Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring Fluent Bit for Yandex Cloud Logging

Written by
Improved by
Updated at March 28, 2025

Note

You can enable sending logs from the Managed Service for Kubernetes master host to Cloud Logging by specifying the master logging setting when creating or updating your cluster. The setting is only available in the API, CLI, and Terraform. To learn more, see Sending Managed Service for Kubernetes cluster logs to Cloud Logging.

The Fluent Bit log processor allows you to transfer pod and service logs and system logs of Managed Service for Kubernetes nodes to Cloud Logging. To transfer logs, you will use the Fluent Bit plugin for Yandex Cloud Logging module.

Transferring Yandex Managed Service for Kubernetes cluster logs to Yandex Cloud Logging

You can send Managed Service for Kubernetes cluster logs to Cloud Logging:

Sending master logs to Managed Service for Kubernetes in Cloud Logging using master logging

To set up the transfer of Managed Service for Kubernetes master logs to Cloud Logging:

  1. Enable the master logging setting.
  2. Check the result.

If you no longer need the resources you created, delete them.

Getting started

Prepare the infrastructure:

  1. If you do not have a network yet, create one.

  2. If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.

  3. Create service accounts:

    • Service account for Managed Service for Kubernetes resources with the editor role for the folder where the Managed Service for Kubernetes cluster is created.

    • Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.

      Tip

      You can use the same service account for both operations.

  4. Assign the logging.writer role to the service account for resources. This role is required by the Managed Service for Kubernetes cluster to send logs to Cloud Logging.

  5. Create a Managed Service for Kubernetes cluster and a node group. When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for the resources and nodes.

  6. Configure security groups for the Managed Service for Kubernetes cluster.

  7. Create a log group.

  1. If you do not have Terraform yet, install it.

  2. Download the file with provider settings. Place it in a separate working directory and specify the parameter values.

  3. Download the k8s-cluster-with-master-logging.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory.

    This file describes:

    • Network.
    • Subnet.
    • Security groups and rules required for a Managed Service for Kubernetes cluster and node group:
      • Rules for service traffic.
      • Rules for accessing the Kubernetes API and managing a Managed Service for Kubernetes cluster using kubectl through ports 443 and 6443.
      • Rules for accessing services from the internet.
    • Service account for resources and Managed Service for Kubernetes nodes and sending cluster logs to Cloud Logging.
    • Managed Service for Kubernetes cluster.
    • Managed Service for Kubernetes node group.
    • Cloud Logging log group.

  4. Specify the following in the configuration file:

    • Folder ID.
    • Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
    • Name of the service account for resources and Managed Service for Kubernetes nodes and for sending cluster logs to Cloud Logging.
    • Cloud Logging log group name.

  5. Run the terraform init command in the directory with the configuration files. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources.

  6. Check that the Terraform configuration files are correct using this command:

    terraform validate

    If there are any errors in the configuration files, Terraform will point them out.

  7. Create the required infrastructure:

    1. Run the command to view planned changes:

      terraform plan

      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

    2. If you are happy with the planned changes, apply them:

      1. Run the command:

        terraform apply

      2. Confirm the update of resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

Enable the master logging setting

If you created the infrastructure manually, enable the master logging setting:

  1. If you do not have the Yandex Cloud CLI yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

  2. Run this command:

    yc managed-kubernetes cluster update <cluster_name> \
  --master-logging enabled=true,`
    `log-group-id=<log_group_ID>,`
    `kube-apiserver-enabled=<send_kube-apiserver_logs:_true_or_false>,`
    `cluster-autoscaler-enabled=<send_cluster-autoscaler_logs:_true_or_false>,`
    `events-enabled=<send_Kubernetes_events:_true_or_false>`
    `audit-enabled=<send_audit_events:_true_or_false>

    Where:

    • enabled: Flag that enables sending logs.
    • log-group-id: ID of the previously created log group to send the logs to.
    • kube-apiserver-enabled: Flag that enables sending kube-apiserver logs.
    • cluster-autoscaler-enabled: Flag that enables sending cluster-autoscaler logs.
    • events-enabled: Flag that enables sending Kubernetes events.
    • audit-enabled: Flag that enables sending audit events.

Check the result

Check the transfer of Managed Service for Kubernetes master logs to the Cloud Logging log group.

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy

    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.

Sending pod logs and service logs via Fluent Bit

To configure transfer of Yandex Managed Service for Kubernetes pod, service logs and node system logs to Yandex Cloud Logging:

  1. Install and configure Fluent Bit.
  2. Check the result.

If you no longer need the resources you created, delete them.

Getting started

Set up your infrastructure:

  1. If you do not have a network yet, create one.

  2. If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.

  3. Create service accounts for Managed Service for Kubernetes:

    • Service account for Managed Service for Kubernetes resources with the editor role for the folder where the Managed Service for Kubernetes cluster is created.
    • Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.

    Tip

    You can use the same service account for both operations.

  4. Create a service account for Cloud Logging with the logging.writer and monitoring.editor roles. It will be used to run Fluent Bit.

  5. Create an authorized key for the Cloud Logging service account and save it to the key.json file.

  6. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  7. Create a Managed Service for Kubernetes cluster and a node group. When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for resources and nodes and the security group.

  8. Create a log group.

  1. If you do not have Terraform yet, install it.

  2. Download the file with provider settings. Place it in a separate working directory and specify the parameter values.

  3. Download the k8s-cluster-with-log-group.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory.

    This file describes:

    • Network.

    • Subnet.

    • Cloud Logging log group.

    • Managed Service for Kubernetes cluster.

    • Managed Service for Kubernetes node group.

    • Service account for Managed Service for Kubernetes resources and nodes.

    • Service account for Cloud Logging.

    • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  4. Specify the following in the configuration file:

    • Folder ID.
    • Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
    • Name of the service account for Managed Service for Kubernetes resources and nodes.
    • Name of the service account for Cloud Logging.
    • Cloud Logging log group name.

  5. Run the terraform init command in the directory with the configuration files. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources.

  6. Check that the Terraform configuration files are correct using this command:

    terraform validate

    If there are any errors in the configuration files, Terraform will point them out.

  7. Create the required infrastructure:

    1. Run the command to view planned changes:

      terraform plan

      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

    2. If you are happy with the planned changes, apply them:

      1. Run the command:

        terraform apply

      2. Confirm the update of resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

Install and configure Fluent Bit

Select the Fluent Bit installation option depending on what logs you want to collect and send to Cloud Logging:

Installing Fluent Bit to collect pod and service logs

Install Fluent Bit by following this guide. In the application settings, specify the ID of the log group you created earlier. You can request the log group ID with the list of log groups in the folder.

  1. Install kubectl and configure it to work with the created cluster.

  2. Create the objects required for Fluent Bit to run:

    kubectl create namespace logging && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-service-account.yaml && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-1.22.yaml && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-binding-1.22.yaml

  3. Create a secret containing the key of the service account for Cloud Logging you created earlier:

    kubectl create secret generic secret-key-json \
  --from-file=key.json \
  --namespace logging

  4. Download the config.yaml configuration file:

    wget https://raw.githubusercontent.com/knpsh/yc-logging-fluent-bit-example/main/config.yaml

  5. Specify the ID of the log group created earlier and (optionally) the cluster ID in the [OUTPUT] section of the config.yaml file:

    ...
output-elasticsearch.conf: |
  [OUTPUT]
    Name            yc-logging
    Match           *
    group_id        <log_group_ID>
    resource_id     <optional_cluster_ID>
    message_key     log
    authorization   iam-key-file:/etc/secret/key.json
...

    You can get the log group ID with the list of log groups in the folder, and the cluster ID with the list of clusters in the folder.

    Specify additional settings for Fluent Bit, if required.

