message" `
  --level=INFO

    Where:

    • --group-name: Name of the log group to add records to.
    • --message: Message.
    • --level: Logging level.

Note

You can skip the --group-name and --message flags and specify only the parameter values, e.g., grafana-plugin "My message".

To add records to the log group, use the LogIngestionService/Write gRPC API call.

Connect a data source in Grafana

  1. In the browser, go to http://localhost:3000/.

    Note

    By default, Grafana uses port 3000, unless you specified a different one in the configuration file.

  2. In the left-hand panel, select ConnectionsAdd new connection.

  3. In the list of sources, select Yandex Cloud Logging.

  4. Click Add new data source.

  5. Under Secret config, in the API Key field, paste the contents of the authorized_key.json file with the authorized keys.

  6. Under SDK config, in the Folder ID field, specify the ID of the folder with the grafana-plugin log group.

  7. Click Save & test.

View the logs in Grafana

  1. In the Grafana interface, select Explore in the left-hand panel.

  2. In the top-left corner, select the Yandex Cloud Logging data source from the drop-down list.

  3. In the query editor for the data source:

    1. Select the ID of the grafana-plugin log group in the Group field.

    2. Enter your query written in the filter expression language in the Filter query field.

    3. In the top-right corner, click Run query.

      You will see a histogram with log group records in the Logs volume section.

How to delete the resources you created

To stop paying for the resources you created, delete the log group.

Previous
Automatically copying objects from one Object Storage bucket to another
Next
Canary release of a Cloud Functions function