Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Visualizing logs in Grafana using the Cloud Logging plugin

Written by
Updated at October 29, 2025

The Yandex Cloud Logging plugin for Grafana is an extension for Grafana that allows you to add Cloud Logging as a data source.

Note

The Cloud Logging plugin works with Grafana versions 11.2.0 or earlier. Menu titles and UI elements may vary depending on the version.

To visualize logs:

  1. Install the plugin.
  2. Create a service account.
  3. Create an authorized key for the service account.
  4. Create a log group.
  5. Add records to the log group.
  6. Connect a data source in Grafana.
  7. View the logs in Grafana.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

The cost of resources includes a fee for logging operations and log storage in a log group (see Yandex Cloud Logging pricing).

Install the plugin

  1. Download the archive with the latest plugin version.

  2. Unpack the archive to the directory with plugins. The path to the directory with plugins is specified in the Grafana configuration.

    unzip <path_to_archive> -d <path_to_plugin_directory>

    Note

    In macOS, after you unpack the plugin archive manually run the /opt/homebrew/var/lib/grafana/plugins/yandexcloud-logging-datasource/yc-logs-plugin_darwin_arm64 file and allow launching third-party applications in the system settings.

  3. Allow loading an unsigned plugin. To do this, specify the plugin name in the allow_loading_unsigned_plugins parameter of the Grafana configuration file:

    allow_loading_unsigned_plugins = yandexcloud-logging-datasource

    For more information about loading unsigned plugins, see the Grafana documentation.

  4. Restart the Grafana server:

    sudo systemctl restart grafana-server
    1. Click Win+R.
    2. In the window that opens, enter services.msc and click OK.
    3. Right-click the line with Grafana and select Restart.
    brew services restart grafana

Create a service account

  1. In the management console, select the folder where you want to create a service account.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Enter a name for the service account: grafana-plugin.
  5. Click Add role and select the logging.reader role.
  6. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a service account named grafana-plugin:

    yc iam service-account create --name grafana-plugin

    Result:

    id: nfersamh4s**********
folder_id: b1gc1t4cb6**********
created_at: "2023-09-26T10:36:29.726397755Z"
name: grafana-plugin

    Save the ID of the grafana-plugin service account (id) and the ID of the folder where you created it (folder_id).

  2. Assign the logging.reader role for the folder to the service account:

    yc resource-manager folder add-access-binding <folder_ID> \
  --role logging.reader \
  --subject serviceAccount:<service_account_ID>

    Result:

    done (1s)

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. In the configuration file, describe the service account parameters:

    resource "yandex_iam_service_account" "grafana-plugin" {
  name        = "grafana-plugin"
  folder_id   = "<folder_ID>"
}

resource "yandex_resourcemanager_folder_iam_member" "reader" {
  folder_id = "<folder_ID>"
  role      = "logging.reader"
  member    = "serviceAccount:${yandex_iam_service_account.grafana-plugin id}"
}

    Where:

    • name: Service account name. This is a required setting.
    • folder_id: Folder ID. This is an optional setting. It defaults to the value specified in the provider settings.
    • role: Role being assigned.

    For more information about yandex_iam_service_account properties, see this Terraform article.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If you described the configuration correctly, the terminal will display information about the service account. If the configuration contains any errors, Terraform will show them.

  3. Deploy the cloud resources.

  4. If the configuration does not contain any errors, run this command:

    terraform apply

  5. Confirm creating the service account by typing yes in the terminal and pressing Enter.

    This will create the service account. You can check it using the management console or this CLI command:

    yc iam service-account list

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

To assign the logging.reader role for a folder to a service account, use the setAccessBindings method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

Create an authorized key for a service account

  1. In the management console, select the folder the service account belongs to.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts.
  4. In the list that opens, select the grafana-plugin service account.
  5. Click Create new key in the top panel.
  6. Select Create authorized key.
  7. Select the encryption algorithm.
  8. Enter a description of the key so that you can easily find it in the management console.
  9. Click Create.
  10. In the window that opens, click Download file with keys.
  11. Click Close.

Create authorized keys for the grafana-plugin service account:

yc iam key create --service-account-name grafana-plugin -o authorized_key.json

If successful, a private key (privateKey) and a public key ID (id) will be written to the authorized_key.json file.

Key file example:

{
   "id": "lfkoe35hsk**********",
   "service_account_id": "ajepg0mjt0**********",
   "created_at": "2023-10-10T10:04:56Z",
   "key_algorithm": "RSA_2048",
   "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
   "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}

  1. In the configuration file, describe the resources you want to create:

    • service_account_id: Service account ID. This is a required parameter.
    • description: Key description. This is an optional parameter.
    • key_algorithm: Key generation algorithm. This is an optional parameter. The default algorithm is RSA_2048. For more information about the acceptable parameter values, see the API documentation.

