Manage Serverless Agent Logs

Even if the Sysdig workload agent runs in the same container as the workload it instruments, their log streams are handled separately.
  • Workload logs remain with whatever log setup you have on your task container.
  • Instrumentation logs, namely the logs coming from the workload agent, go to a separate log group created by the serverless instrumentation stack:


Currently, the log group name for instrumentation cannot be edited.

Instrumentation logs can be configured through the environment variables described below.

Set global log level

The environment variable SYSDIG_LOGGING sets the global instrumentation log level. It defaults to info.

Available options are: silent | fatal | critical | error | warning | info | debug | trace.

Logger fine-tuning

As of serverless agent version 4.0.0, the workload agent can be fine-tuned as described in Manage Agent Log Levels to avoid excessive logging from certain components, or to enable extra logging from specific components for troubleshooting.

You can fine-tune the logger of the workload agent through the environment variable SYSDIG_EXTRA_CONF.

For example, the configuration string that follows sets the global log level to info and the log level of the security_mgr component to warning.

SYSDIG_EXTRA_CONF="log: {  console_priority: info,  console_priority_by_component:   [ 'security_mgr: warning' ] }"

Log Forwarding

By default, the instrumentation logs are wrapped in JSON ojects and then forwarded to the <stack_name>-SysdigLogGroup-<uid> log group.

Log forwarding can be configured through the environment variables described below.

Environment VariableDefaultDescription
SYSDIG_ENABLE_LOG_FORWARDtrueEnables/disables the log forwarding. Set to false to disable the log forwarding.
SYSDIG_LOG_FORWARD_FORMATjsonDefines the format of the instrumentation log events. Set to text to get logs in plaintext.

For example, by disabling the log forwarding through the following configuration string, the workload agent logs will be stored along with the workload logs.


Note that when log forwarding is disabled, the log forwards format switches to text automatically.

Instead, to switch the forwarded instrumentation logs from JSON to text format, use the following configuration string:


You can also configure the log workload agent to forward logs to a different TCP endpoint through the environment variables below.

Environment VariableDefaultDescription
SYSDIG_LOG_LISTEN_PORT32000The port of the log listener.
SYSDIG_LOG_FORWARD_ADDRlocalhost:32000The TCP endpoint the logwriter of the workload agent listens.
SYSDIG_BUFFER_SIZE1024The size in bytes of the rx buffer of the TCP listener. Default 1024.
SYSDIG_DEADLINE_SECONDS3Connection deadline. You can increase it, if clients take longer to connect.