Skip to main content
Collect and convert logs from different sources to OpenTelemetry’s structured log format. The OpenTelemetry Collector can collect logs from many different sources in common or custom formats. You can use a Collector as a logging agent, often as a drop-in replacement for other logging agents. This lets you process your logs, traces, and metrics in one place.

Use a Receiver to Collect Logs

The OpenTelemetry Collector supports a large number of receivers that can be used to collect logs from a variety of sources.

Setup

  1. Make sure you’re using the Collector Contrib distribution of the OpenTelemetry Collector, which contains contributions that are not part of the core repository and core distribution of the OpenTelemetry Collector.
  2. Prepare your collector configuration file by adding the following boilerplate:
    If you are sending OTLP logs from a service with a service.name defined, then the dataset for those logs will be the name of the service, and the x-honeycomb-dataset header will not be used.

Collect any Log with the Filelog Receiver

The Filelog Receiver supports reading and parsing any arbitrary log written to a file on a server. The Filelog Receiver is the most flexible receiver, but depending on the shape of your logs, it may require additional configuration to parse your logs correctly. For example, here is a configuration that reads an NGINX access log and parses it into a structured log:
Here’s a configuration that reads a JSON log:

Logs with Mixed Formats

Sometimes, logs have a mix of structured and unstructured information, such as an info log with JSON inside. To parse these, you need to parse each piece of the log into a specific element, and also know how to handle the structured information. For example, let’s say you have a log at /var/log/name-service/0.log that mixes text and JSON:
You can use a filelogreceiver configuration to do the following:
  1. Read the log from /var/log/name-service/*.log.
  2. Parse the full text of the log into a timestamp, severity, file name, message, and “details”.
  3. Parse the “details” text using a JSON parser, where each key in the JSON object is turned into an attribute for the log.
  4. Parse the service name from the file path.
  5. Sets the service.name resource with the parsed service name.
The following filelogreceiver configuration completes the required tasks:
The configuration produces a structured log that, when exported to Honeycomb, contains the following fields:
Use the Explore Data tab in Query Results to view the structured log in Honeycomb.

Log Sources

You can configure many different receivers to collect logs from a specific source.

AWS Cloudwatch

The AWS Cloudwatch Receiver supports autodiscovery of log groups and log streams in AWS Cloudwatch, with optional filtering of those sources. For example, here is a configuration that autodiscovers only EKS logs from us-west-1:

Azure Blob

The Azure Blob Receiver reads logs and trace data from Azure Blob Storage. For example, here is a configuration that reads logs from a specific container in Azure Blob Storage:

Azure Event Hub

The Azure Event Hub Receiver pulls logs from an Azure Event Hub and transforms them. For example, here is a configuration that reads logs from a specific parition and group, then structures them a structured JSON log:

Cloudflare

The Cloudflare Receiver accepts logs from CloudFlare’s LogPush Jobs. For example, here is a configuration that reads logs from a specific LogPush Job:

Fluent Forward

The Fluent Forward Receiver runs a TCP server that accepts logs via the Fluent Forward protocol, which enables collecting logs from Fluentbit and Fluentd. For example, here is a configuration that reads all logs on port 8006:

Google Pubsub

The Google Pubsub Receiver reads logs from a Google Pubsub subscription. For example, here is a configuration that reads raw text logs and wraps them into an OpenTelemetry Log:

Journald

The Journald Receiver parses Journald events from the systemd. For example, here is a configuration that reads all logs from Journald from some specific units:

Kafka

The Kafka Receiver reads logs, metrics, and traces from Kafka. For example, here is a configuration that reads all Kafka data:

Kubernetes

The OpenTelemetry Collector has several receivers that can be used to collect logs from Kubernetes. To learn more, visit Kubernetes Log Collection and Kubernetes Event Collection.

Loki

The Loki Receiver allows Promtail instances to send logs to the OpenTelemetry Collector. For example, here is a configuration that reads all logs from an endpoint:

MongoDB Atlas

The MongoDB Atlas Receiver reads logs from MongoDB Atlas. For example, here is a configuration that reads all logs from a specific project:

OTLPJson File

The OTLPJson File Receiver reads any existing OTLP Logs, Metrics, or Traces from a file on a server. For example, here is a configuration that reads from a specific directory and excludes a specific file:

Apache Pulsar

The Pulsar Receiver collects logs, metrics, and traces from Apache Pulsar. For example, here is a configuration that reads data from a Pulsar cluster:

SignalFx

The SignalFx Receiver reads logs from a SignalFx endpoint. For example, here is a configuration that reads data from a SignalFx endpoint:

Splunk HEC

The Splunk HEC Receiver accepts events in the Splunk HEC format. For example, here is a configuration that reads JSON HEC events and raw log data:

Syslog

The Syslog Receiver parses Syslogs received over UDP or TCP. For example, here is a configuration that reads Syslogs from TCP:

TCP

The TCP Receiver receives logs over TCP. For example, here is a configuration that reads logs from TCP over a particular address:

UDP

The UDP Receiver receives logs over UDP. For example, here is a configuration that reads logs from UDP over a particular address:

Webhook Event

The Webhook Event Receiver allows for any webhook-style data source to send logs to the OpenTelemetry Collector. For example, here is a configuration that reads logs from a webhook:

Windows Log Event

The Windows Log Event Receiver tails and parses logs from the Windows event log API. For example, here is a configuration that reads logs from a named channel: