|
| 1 | +--- |
| 2 | +title: Stream Azure Spring Apps job logs in real time |
| 3 | +description: Learn how to use log streaming to view job logs in real time. |
| 4 | +author: KarlErickson |
| 5 | +ms.author: jiec |
| 6 | +ms.service: spring-apps |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 05/29/2024 |
| 9 | +ms.custom: devx-track-java, devx-track-extended-java, devx-track-azurecli |
| 10 | +--- |
| 11 | + |
| 12 | +# Stream Azure Spring Apps job logs in real time (Preview) |
| 13 | + |
| 14 | +> [!NOTE] |
| 15 | +> Azure Spring Apps is the new name for the Azure Spring Cloud service. Although the service has a new name, you'll see the old name in some places for a while as we work to update assets such as screenshots, videos, and diagrams. |
| 16 | +
|
| 17 | +**This article applies to:** ❌ Basic/Standard ✔️ Enterprise |
| 18 | + |
| 19 | +This article describes how to use the Azure CLI to get real-time logs of jobs for troubleshooting. You can also use diagnostics settings to analyze diagnostics data in Azure Spring Apps. For more information, see [Analyze logs and metrics with diagnostics settings](./diagnostic-services.md). For more information on streaming logs, see [Stream Azure Spring Apps application console logs in real time](./how-to-log-streaming.md) and [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md). |
| 20 | + |
| 21 | +## Prerequisites |
| 22 | + |
| 23 | +- [Azure CLI](/cli/azure/install-azure-cli) with the Azure Spring Apps extension, version 1.24.0 or higher. You can install the extension by using the following command: `az extension add --name spring`. |
| 24 | + |
| 25 | +## Assign an Azure role |
| 26 | + |
| 27 | +To stream logs of jobs, you must have the relevant Azure roles assigned to you. The following table lists the required role and the operations for which this role is granted permission: |
| 28 | + |
| 29 | +| Required role | Operations | |
| 30 | +|---------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------| |
| 31 | +| Azure Spring Apps Job Log Reader Role | `Microsoft.AppPlatform/Spring/jobs/executions/logstream/action` <br/> `Microsoft.AppPlatform/Spring/jobs/executions/listInstances/action` | |
| 32 | + |
| 33 | +### [Azure portal](#tab/azure-Portal) |
| 34 | + |
| 35 | +Use the following steps to assign an Azure role using the Azure portal: |
| 36 | + |
| 37 | +1. Open the [Azure portal](https://portal.azure.com). |
| 38 | + |
| 39 | +1. Open your Azure Spring Apps service instance. |
| 40 | + |
| 41 | +1. In the navigation pane, select **Access Control (IAM)**. |
| 42 | + |
| 43 | +1. On the **Access Control (IAM)** page, select **Add**, and then select **Add role assignment**. |
| 44 | + |
| 45 | + :::image type="content" source="media/how-to-job-log-streaming/add-role-assignment.png" alt-text="Screenshot of the Azure portal that shows the Access Control (IAM) page with the Add role assignment option highlighted." lightbox="media/how-to-job-log-streaming/add-role-assignment.png"::: |
| 46 | + |
| 47 | +1. On the **Add role assignment** page, in the **Name** list, search for and select the target role, and then select **Next**. |
| 48 | + |
| 49 | + :::image type="content" source="media/how-to-job-log-streaming/job-log-reader-role.png" alt-text="Screenshot of the Azure portal that shows the Add role assignment page with the Azure Spring Apps Job Log Reader Role name highlighted." lightbox="media/how-to-job-log-streaming/job-log-reader-role.png"::: |
| 50 | + |
| 51 | +1. Select **Members** and then search for and select your username. |
| 52 | + |
| 53 | +1. Select **Review + assign**. |
| 54 | + |
| 55 | +### [Azure CLI](#tab/azure-CLI) |
| 56 | + |
| 57 | +Use the following command to assign an Azure role: |
| 58 | + |
| 59 | + ```azurecli |
| 60 | + az role assignment create \ |
| 61 | + --role "<Log-reader-role-for-job>" \ |
| 62 | + --scope "<service-instance-resource-id>" \ |
| 63 | + --assignee "<your-identity>" |
| 64 | + ``` |
