Visualizing logs in Grafana using the Yandex Cloud Logging plugin
The Yandex Cloud Logging plugin for Grafana
To visualize logs:
- Install the plugin.
- Create a service account.
- Create an authorized key for the service account.
- Create a log group.
- Add records to a log group.
- Connect a data source in Grafana.
- View the logs in Grafana.
If you no longer need the resources you created, delete them.
Prepare your cloud
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The cost of resources includes a fee for logging operations and log storage in a log group (see Yandex Cloud Logging pricing).
Install the plugin
-
Download
the archive with the latest plugin version. -
Unpack the archive to the directory with plugins. The path to the directory with plugins is specified in the Grafana configuration
.unzip <path_to_archive> -d <path_to_plugin_directory>
Note
If using macOS, after you unpack the plugin archive manually run the
/opt/homebrew/var/lib/grafana/plugins/yandexcloud-logging-datasource/yc-logs-plugin_darwin_arm64
file and allow launching third party applications in the system settings. -
Allow loading an unsigned plugin. To do this, specify the plugin name in the
allow_loading_unsigned_plugins
parameter of the Grafana configuration file:allow_loading_unsigned_plugins = yandexcloud-logging-datasource
For more information about loading unsigned plugins, see the Grafana documentation
. -
Restart the Grafana server:
LinuxWindowsmacOSsudo systemctl restart grafana-server
- Click Win+R.
- In the window that opens, enter
services.msc
and click OK. - Right-click the line with
Grafana
and select Restart.
brew services restart grafana
Create a service account
- In the management console
, select the folder where you want to create a service account. - In the list of services, select Identity and Access Management.
- Click Create service account.
- Enter a name for the service account:
grafana-plugin
. - Click Add role and select the
logging.reader
role. - Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
Create a service account named
grafana-plugin
:yc iam service-account create --name grafana-plugin
Result:
id: nfersamh4s********** folder_id: b1gc1t4cb6********** created_at: "2023-09-26T10:36:29.726397755Z" name: grafana-plugin
Save the ID of the
grafana-plugin
service account (id
) and the ID of the folder where it was created (folder_id
). -
Assign the service account the
logging.reader
role for the folder:yc resource-manager folder add-access-binding <folder_ID> \ --role logging.reader \ --subject serviceAccount:<service_account_ID>
Result:
done (1s)
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the service account parameters:
resource "yandex_iam_service_account" "grafana-plugin" { name = "grafana-plugin" folder_id = "<folder_ID>" } resource "yandex_resourcemanager_folder_iam_member" "reader" { folder_id = "<folder_ID>" role = "logging.reader" member = "serviceAccount:${yandex_iam_service_account.grafana-plugin id}" }
Where:
name
: Service account name. This is a required parameter.folder_id
: Folder ID. This is an optional parameter. By default, the value specified in the provider settings is used.role
: Role you want to assign.
For more information about the
yandex_iam_service_account
resource parameters in Terraform, see the relevant provider documentation . -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is specified correctly, the terminal will display information about the service account. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the service account: type
yes
in the terminal and press Enter.The service account will then be created. You can check the new service account using the management console
or this CLI command:yc iam service-account list
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
To assign the logging.reader
role for the folder to the service account, use the setAccessBindings method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.
Create an authorized key for a service account
- In the management console
, select the folder the service account belongs to. - In the list of services, select Identity and Access Management.
- In the left-hand panel, select
Service accounts. - In the list that opens, select the
grafana-plugin
service account. - Click Create new key in the top panel.
- Select Create authorized key.
- Select the encryption algorithm.
- Enter a description of the key so that you can easily find it in the management console.
- Click Create.
- In the window that opens, click Download file with keys.
- Click Close.
Create authorized keys for the grafana-plugin
service account:
yc iam key create --service-account-name grafana-plugin -o authorized_key.json
If successful, a private key (privateKey
) and a public key ID (id
) will be written to the authorized_key.json
file.
Key file example:
{
"id": "lfkoe35hsk**********",
"service_account_id": "ajepg0mjt0**********",
"created_at": "2023-10-10T10:04:56Z",
"key_algorithm": "RSA_2048",
"public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
"private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}
-
In the configuration file, describe the parameters of the resources you want to create:
service_account_id
: Service account ID. This is a required parameter.description
: Key description. This is an optional parameter.key_algorithm
: Key generation algorithm. This is an optional parameter. The default algorithm isRSA_2048
. For more information about the acceptable parameter values, see the API documentation.
