Set up the Dynatrace GCP log integration in a Kubernetes container (GKE)

Dynatrace version 1.230+

As an alternative to the main deployment, that provides Google Cloud Platform monitoring for both metrics and logs, you can choose to set up monitoring for logs only. In this scenario, you'll run the deployment script in Google Cloud Shell. Instructions will depend on the location where you want the deployment script to run:

On a new GKE Autopilot cluster created automatically recommended
On an existing GKE standard or GKE Autopilot cluster

During setup, a new Pub/Sub subscription will be created. GKE will run a log forwarder container. After installation, you'll get logs, dashboards, and alerts for your configured services in Dynatrace.

For other deployment options, see Alternative deployment scenarios.

This page describes how to install version 1.0 of the GCP integration on a GKE cluster.

If you already have an earlier version installed, you need to migrate.

Limitations

Dynatrace GCP log integration supports a maximum of 2 GB of data processing per hour. With bigger loads, messages will start to be retained in the PubSub Subscription. To measure latency, look for these metrics: Oldest unacked message age and Unacked messages. For scaling recommendations, see the scaling guide below.

Prerequisites

To deploy the integration, you need to make sure the following requirements are met on the machine where you are running the installation.

Linux OS only
Internet access
GKE Cluster access
Dynatrace environment access

You need to configure the Dynatrace endpoint (environment, cluster or ActiveGate URL) to which the GKE autopilot cluster should send metrics and logs. Make sure that you have direct network access or, if there is a proxy or any other component present in between, that communication is not affected.

Tools

You can deploy the Dynatrace GCP integration in Google Cloud Shell or in bash.

If you use bash, you need to install:

GCP permissions

Running the deployment script requires a list of permissions. You need to create a custom role (see below) and use it to deploy dynatrace-gcp-monitor.

Create a YAML file named dynatrace-gcp-monitor-helm-deployment-role.yaml with the following content:

1title: Dynatrace GCP Monitor helm deployment role
2description: Role for Dynatrace GCP Monitor helm and pubsub deployment
3stage: GA
4includedPermissions:
5  - container.clusters.get
6  - container.configMaps.create
7  - container.configMaps.delete
8  - container.configMaps.get
9  - container.configMaps.update
10  - container.deployments.create
11  - container.deployments.delete
12  - container.deployments.get
13  - container.deployments.update
14  - container.namespaces.create
15  - container.namespaces.get
16  - container.pods.get
17  - container.pods.list
18  - container.secrets.create
19  - container.secrets.delete
20  - container.secrets.get
21  - container.secrets.list
22  - container.secrets.update
23  - container.serviceAccounts.create
24  - container.serviceAccounts.delete
25  - container.serviceAccounts.get
26  - iam.roles.create
27  - iam.roles.list
28  - iam.roles.update
29  - iam.serviceAccounts.actAs
30  - iam.serviceAccounts.create
31  - iam.serviceAccounts.getIamPolicy
32  - iam.serviceAccounts.list
33  - iam.serviceAccounts.setIamPolicy
34  - pubsub.subscriptions.create
35  - pubsub.subscriptions.get
36  - pubsub.subscriptions.list
37  - pubsub.topics.attachSubscription
38  - pubsub.topics.create
39  - pubsub.topics.getIamPolicy
40  - pubsub.topics.list
41  - pubsub.topics.setIamPolicy
42  - pubsub.topics.update
43  - resourcemanager.projects.get
44  - resourcemanager.projects.getIamPolicy
45  - resourcemanager.projects.setIamPolicy
46  - serviceusage.services.enable
47  - serviceusage.services.get
48  - serviceusage.services.list

Each group of permissions is used to handle the different resources included in the integration. Creation and access are for new resources, update is for reusing existing resources, and deletion is for uninstalling.

container.configMaps: for mapping secrets and other variables used by the containers.
container.deployments: for the K8s' deployment within the cluster (which includes the pods, containers, etc.).
container.namespaces: for the K8s namespace in which we are deploying the resources.
container.pods: for the K8s pods.
container.secrets: for the K8s secrets in which to store the data-sensitive variables.
container.serviceAccounts: for the SA to be taken in the K8s context.
iam.roles: for the necessary permissions for data collection.
iam.serviceAccounts: for the general context SA.
resourcemanager.projects: for handling the project in which we are deploying our integration.
serviceusage.services: for handling the services' APIs.
pubsub.subscriptions: for the PubSub subscription we are using to collect and ingest logs.
pubsub.topics: for the PubSub topic we are using to collect and ingest logs.

Run the command below, replacing <your_project_ID> with the project ID where you want to deploy the Dynatrace integration.

1gcloud iam roles create dynatrace_monitor.helm_deployment --project=<your_project_ID> --file=dynatrace-gcp-monitor-helm-deployment-role.yaml

Be sure to add this role to your GCP user. For details, see Grant or revoke a single role.

Configure log export

Run the following shell script in the GCP project you've selected for deployment.

Be sure to replace <your-subscription-name> and <your-topic-name> with your own values.