| 65 | + |
| 66 | +--- |
| 67 | + |
| 68 | +## List all instances in a job execution |
| 69 | + |
| 70 | +Every time a job is triggered, a new job execution is created. Also, depending on the parallelism setting for your job, several replicas or instances execute in parallel. |
| 71 | + |
| 72 | +Use the following command to list all instances in a job execution: |
| 73 | + |
| 74 | +```azurecli |
| 75 | +az spring job execution instance list \ |
| 76 | + --resource-group <resource-group-name> \ |
| 77 | + --service <Azure-Spring-Apps-instance-name> \ |
| 78 | + --job <job-name> \ |
| 79 | + --execution <job-execution-name> |
| 80 | +``` |
| 81 | + |
| 82 | +## View tail logs |
| 83 | + |
| 84 | +This section provides examples of using the Azure CLI to produce tail logs. |
| 85 | + |
| 86 | +### View tail logs for a specific instance |
| 87 | + |
| 88 | +To view the tail logs for a specific instance, use the `az spring job logs` command with the `-i/--instance` argument, as shown in the following example: |
| 89 | + |
| 90 | +```azurecli |
| 91 | +az spring job logs \ |
| 92 | + --resource-group <resource-group-name> \ |
| 93 | + --service <Azure-Spring-Apps-instance-name> \ |
| 94 | + --name <job-name> \ |
| 95 | + --execution <job-execution-name> \ |
| 96 | + --instance <instance-name> |
| 97 | +``` |
| 98 | + |
| 99 | +### View tail logs for all instances in one command |
| 100 | + |
| 101 | +To view the tail logs for all instances, use the `--all-instances` argument, as shown in the following example. The instance name is the prefix of each log line. When there are multiple instances, logs are printed in batch for each instance. This way logs of one instance aren't interleaved with the logs of another instance. |
| 102 | + |
| 103 | +```azurecli |
| 104 | +az spring job logs \ |
| 105 | + --resource-group <resource-group-name> \ |
| 106 | + --service <Azure-Spring-Apps-instance-name> \ |
| 107 | + --name <job-name> \ |
| 108 | + --execution <job-execution-name> \ |
| 109 | + --all-instances |
| 110 | +``` |
| 111 | + |
| 112 | +## Stream new logs continuously |
| 113 | + |
| 114 | +By default, `az spring job logs` prints only existing logs streamed to the console and then exits. If you want to stream new logs, add the `-f/--follow` argument. |
| 115 | + |
| 116 | +When you use the `-f/--follow` option to tail instant logs, the Azure Spring Apps log streaming service sends heartbeat logs to the client every minute unless the job is writing logs constantly. Heartbeat log messages use the following format: `2023-12-18 09:12:17.745: No log from server`. |
| 117 | + |
| 118 | +### Stream logs for a specific instance |
| 119 | + |
| 120 | +Use the following command to stream logs for a specific instance: |
| 121 | + |
| 122 | +```azurecli |
| 123 | +az spring job logs \ |
| 124 | + --resource-group <resource-group-name> \ |
| 125 | + --service <Azure-Spring-Apps-instance-name> \ |
| 126 | + --name <job-name> \ |
| 127 | + --execution <job-execution-name> \ |
| 128 | + --instance <instance-name> \ |
| 129 | + --follow |
| 130 | +``` |
| 131 | + |
| 132 | +### Stream logs for all instances |
| 133 | + |
| 134 | +Use the following command to stream logs for all instances: |
| 135 | + |
| 136 | +```azurecli |
| 137 | +az spring job logs \ |
| 138 | + --resource-group <resource-group-name> \ |
| 139 | + --service <Azure-Spring-Apps-instance-name> \ |
| 140 | + --name <job-name> \ |
| 141 | + --execution <job-execution-name> \ |
| 142 | + --all-instances \ |
| 143 | + --follow |
| 144 | +``` |
| 145 | + |
| 146 | +When you stream logs for multiple instances in a job execution, the logs of one instance interleave with the logs of others. |
| 147 | + |
| 148 | +## Stream logs in a virtual network injection instance |
| 149 | + |
| 150 | +For an Azure Spring Apps instance deployed in a custom virtual network, you can access log streaming by default from a private network. For more information, see [Deploy Azure Spring Apps in a virtual network](./how-to-deploy-in-azure-virtual-network.md) |
