Huawei Cloud CCE Log Analyzer

Overview

Query and analyze Kubernetes Pod stdout logs, CCE LogConfig-collected application logs, and Huawei Cloud LTS log streams for CCE workloads.

Architecture: scripts/huawei-cloud.py dispatcher → cce.py (Pod stdout) / cce_app_logs.py (LogConfig discovery & app log stream matching) / lts.py (LTS group/stream/query) → K8s API / CCE OpenAPI / LTS API

Related Skills:

• huawei-cloud-cce-pod-failure-diagnoser - Pod startup, scheduling, crash-loop diagnosis
• huawei-cloud-cce-workload-failure-diagnoser - Deployment/StatefulSet rollout issues
• huawei-cloud-cce-node-failure-diagnoser - Node NotReady, disk pressure, network issues
• huawei-cloud-cce-kubernetes-event-analyzer - Kubernetes Warning events and patterns

Capabilities:

• Query Kubernetes Pod stdout/stderr and previous container logs
• List, create, and delete CCE LogConfig collection rules
• Discover application LogConfig policies and map to LTS log groups/streams
• Query CCE Kubernetes audit logs for Pod deletion and workload change events
• Query application logs from LTS by time range, keywords, or recent hours
• Analyze application logs for abnormal keywords, HTTP errors, incident windows, recovery time, and abnormal ratios

Typical Use Cases:

• "Check my Pod logs for crash errors"
• "Find the LTS stream for my application"
• "Query recent application logs for ERROR keywords"
• "Analyze logs in the last hour for abnormalities"
• "Who deleted this Pod? Check audit logs"
• "Create a LogConfig to collect my workload stdout"
• "Remove this LogConfig collection rule"
• "Query container file logs from /var/log/*.log"

Prerequisites

1. Python Runtime

• Python 3.8+ installed
• Run python3 --version to verify

2. Huawei Cloud Credentials

• Valid Huawei Cloud credentials (AK/SK mode)
• Security Rules:
  • 🚫 Never expose AK/SK values in code, conversation, or output
  • 🚫 Never use echo $HUAWEI_CLOUD_AK or echo $HUAWEI_CLOUD_SK to check credentials
  • ✅ Use environment variables: HUAWEI_CLOUD_AK, HUAWEI_CLOUD_SK, HUAWEI_CLOUD_REGION
  • ✅ Prefer IAM users over root account for cloud operations

Configuration Method (Environment Variables):

export HUAWEI_CLOUD_AK=<your-ak>
export HUAWEI_CLOUD_SK=<your-sk>
export HUAWEI_CLOUD_REGION=cn-north-4

3. IAM Permission Requirements

API Action	Permission	Purpose
cce:cluster:get	Get cluster	View cluster details
cce:logConfig:list	List LogConfig	Query LogConfig collection rules
cce:logConfig:create	Create LogConfig	Create log collection rules
cce:logConfig:delete	Delete LogConfig	Remove log collection rules
lts:logs:list	List LTS logs	Query log streams and log records
lts:groups:list	List LTS groups	Query log group information

Security Constraints

Dangerous Operation Confirmation Mechanism

This skill enforces a preview-then-confirm mechanism for all mutating operations.

Operation	Risk Level	Description
huawei_create_cce_logconfig	🟡 Medium	Creates a LogConfig collection rule; preview by default, create with confirm=true
huawei_delete_cce_logconfig	🟠 High	Deletes a LogConfig collection rule; preview by default, delete with confirm=true

Process: Call without confirm=true → inspect preview output → user confirms → call with confirm=true

Credential & Data Security

• Never expose AK/SK, tokens, kubeconfig certificates, or full sensitive log payloads in summaries
• Redact tokens, passwords, cookies, authorization headers, and personally identifiable data from log output
• Prefer time-bounded queries — if no time range provided, use recent logs with small limits

Scope Boundaries

• This skill is read-only by default for log queries and LogConfig inspection
• Creating/deleting LogConfig is allowed only through the dedicated tools with confirm=true
• Do not modify workloads, LTS groups/streams, or other cloud resources
• If logs indicate failures, hand off to the relevant diagnosis skill with evidence, do not remediate here

Scenario Routing

User Intent	Tool(s)	Reference Document
Query Pod stdout/stderr logs	huawei_get_pod_logs	references/workflow.md
Query previous terminated container logs	huawei_get_pod_logs (previous=true)	references/workflow.md
List cluster LogConfig rules	huawei_get_cce_logconfigs	references/workflow.md
Create LogConfig for stdout/file collection	huawei_create_cce_logconfig	references/workflow.md
Delete a LogConfig rule	huawei_delete_cce_logconfig	references/workflow.md
Discover app LTS stream mapping	huawei_get_application_logconfigs	references/workflow.md
Query audit logs for Pod deletion	huawei_query_cce_audit_logs	references/workflow.md
Query audit logs for workload changes	huawei_query_cce_audit_logs	references/workflow.md
Query recent application logs	huawei_query_application_recent_logs	references/workflow.md
Query application logs in time window	huawei_query_application_logs	references/workflow.md
Analyze logs for abnormalities	huawei_analyze_application_logs	references/workflow.md
Risk constraints & guardrails	—	references/risk-rules.md
Output schema reference	—	references/output-schema.md

