How to view logs and events in real time (preview)

Azure Monitor for containers includes a feature, currently in preview, that provides a live view into your Azure Kubernetes Service (AKS) container logs (stdout/stderr) and events without having to run kubectl commands. When you select either option, a new pane appears below the performance data table on the Nodes, Controllers, and Containers view. It shows live logging and events generated by the container engine to further assist in troubleshooting issues in real time.

Note

This feature is available in all Azure regions, including Azure China.

Note

Azure Kubernetes Service Cluster User Role access to the cluster resource is required for this feature to work. Learn more about the Azure Kubernetes Cluster User Role.

Live logs support three different methods to control access to the logs:

  1. AKS without Kubernetes RBAC authorization enabled
  2. AKS enabled with Kubernetes RBAC authorization
  3. AKS enabled with Azure Active Directory (AD) SAML-based single sign-on

Kubernetes cluster without RBAC enabled

If you have a Kubernetes cluster that is not configured with Kubernetes RBAC authorization or integrated with Azure AD single sign-on, you do not need to follow these steps. Because Kubernetes authorization uses the kube-api, read-only permissions are required.

Kubernetes RBAC authorization

If you have enabled Kubernetes RBAC authorization, you need to apply a cluster role binding. The following example steps demonstrate how to configure the cluster role binding from this yaml configuration template.

  1. Copy and paste the yaml file and save it as LogReaderRBAC.yaml.

    # Read-only access to container logs and Kubernetes events
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: containerHealth-log-reader
    rules:
      - apiGroups: [""]
        resources: ["pods/log", "events"]
        verbs: ["get", "list"]
    ---
    # Binds the role cluster-wide to the clusterUser subject
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: containerHealth-read-logs-global
    roleRef:
      kind: ClusterRole
      name: containerHealth-log-reader
      apiGroup: rbac.authorization.k8s.io
    subjects:
      - kind: User
        name: clusterUser
        apiGroup: rbac.authorization.k8s.io
    
  2. If you are configuring it for the first time, apply the cluster rule binding by running the following command: kubectl create -f LogReaderRBAC.yaml. If you enabled support for the live logs preview before we introduced live event logs, update your configuration by running the following command: kubectl apply -f LogReaderRBAC.yaml.
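To confirm what the binding above actually grants, the following added example (not part of the original article) asks the API server about the effective permissions of clusterUser with kubectl auth can-i. It assumes the caller is allowed to impersonate users, for example as a cluster administrator; the list of actions expected to be denied is an illustrative choice, and the KUBECTL and SUBJECT variables are hypothetical overrides.

```shell
#!/bin/sh
# Added example: audit the effective permissions of the bound subject.
# KUBECTL and SUBJECT are overridable; "clusterUser" comes from LogReaderRBAC.yaml.
KUBECTL="${KUBECTL:-kubectl}"
SUBJECT="${SUBJECT:-clusterUser}"

# can_i VERB RESOURCE [SUBRESOURCE] -> prints "yes" or "no"
can_i() {
  ci_verb="$1"; ci_res="$2"; ci_sub="${3:-}"
  set -- auth can-i "$ci_verb" "$ci_res" --as="$SUBJECT" --all-namespaces
  if [ -n "$ci_sub" ]; then set -- "$@" --subresource="$ci_sub"; fi
  # can-i exits non-zero on "no"; keep only the printed answer.
  "$KUBECTL" "$@" </dev/null 2>/dev/null | head -n 1 || true
}

# Compare each expectation with the API server's answer; returns the mismatch count.
audit_log_reader() {
  failures=0
  while read -r verb resource sub want; do
    if [ -z "$verb" ]; then continue; fi
    if [ "$sub" = "-" ]; then sub=""; fi
    got="$(can_i "$verb" "$resource" "$sub")"
    if [ "$got" != "$want" ]; then
      echo "MISMATCH: $verb $resource${sub:+/$sub}: expected $want, got ${got:-error}"
      failures=$((failures + 1))
    fi
  done <<'EOF'
get pods log yes
list pods log yes
get events - yes
list events - yes
get secrets - no
create pods exec no
delete pods - no
EOF
  return "$failures"
}

# Run against the current kubectl context: sh audit.sh run
if [ "${1:-}" = "run" ]; then
  audit_log_reader && echo "clusterUser permissions match the log-reader role"
fi
```

A mismatch on one of the rows expected to be denied means that clusterUser holds permissions from some other role binding, since the manifest above grants only get and list on pods/log and events.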

Configure AKS with Azure Active Directory

AKS can be configured to use Azure Active Directory (AD) for user authentication. If you are configuring it for the first time, see Integrate Azure Active Directory with Azure Kubernetes Service. During the steps to create the client application, specify the following:

  • Redirect URI: Two Web application types need to be created. The first base URL value should be https://afd.hosting.azureportal.chinacloudapi.cn/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html and the second base URL value should be https://monitoring.hosting.azureportal.chinacloudapi.cn/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html.
  • After registering the application, from the Overview page select Authentication from the left-hand pane. On the Authentication page, under Advanced settings, implicitly grant Access tokens and ID tokens, and then save your changes.

Note

Configuring authentication with Azure Active Directory for single sign-on can only be accomplished during initial deployment of a new AKS cluster. You cannot configure single sign-on for an AKS cluster that is already deployed.

Important

If you reconfigured Azure AD for user authentication using the updated URI, clear your browser's cache to ensure the updated authentication token is downloaded and applied.

View live logs and events

You can view real-time log events as they are generated by the container engine from the Nodes, Controllers, and Containers view. From the properties pane, select the View live data (preview) option. A pane is presented below the performance data table, where you can view logs and events in a continuous stream.

Node properties pane, View live logs option

Log and event messages are limited based on what resource type is selected in the view.

| View | Resource type | Log or event | Data presented |
|---|---|---|---|
| Nodes | Node | Event | When a node is selected, events are not filtered and show cluster-wide Kubernetes events. The pane title shows the name of the cluster. |
| Nodes | Pod | Event | When a pod is selected, events are filtered to its namespace. The pane title shows the namespace of the pod. |
| Controllers | Pod | Event | When a pod is selected, events are filtered to its namespace. The pane title shows the namespace of the pod. |
| Controllers | Controller | Event | When a controller is selected, events are filtered to its namespace. The pane title shows the namespace of the controller. |
| Nodes/Controllers/Containers | Container | Logs | The pane title shows the name of the pod the container is grouped with. |

If the AKS cluster is configured with SSO using AAD, you are prompted to authenticate on first use during that browser session. Select your account and complete authentication with Azure.

After successfully authenticating, the live log pane appears in the bottom section of the middle pane. If the fetch status indicator on the far right of the pane shows a green check mark, the pane can retrieve data.

Live logs pane, data retrieved

In the search bar, you can filter by keyword to highlight that text in the log or event. The far right of the search bar shows how many results match the filter.

Live logs pane, filter example

While viewing events, you can additionally limit the results using the Filter pill found to the right of the search bar. Depending on what resource you have selected, the pill lists a pod, namespace, or cluster to choose from.

To suspend autoscroll, control the behavior of the pane, and manually scroll through the new data read, click the Scroll option. To re-enable autoscroll, click the Scroll option again. You can also pause retrieval of log or event data by clicking the Pause option; when you are ready to resume, click Play.

Live logs pane, paused live view

You can go to Azure Monitor Logs to see historical container logs by selecting View container logs from the drop-down list View in analytics.

Next steps