Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring Fluent Bit for Yandex Cloud Logging

Written by
Improved by
Updated at May 5, 2025

Note

You can enable sending logs from the Managed Service for Kubernetes master host to Cloud Logging by specifying the master logging setting when creating or updating your cluster. The setting is only available in the API, CLI, and Terraform. To learn more, see Sending Managed Service for Kubernetes cluster logs to Cloud Logging.

The Fluent Bit log processor allows you to transfer pod and service logs and system logs of Managed Service for Kubernetes nodes to Cloud Logging. To transfer logs, you will use the Fluent Bit plugin for Yandex Cloud Logging module.

To configure transfer of Yandex Managed Service for Kubernetes pod, service logs and node system logs to Yandex Cloud Logging:

  1. Install and configure Fluent Bit.
  2. Check the result.

If you no longer need the resources you created, delete them.

The support cost includes:

Getting started

Set up your infrastructure:

  1. If you do not have a network yet, create one.

  2. If you do not have any subnets yet, create them in the availability zones where your Managed Service for Kubernetes cluster and node group will be created.

  3. Create service accounts for Managed Service for Kubernetes:

    • Service account for the Managed Service for Kubernetes resources with the k8s.clusters.agent and vpc.publicAdmin roles for the folder where the Managed Service for Kubernetes cluster is being created.
    • Service account for Managed Service for Kubernetes nodes with the container-registry.images.puller role for the folder containing the Docker image registry. Managed Service for Kubernetes nodes will pull the required Docker images from the registry on behalf of this account.

    Tip

    You can use the same service account for both operations.

  4. Create a service account for Cloud Logging with the logging.writer and monitoring.editor roles. It will be used to run Fluent Bit.

  5. Create an authorized key for the Cloud Logging service account and save it to the key.json file.

  6. Create security groups for the Managed Service for Kubernetes cluster and its node groups.

    Warning

    The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  7. Create a Managed Service for Kubernetes cluster and a node group. When creating a Managed Service for Kubernetes cluster, specify the previously created service accounts for resources and nodes and the security group.

  8. Create a log group.

  1. If you do not have Terraform yet, install it.

  2. Download the file with provider settings. Place it in a separate working directory and specify the parameter values.

  3. Download the k8s-cluster-with-log-group.tf configuration file of the Managed Service for Kubernetes cluster to the same working directory.

    This file describes:

    • Network.

    • Subnet.

    • Cloud Logging log group.

    • Managed Service for Kubernetes cluster.

    • Managed Service for Kubernetes node group.

    • Service account for Managed Service for Kubernetes resources and nodes.

    • Service account for Cloud Logging.

    • Security groups which contain rules required for the Managed Service for Kubernetes cluster and its node groups.

      Warning

      The configuration of security groups determines the performance and availability of the cluster and the services and applications running in it.

  4. Specify the following in the configuration file:

    • Folder ID.
    • Kubernetes version for the Managed Service for Kubernetes cluster and node groups.
    • Name of the service account for Managed Service for Kubernetes resources and nodes.
    • Name of the service account for Cloud Logging.
    • Cloud Logging log group name.

  5. Run the terraform init command in the directory with the configuration files. This command initializes the provider specified in the configuration files and enables you to use the provider resources and data sources.

  6. Check that the Terraform configuration files are correct using this command:

    terraform validate

    If there are any errors in the configuration files, Terraform will point them out.

  7. Create the required infrastructure:

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

Install and configure Fluent Bit

Select the Fluent Bit installation option depending on what logs you want to collect and send to Cloud Logging:

Installing Fluent Bit to collect pod and service logs

Install Fluent Bit by following this guide. In the application settings, specify the ID of the log group you created earlier. You can request the log group ID with the list of log groups in the folder.

  1. Install kubect and configure it to work with the new cluster.

  2. Create the objects required for Fluent Bit to run:

    kubectl create namespace logging && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-service-account.yaml && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-1.22.yaml && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-binding-1.22.yaml

  3. Create a secret containing the key of the service account for Cloud Logging you created earlier:

    kubectl create secret generic secret-key-json \
  --from-file=key.json \
  --namespace logging

  4. Download the config.yaml configuration file:

    wget https://raw.githubusercontent.com/knpsh/yc-logging-fluent-bit-example/main/config.yaml

  5. Specify the ID of the log group created earlier and (optionally) the cluster ID in the [OUTPUT] section of the config.yaml file:

    ...
output-elasticsearch.conf: |
  [OUTPUT]
    Name            yc-logging
    Match           *
    group_id        <log_group_ID>
    resource_id     <optional_cluster_ID>
    message_key     log
    authorization   iam-key-file:/etc/secret/key.json
...