| 151 | + |
| 152 | +Azure Spring Apps also enables you to access real-time job logs from a public network. |
| 153 | + |
| 154 | +> [!NOTE] |
| 155 | +> Enabling the log streaming endpoint on the public network adds a public inbound IP to your virtual network. Be sure to use caution if this is a concern for you. |
| 156 | +
|
| 157 | +### [Azure portal](#tab/azure-Portal) |
| 158 | + |
| 159 | +Use the following steps to enable a log streaming endpoint on the public network: |
| 160 | + |
| 161 | +1. Select the Azure Spring Apps service instance deployed in your virtual network and then select **Networking** in the navigation menu. |
| 162 | + |
| 163 | +1. Select the **Vnet injection** tab. |
| 164 | + |
| 165 | +1. Switch the status of **Dataplane resources on public network** to **Enable** to enable a log streaming endpoint on the public network. This process takes a few minutes. |
| 166 | + |
| 167 | + :::image type="content" source="media/how-to-job-log-streaming/dataplane-public-endpoint.png" alt-text="Screenshot of the Azure portal that shows the Networking page with the Vnet injection tab selected and the Troubleshooting section highlighted." lightbox="media/how-to-job-log-streaming/dataplane-public-endpoint.png"::: |
| 168 | + |
| 169 | +### [Azure CLI](#tab/azure-CLI) |
| 170 | + |
| 171 | +Use the following command to enable the log stream public endpoint: |
| 172 | + |
| 173 | +```azurecli |
| 174 | +az spring update \ |
| 175 | + --resource-group <resource-group-name> \ |
| 176 | + --service <service-instance-name> \ |
| 177 | + --enable-dataplane-public-endpoint true |
| 178 | +``` |
| 179 | + |
| 180 | +--- |
| 181 | + |
| 182 | +After you enable the log stream public endpoint, you can access the job logs from a public network just like you would access a normal instance. |
| 183 | + |
| 184 | +## Secure traffic to the log streaming public endpoint |
| 185 | + |
| 186 | +Log streaming for jobs uses Azure RBAC to authenticate the connections to the jobs. As a result, only users who have the proper roles can access the logs. |
| 187 | + |
| 188 | +To ensure the security of your jobs when you expose a public endpoint for them, secure the endpoint by filtering network traffic to your service with a network security group. For more information, see [Tutorial: Filter network traffic with a network security group using the Azure portal](../../virtual-network/tutorial-filter-network-traffic.md). A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. |
| 189 | + |
| 190 | +> [!NOTE] |
| 191 | +> If you can't access job logs in the virtual network injection instance from the internet after you enable a log stream public endpoint, check your network security group to see whether you've allowed such inbound traffic. |
| 192 | +
|
| 193 | +The following table shows an example of a basic rule that we recommend. You can use commands like `nslookup` with the endpoint `<service-name>.private.azuremicroservices.io` to get the target IP address of a service. |
| 194 | + |
| 195 | +| Priority | Name | Port | Protocol | Source | Destination | Action | |
| 196 | +|----------|-----------|------|----------|----------|--------------------|--------| |
| 197 | +| 100 | Rule name | 80 | TCP | Internet | Service IP address | Allow | |
| 198 | +| 110 | Rule name | 443 | TCP | Internet | Service IP address | Allow | |
| 199 | + |
| 200 | +## Next steps |
| 201 | + |
| 202 | +- [Troubleshoot VMware Spring Cloud Gateway](./how-to-troubleshoot-enterprise-spring-cloud-gateway.md) |
| 203 | +- [Use Application Configuration Service](./how-to-enterprise-application-configuration-service.md) |
| 204 | +- [Stream Azure Spring Apps application console logs in real time](./how-to-log-streaming.md) |
| 205 | +- [Stream Azure Spring Apps managed component logs in real time](./how-to-managed-component-log-streaming.md) |
0 commit comments