  6. Create Fluent Bit objects:

    kubectl apply -f config.yaml

    Result:

    configmap/fluent-bit-config created
daemonset.apps/fluent-bit created

  7. Make sure the Fluent Bit pod has entered the Running state:

    kubectl get pods -n logging

Installing Fluent Bit to collect pod, service logs and node system logs

  1. Install kubectl and configure it to work with the created cluster.

  2. Install Helm v3.8.0 or higher.

  3. Download the Fluent Bit configuration file named systemd.yaml.

  4. To install a Helm chart with Fluent Bit, run this command:

    cat key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \
helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/fluent-bit/fluent-bit \
  --version 2.1.7-3 \
  --untar && \
helm install -f <systemd.yaml_file_path>\
  --namespace <namespace> \
  --create-namespace \
  --set loggingGroupId=<log_group_ID> \
  --set loggingFilter=<cluster_ID> \
  --set-file auth.json=key.json \
  fluentbit ./fluent-bit/

    For the current version of the Helm chart, see this Yandex Cloud Marketplace page.

    This command will create a new namespace required for Fluent Bit.

    Note

    If you are using a Helm version below 3.8.0, append the export HELM_EXPERIMENTAL_OCI=1 && \ string to the command to enable Open Container Initiative (OCI) support in the Helm client.

  1. Install kubectl and configure it to work with the created cluster.

  2. Create the objects required for Fluent Bit to run:

    kubectl create namespace logging && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-service-account.yaml && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-1.22.yaml && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-binding-1.22.yaml

  3. Create a secret containing the key of the service account for Cloud Logging you created earlier:

    kubectl create secret generic secret-key-json \
  --from-file=key.json \
  --namespace logging

  4. Download the Fluent Bit configuration file named config.yaml.

  5. Specify the ID of the previously created log group in the [OUTPUT] sections of the config.yaml file:

    ...
output-elasticsearch.conf: |
  [OUTPUT]
    Name            yc-logging
    Match           kube.*
    group_id        <log_group_ID>
    resource_type   {kubernetes/namespace_name}
    resource_id     {kubernetes/pod_name}
    stream_name     {kubernetes/host}
    message_key     log
    level_key       severity
    default_level   INFO
    authorization   iam-key-file:/etc/secret/key.json

  [OUTPUT]
    Name            yc-logging
    Match           host.*
    group_id        <log_group_ID>
    resource_type   systemd
    resource_id     {_SYSTEMD_UNIT}
    stream_name     {_HOSTNAME}
    message_key     MESSAGE
    level_key       SEVERITY
    default_level   INFO
    authorization   iam-key-file:/etc/secret/key.json
...

    You can request the log group ID with the list of log groups in the folder.

    Specify additional settings for Fluent Bit, if required.

  6. Create Fluent Bit objects:

    kubectl apply -f config.yaml

    Result:

    configmap/fluent-bit-config created
daemonset.apps/fluent-bit created

  7. Make sure the Fluent Bit pod has entered the Running state:

    kubectl get pods -n logging

Check the result

Test the transfer of logs of Managed Service for Kubernetes pods and services to your Cloud Logging log group.

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. Delete the Managed Service for Kubernetes cluster.
  2. If you reserved a static public IP address for your Managed Service for Kubernetes cluster, release and delete it.
  3. Delete the created subnets and networks.
  4. Delete service accounts you created.
  5. Delete the log group.

  1. In the command line, go to the directory with the current Terraform configuration file with an infrastructure plan.

  2. Delete the k8s-cluster-with-log-group.tf configuration file.

  3. Make sure the Terraform configuration files are correct using this command:

    terraform validate

    If there are any errors in the configuration files, Terraform will point them out.

  4. Confirm updating the resources.

    1. Run the command to view planned changes:

      terraform plan

      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

    2. If you are happy with the planned changes, apply them:

      1. Run the command:

        terraform apply

      2. Confirm the update of resources.

      3. Wait for the operation to complete.

    All the resources described in the k8s-cluster-with-log-group.tf configuration file will be deleted.

Previous
Syncing with Yandex Lockbox secrets
Next
Setting up Gateway API