1wget https://raw.githubusercontent.com/dynatrace-oss/dynatrace-gcp-monitor/master/scripts/deploy-pubsub.sh
2chmod +x deploy-pubsub.sh
3./deploy-pubsub.sh --topic-name <your-topic-name> --subscription-name <your-subscription-name>

Configure log export to send the desired logs to the GCP Pub/Sub topic created above.

Dynatrace permissions

Create an API token and enable the following permission: Ingest logs (API v2).

Log ingestion

If you are using Log Monitoring v1, enable the latest version of Dynatrace log monitoring.
Determine where log ingestion will be performed, according to your deployment. This distinction is important when configuring the parameters for this integration.
- For SaaS deployments: SaaS log ingest, where log ingestion is performed directly through the Cluster API. recommended
- For Managed deployments: You can use an existing ActiveGate for log ingestion. For information on how to deploy it, see ActiveGate installation.

Because of GCP's implementation of Cloud Function 2nd gen, logs from those resources will be linked to the underlying Cloud Run instances. Both extensions will have to be enabled.

To learn more, visit Google Cloud Functions version comparison.

Install

Complete the steps below to finish your setup.

ownload the Helm deployment package in Google Cloud Shell

Configure parameter values

Connect your Kubernetes cluster

Run the deployment script

Download the Helm deployment package in Google Cloud Shell

1wget -q "https://github.com/dynatrace-oss/dynatrace-gcp-monitor/releases/latest/download/helm-deployment-package.tar"; tar -xvf helm-deployment-package.tar; chmod +x helm-deployment-package/deploy-helm.sh

Configure parameter values

The Helm deployment package contains a values.yaml file with the necessary configuration for this deployment. Go to helm-deployment-package/dynatrace-gcp-monitorand edit the values.yaml file, setting the required and optional parameter values as follows.

You might want to store this file somewhere for future updates, since it will be needed in case of redeployments. Also, keep in mind that its schema can change. In such case, you should use the new file and only copy over the parameter values.

Parameter name	Description	Default value
`gcpProjectId`	required The ID of the GCP project you've selected for deployment.	Your current project ID
`deploymentType`	required Set to 'logs'.	`all`
`dynatraceAccessKey`	required Your Dynatrace API token with the required permissions.
`dynatraceUrl`	required For SaaS log ingestion, it's your environment URL (`https://<your-environment-id>.live.dynatrace.com`). For Managed log ingestion, it's your cluster URL (`https:/<your_cluster_IP_or_hostname>/e/<your_environment_ID>`). For Managed log ingestion with an existing ActiveGate, it's the URL of your ActiveGate (`https://<your_activegate_IP_or_hostname>:9999/e/<your_environment_ID>`). Note: To determine `<your-environment-id>`, see environment ID.
`logsSubscriptionId`	required The ID of your log Sink Pub/Sub subscription. For details, see Configure log export.
`requireValidCertificate`	optional If set to `true`, Dynatrace requires the SSL certificate of your Dynatrace environment. For SaaS log ingestion, we recommend leaving the default value. For Managed log ingestion with a new ActiveGate, we recommend setting this value to `false`.	`true`
`selfMonitoringEnabled`	optional Send custom metrics to GCP to quickly diagnose if `dynatrace-gcp-monitor` processes and sends logs to Dynatrace properly. For details, see Self-monitoring metrics for the Dynatrace GCP integration.	`false`
`serviceAccount`	optional Name of the service account to be created.
`dockerImage`	optionalDynatrace GCP Monitor Docker image. We recommend using the default value, but you can adapt it if needed.	`dynatrace/dynatrace-gcp-monitor:v1-latest`
`logIngestContentMaxLength`	optional The maximum content length of a log event. Should be the same as or lower than the setting on your Dynatrace environment.	`8192`
`logIngestAttributeValueMaxLength`	optional The maximum length of the log event attribute value. If it exceeds the server limit, content will be truncated.	`250`
`logIngestRequestMaxEvents`	optional The maximum number of log events in a single payload to the logs ingestion endpoint. If it exceeds the server limit, payload will be rejected with code `413`.	`5000`
`logIngestRequestMaxSize`	optional The maximum size in bytes of a single payload to the logs ingestion endpoint. If it exceeds the server limit, payload will be rejected with code `413`.	`1048576`
`logIngestEventMaxAgeSeconds`	optional Determines the maximum age of a forwarded log event. Should be the same as or lower than the setting on your Dynatrace environment.	`86400`

Choose which services you want Dynatrace to monitor.

By default, the Dynatrace GCP integration starts monitoring a set of selected services. Go to Google Cloud Platform supported service metrics for a list of supported services.

For DDU consumptiom information, see Monitoring consumption.

Connect your Kubernetes cluster

If you want to have a new GKE Autopilot cluster created by the deployment script, add --create-autopilot-cluster to the script. Setting up the connection to the cluster will happen automatically in this case and you can proceed to step 4.
If you run the deployment script on an existing standard GKE or GKE Autopilot cluster, you can connect to your cluster from the GCP console or via terminal. Follow the instructions below.