Here is an example of the configuration file structure:
resource "yandex_iam_service_account_key" "sa-auth-key" { service_account_id = "<service_account_ID>" description = "<key_description>" key_algorithm = "<key_generation_algorithm>" }
For more information about the resources you can create with Terraform, see the provider documentation
. -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console
and this CLI command:yc iam key list --service-account-id <service_account_ID>
-
To create an access key, use the create REST API method for the Key resource or the KeyService/Create gRPC API call.
Example of request using cURL for the create
REST API method:
curl --request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{"serviceAccountId": "<service_account_ID>"}' \
https://iam.api.cloud.yandex.net/iam/v1/keys
Where:
<IAM_token>
: IAM token of the user with permissions to create keys for the specified service account.<service_account_id>
: ID of the service account for which the keys are created.
If successful, the server response will contain the private key (privateKey
) and public key ID (id
). Save this data. You will not be able to get the key value again.
Sample server response:
{
"key": {
"createdAt": "2023-10-10T10:55:00+00:00",
"description": "",
"id": "lfkoe35hsk**********",
"keyAlgorithm": "RSA_2048",
"publicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
"serviceAccountId": "ajepg0mjt0**********"
},
"privateKey": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
}
Create a log group
- In the management console
, select the folder where you created thegrafana-plugin
service account. - Select Cloud Logging.
- Click Create group.
- Enter
grafana-plugin
as the log group name. - Set the log group record retention period.
- Click Create group.
To create a log group, run this command:
yc logging group create \
--name=grafana-plugin \
--retention-period=<retention_period> \
Where:
--name
: Log group name.--retention-period
: Log group record retention period.
Result:
done (1s)
id: af3flf29t8**********
folder_id: aoek6qrs8t**********
cloud_id: aoegtvhtp8**********
created_at: "2023-09-26T09:56:38.970Z"
name: grafana-plugin
status: ACTIVE
retention_period: 3600s
-
In the configuration file, describe the log group parameters:
provider "yandex" { token = "<OAuth_token>" cloud_id = "<cloud_ID>" folder_id = "<folder_ID>" zone = "ru-central1-a" } resource "yandex_logging_group" "grafana-plugin" { name = "grafana-plugin" folder_id = "<folder_ID>" retention_period = "1h" }
Where:
name
: Log group name.folder_id
: Folder ID.retention_period
: Log group record retention period.
For more information about the
yandex_logging_group
resource parameters in Terraform, see the relevant provider documentation . -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.All the resources you need will then be created in the specified folder. You can check the new resources and their settings using the management console
or this CLI command:yc logging group list
To create a log group, use the create REST API method for the LogGroup resource or the LogGroupService/Create gRPC API call.
Add records to the log group
To add records to a log group, run this command:
-
Linux, macOS:
yc logging write \ --group-name=grafana-plugin \ --message="My message" \ --level=INFO
-
Windows (cmd):
yc logging write ^ --group-name=grafana-plugin ^ --message="My message" ^ --level=INFO
-
Windows (PowerShell):
yc logging write ` --group-name=grafana-plugin ` --message="My message" ` --level=INFO
Where:
--group-name
: Name of the log group to add records to.--message
: Message.--level
: Logging level.
Note
You can skip the --group-name
and --message
flags and specify only the parameter values, e.g., grafana-plugin "My message"
.
To add records to the log group, use the LogIngestionService/Write gRPC API call.
Connect a data source in Grafana
-
In the browser, go to
http://localhost:3000/
.Note
By default, Grafana uses port 3000, unless you specified a different one
in the configuration file. -
In the left-hand panel, select Connections → Add new connection.
-
In the list of sources, select Yandex Cloud Logging.
-
Click Add new data source.
-
Under Secret config, in the API Key field, paste the contents of the authorized_key.json file with the
authorized keys
. -
Under SDK config, in the Folder ID field, specify the ID of the folder with the
grafana-plugin
log group. -
Click Save & test.
View the logs in Grafana
-
In the Grafana interface, select Explore in the left-hand panel.
-
In the top-left corner, select the Yandex Cloud Logging data source from the drop-down list.
-
In the query editor for the data source:
-
Select the ID of the
grafana-plugin
log group in the Group field. -
Enter your query written in the filter expression language in the Filter query field.
-
In the top-right corner, click Run query.
You will see a histogram with log group records in the Logs volume section.
-
How to delete the resources you created
To stop paying for the resources you created, delete the log group.