    Here is an example of the configuration file structure:

    resource "yandex_iam_service_account_key" "sa-auth-key" {
  service_account_id = "<service_account_ID>"
  description        = "<key_description>"
  key_algorithm      = "<key_generation_algorithm>"
}

    For more information about the resources you can create with Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm creating the resources: type yes in the terminal and press Enter.

      This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console and this CLI command:

      yc iam key list --service-account-id <service_account_ID>

To create an access key, use the create REST API method for the Key resource or the KeyService/Create gRPC API call.

Example of a request using cURL for the create REST API method:

curl --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{"serviceAccountId": "<service_account_ID>"}' \
  https://iam.api.cloud.yandex.net/iam/v1/keys

Where:

  • <IAM_token>: IAM token of the user with permissions to create keys for the specified service account.
  • <service_account_id>: ID of the service account for which the keys are being created.

If successful, the server response will contain the private key (privateKey) and public key ID (id). Save this data. You will not be able to get the secret key again.

Example of a server response:

{
    "key": {
        "createdAt": "2023-10-10T10:55:00+00:00",
        "description": "",
        "id": "lfkoe35hsk**********",
        "keyAlgorithm": "RSA_2048",
        "publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
        "serviceAccountId": "ajepg0mjt0**********"
    },
    "privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}

Create a log group

  1. In the management console, go to the folder where you created the grafana-plugin service account.
  2. Select Cloud Logging.
  3. Click Create group.
  4. Enter grafana-plugin as the log group name.
  5. Set the log group record retention period.
  6. Click Create group.

To create a log group, run this command:

yc logging group create \
  --name=grafana-plugin \
  --retention-period=<retention_period> \

Where:

  • --name: Log group name.
  • --retention-period: Retention period for log group records.

Result:

done (1s)
id: af3flf29t8**********
folder_id: aoek6qrs8t**********
cloud_id: aoegtvhtp8**********
created_at: "2023-09-26T09:56:38.970Z"
name: grafana-plugin
status: ACTIVE
retention_period: 3600s

  1. In the configuration file, describe the log group parameters:

    provider "yandex" {
  token     = "<OAuth_token>"
  cloud_id  = "<cloud_ID>"
  folder_id = "<folder_ID>"
  zone      = "ru-central1-a"
}

resource "yandex_logging_group" "grafana-plugin" {
  name             = "grafana-plugin"
  folder_id        = "<folder_ID>"
  retention_period = "1h"
}

    Where:

    • name: Log group name.
    • folder_id: Folder ID.
    • retention_period: Retention period for log group records.

    For more information about yandex_logging_group properties, see this Terraform article.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan

    If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

  4. If the configuration does not contain any errors, run this command:

    terraform apply

  5. Confirm creating the resources: type yes in the terminal and press Enter.

    This will create all the resources you need in the specified folder. You can check the new resources and their settings using the management console or this CLI command:

    yc logging group list

To create a log group, use the create REST API method for the LogGroup resource or the LogGroupService/Create gRPC API call.

Add records to the log group

To add records to a log group, run this command:

  • Linux, macOS:

    yc logging write \
  --group-name=grafana-plugin \
  --message="My message" \
  --level=INFO

  • Windows (cmd):

    yc logging write ^
  --group-name=grafana-plugin ^
  --message="My message" ^
  --level=INFO

  • Windows (PowerShell):

    yc logging write `
  --group-name=grafana-plugin `
  --message="My message" `
  --level=INFO

    Where:

    • --group-name: Name of the log group to add records to.
    • --message: Message.
    • --level: Logging level.

Note

You can skip the --group-name and --message parameters and provide only the values, e.g., grafana-plugin "My message".

To add records to the log group, use the LogIngestionService/Write gRPC API call.

Connect a data source in Grafana

  1. In the browser, go to http://localhost:3000/.

    Note

    By default, Grafana uses port 3000, unless you specified a different one in the configuration file.

  2. In the left-hand panel, select ConnectionsAdd new connection.

  3. In the list of sources, select Yandex Cloud Logging.

  4. Click Add new data source.

  5. Under Secret config, in the API Key field, paste the contents of the authorized_key.json file with the authorized keys.

  6. Under SDK config, in the Folder ID field, specify the ID of the folder with the grafana-plugin log group.

  7. Click Save & test.

View the logs in Grafana

  1. In the Grafana interface, select Explore in the left-hand panel.

  2. In the top-left corner, select the Yandex Cloud Logging data source from the drop-down list.

  3. In the query editor for the data source:

    1. Select the ID of the grafana-plugin log group in the Group field.

    2. Enter your query written in the filter expression language in the Filter query field.

    3. In the top-right corner, click Run query.

      You will see a histogram with log group records in the Logs volume section.

How to delete the resources you created

To stop paying for the resources you created, delete the log group.

Previous
Log replication to Object Storage via Data Streams
Next
Interactive debugging of Cloud Functions functions