    You can get the log group ID with the list of log groups in the folder, and the cluster ID with the list of clusters in the folder.

    Specify additional settings for Fluent Bit, if required.

  6. Create Fluent Bit objects:

    kubectl apply -f config.yaml

    Result:

    configmap/fluent-bit-config created
daemonset.apps/fluent-bit created

  7. Make sure the Fluent Bit pod has entered the Running state:

    kubectl get pods -n logging

Installing Fluent Bit to collect pod, service logs and node system logs

  1. Install kubect and configure it to work with the new cluster.

  2. Install Helm v3.8.0 or higher.

  3. Download the Fluent Bit configuration file named systemd.yaml.

  4. To install a Helm chart with Fluent Bit, run this command:

    cat key.json | helm registry login cr.yandex --username 'json_key' --password-stdin && \
helm pull oci://cr.yandex/yc-marketplace/yandex-cloud/fluent-bit/fluent-bit \
  --version 2.1.7-3 \
  --untar && \
helm install -f <systemd.yaml_file_path>\
  --namespace <namespace> \
  --create-namespace \
  --set loggingGroupId=<log_group_ID> \
  --set loggingFilter=<cluster_ID> \
  --set-file auth.json=key.json \
  fluentbit ./fluent-bit/

    For the current version of the Helm chart, see this Yandex Cloud Marketplace page.

    This command will create a new namespace required for Fluent Bit.

    Note

    If you are using a Helm version below 3.8.0, append the export HELM_EXPERIMENTAL_OCI=1 && \ string to the command to enable Open Container Initiative (OCI) support in the Helm client.

  1. Install kubect and configure it to work with the new cluster.

  2. Create the objects required for Fluent Bit to run:

    kubectl create namespace logging && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-service-account.yaml && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-1.22.yaml && \
kubectl create -f https://raw.githubusercontent.com/fluent/fluent-bit-kubernetes-logging/master/fluent-bit-role-binding-1.22.yaml

  3. Create a secret containing the key of the service account for Cloud Logging you created earlier:

    kubectl create secret generic secret-key-json \
  --from-file=key.json \
  --namespace logging

  4. Download the Fluent Bit configuration file named config.yaml.

  5. Specify the ID of the previously created log group in the [OUTPUT] sections of the config.yaml file:

    ...
output-elasticsearch.conf: |
  [OUTPUT]
    Name            yc-logging
    Match           kube.*
    group_id        <log_group_ID>
    resource_type   {kubernetes/namespace_name}
    resource_id     {kubernetes/pod_name}
    stream_name     {kubernetes/host}
    message_key     log
    level_key       severity
    default_level   INFO
    authorization   iam-key-file:/etc/secret/key.json

  [OUTPUT]
    Name            yc-logging
    Match           host.*
    group_id        <log_group_ID>
    resource_type   systemd
    resource_id     {_SYSTEMD_UNIT}
    stream_name     {_HOSTNAME}
    message_key     MESSAGE
    level_key       SEVERITY
    default_level   INFO
    authorization   iam-key-file:/etc/secret/key.json
...

    You can request the log group ID with the list of log groups in the folder.

    Specify additional settings for Fluent Bit, if required.

  6. Create Fluent Bit objects:

    kubectl apply -f config.yaml

    Result:

    configmap/fluent-bit-config created
daemonset.apps/fluent-bit created

  7. Make sure the Fluent Bit pod has entered the Running state:

    kubectl get pods -n logging

Check the result

Test the transfer of logs of Managed Service for Kubernetes pods and services to your Cloud Logging log group.

Delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. Delete the Managed Service for Kubernetes cluster.
  2. If you reserved a static public IP address for your Managed Service for Kubernetes cluster, release and delete it.
  3. Delete the created subnets and networks.
  4. Delete service accounts you created.
  5. Delete the log group.

  1. In the command line, go to the directory with the current Terraform configuration file with an infrastructure plan.

  2. Delete the k8s-cluster-with-log-group.tf configuration file.

  3. Make sure the Terraform configuration files are correct using this command:

    terraform validate

    If there are any errors in the configuration files, Terraform will point them out.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the resources described in the k8s-cluster-with-log-group.tf configuration file will be deleted.

Previous
Syncing with Yandex Lockbox secrets
Next
Setting up Gateway API