In your GCP console, go to your Kubernetes Engine.
Select Clusters, and then select Connect.
Select Run in Cloud Shell.

Run the deployment script

If you run the deployment script on an existing standard GKE or GKE Autopilot cluster, the deployment script will create an IAM service account with the necessary roles and deploy dynatrace-gcp-monitor to your Kubernetes cluster.
If you run the deployment script with the --create-autopilot-cluster option, the deployment script will automatically create the new GKE Autopilot cluster and deploy dynatrace-gcp-monitor to it.

To run the deployment script, follow the instructions below.

The latest versions of GCP extensions will be uploaded. You have two options:

Run the deployment script without parameters if you want to use the default values provided (dynatrace-gcp-monitor-sa for the IAM service account name and dynatrace_monitor for the IAM role name prefix):

1cd helm-deployment-package
2./deploy-helm.sh

Run the deployment script with parameters if you want to set your own values (be sure to replace the placeholders with your desired values):

1cd helm-deployment-package
2./deploy-helm.sh [--role-name <role-to-be-created/updated>]

To keep the existing versions of present extensions and install the latest versions for the rest of the selected extensions, if they are not present, run the command below instead.

1cd helm-deployment-package
2./deploy-helm.sh --without-extensions-upgrade

Verify installation

To check whether installation was successful

Check if the container is running.

After the installation, it may take couple of minutes until the container is up and running.
```
1kubectl -n dynatrace get pods
```
Check the container logs for errors or exceptions. You have two options:

Run the following command.

1kubectl -n dynatrace logs -l app=dynatrace-gcp-monitor -c dynatrace-gcp-monitor-logs

Check if dashboards are imported.

In the Dynatrace menu, go to Dashboards and filter by Tag for Google Cloud. A number of dashboards for Google Cloud Services should be available.

Enable alerting

To activate alerting, you need to enable metric events for alerting in Dynatrace.

To enable metric events

In the Dynatrace menu, go to Settings.
In Anomaly detection, select Metric events.
Filter for GCP alerts and turn on On/Off for the alerts you want to activate.

View logs

After deploying the integration, you can view and analyze GCP logs in the Dynatrace menu, if you go to Logs and filter by cloud.provider: gcp.

Change deployment settings

Change parameters from `values.yaml`

To load a new values.yaml file, you need to upgrade your Helm release.

To update your Helm release

Find out what Helm release version you're using.
```
1helm ls -n dynatrace
```
Run the command below, making sure to replace <your-helm-release> with the value from the previous step.
```
1helm upgrade <your-helm-release> dynatrace-gcp-monitor -n dynatrace
```

For details, see Helm upgrade.

Change deployment type

To change the deployment type (all, metrics, or logs)

Find out what Helm release version you're using.
```
1helm ls -n dynatrace
```
Uninstall the release.

Be sure to replace <your-helm-release> with the release name from the previous output.
```
1helm uninstall <your-helm-release> -n dynatrace
```
Edit deploymentType in values.yaml with the new value and save the file.
Run the deployment command again. For details, see Run the deployment script.

Troubleshoot

To investigate potential deployment and connectivity issues

Verify installation
Enable self-monitoring optional
Check the dynatrace_gcp_<date_time>.log log file created during the installation process.

This file will be created each time the installation script runs.
The debug information won't contain sensitive data such as the Dynatrace access key.
If you are contacting a Dynatrace product expert via live chat:
- Make sure to provide the dynatrace_gcp_<date_time>.log log file described in the previous step.
- Provide version information.
  - For issues during installation, check the version.txt file.
  - For issues during runtime, check container logs.

Scaling guide for logs

If the load is at the limit of 2 GB of data per hour or it presents spikes in consumption, providing more vCPU to the logs container is a short-term solution. Increasing it up to 1 vCPU can help to handle 50% more logs (up to 3 GB of data per hour) without reducing the throughput from the PubSub Subscription, but it won't be stable.

Currently, the only way to scale is horizontally: deploy separate integrations in a separate cluster's namespaces. To distribute the logs' load, divide the PubSub Topic, Subscription, and Log Router accordingly.

Uninstall

Find out what Helm release version you're using.

1helm ls -n dynatrace

Uninstall the release.

Be sure to replace <your-helm-release> with the release name from the previous output.

1helm uninstall <your-helm-release> -n dynatrace

Alternatively, you can delete the namespace.

1kubectl delete namespace dynatrace

To remove all monitoring assets (dashboards, alerts, etc) from Dynatrace, you need to remove all GCP extensions.

To remove an extension

In the Dynatrace menu, go to Extensions and search for the GCP extensions.
Select an extension you want to remove, and then select the trash icon in the Actions column to remove it.

Repeat the procedure until you remove all GCP extensions.

Make sure to uninstall the following resources manually:

The initial Role created and attached to the Service Account that you used to deploy the integration.
The PubSub Topic.
The PubSub Subscription.
The LogRoute Sink.

Monitoring consumption

DDU consumption applies to cloud Log Monitoring. See DDUs for Log Monitoring for details.