Core Commands

1. Kubernetes Pod Stdout Logs

# Query recent stdout from a Pod
python3 scripts/huawei-cloud.py huawei_get_pod_logs \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  namespace=default \
  pod_name=<pod-name> \
  tail_lines=200

# Query previous terminated container logs
python3 scripts/huawei-cloud.py huawei_get_pod_logs \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  namespace=default \
  pod_name=<pod-name> \
  container=<container-name> \
  previous=true \
  tail_lines=200

2. LogConfig Discovery & Management

# List all LogConfig resources in a cluster
python3 scripts/huawei-cloud.py huawei_get_cce_logconfigs \
  region=cn-north-4 \
  cluster_id=<cluster-id>

# Discover app LTS stream from LogConfig
python3 scripts/huawei-cloud.py huawei_get_application_logconfigs \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  namespace=default \
  app_name=<workload-name>

# Preview then create a workload stdout LogConfig
python3 scripts/huawei-cloud.py huawei_create_cce_logconfig \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  logconfig_name=<policy-name> \
  source_type=container_stdout \
  workload_namespace=default \
  workload_name=<workload-name> \
  workload_kind=Deployment \
  log_group_id=<lts-group-id> \
  log_stream_id=<lts-stream-id>
# Then call again with confirm=true after user confirms

# Preview then create a container file LogConfig
python3 scripts/huawei-cloud.py huawei_create_cce_logconfig \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  logconfig_name=<policy-name> \
  source_type=container_file \
  workload_namespace=default \
  workload_name=<workload-name> \
  workload_kind=Deployment \
  container=<container-name> \
  log_path=/var/log \
  file_pattern="*.log" \
  log_group_id=<lts-group-id> \
  log_stream_id=<lts-stream-id>
# Then call again with confirm=true after user confirms

# Preview then delete a LogConfig
python3 scripts/huawei-cloud.py huawei_delete_cce_logconfig \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  logconfig_name=<policy-name> \
  logconfig_namespace=kube-system
# Then call again with confirm=true after user confirms

3. CCE Audit Logs

# Query Pod deletion audit events
python3 scripts/huawei-cloud.py huawei_query_cce_audit_logs \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  audit_type=pod_delete \
  namespace=default \
  hours=6 \
  log_group_id=<audit-lts-group-id> \
  log_stream_id=<audit-lts-stream-id>

# Query workload change audit events
python3 scripts/huawei-cloud.py huawei_query_cce_audit_logs \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  audit_type=workload_change \
  namespace=default \
  start_time="2026-05-30 10:00:00" \
  end_time="2026-05-30 11:00:00"

4. Application Log Query & Analysis

# Query recent application logs from a specific LogConfig policy
python3 scripts/huawei-cloud.py huawei_query_application_recent_logs \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  namespace=default \
  app_name=<workload-name> \
  logconfig_name=<policy-name> \
  hours=1 \
  keywords=ERROR \
  auto_paginate=true \
  max_pages=5 \
  limit=100

# Analyze an application log window for abnormal logs
python3 scripts/huawei-cloud.py huawei_analyze_application_logs \
  region=cn-north-4 \
  cluster_id=<cluster-id> \
  namespace=default \
  app_name=<workload-name> \
  logconfig_name=<policy-name> \
  start_time="2026-05-30 10:00:00" \
  end_time="2026-05-30 11:00:00" \
  auto_paginate=true \
  max_pages=5 \
  limit=1000

Parameter Reference

Common Parameters

Parameter	Required	Description	Default
region	Yes	Huawei Cloud region ID	cn-north-4
cluster_id	Yes	CCE cluster ID	—
namespace	Most tools	Kubernetes namespace	default

Pod Log Parameters

Parameter	Tool	Required	Description	Constraints
pod_name	huawei_get_pod_logs	Yes	Pod name	Must reference existing Pod
container	huawei_get_pod_logs	No	Container name	Required for multi-container Pods
previous	huawei_get_pod_logs	No	Previous terminated container	true/false
tail_lines	huawei_get_pod_logs	No	Number of recent lines	Recommended 100-500

LogConfig Parameters

Parameter	Tool	Required	Description	Constraints
logconfig_name	create/delete	Yes	LogConfig policy name	Unique within namespace
source_type	create	Yes	Collection source type	container_stdout or container_file
workload_name	create	Yes	Target workload name	Must reference existing workload
workload_kind	create	Yes	Workload type	Deployment, StatefulSet, DaemonSet
workload_namespace	create	Yes	Workload namespace	—
container	create (file)	No	Container name	Required for container_file
log_path	create (file)	No	Log file directory path	Required when source_type=container_file
file_pattern	create (file)	No	File name pattern	e.g. *.log
log_group_id	create	Yes	LTS log group ID	Must reference existing LTS group
log_stream_id	create	Yes	LTS log stream ID	Must reference existing LTS stream
confirm	create/delete	No	Execute confirmation	Preview without it; true to execute
logconfig_namespace	delete	Yes	LogConfig namespace	—

Audit Log Parameters

Parameter	Tool	Required	Description	Constraints
audit_type	huawei_query_cce_audit_logs	No	Keyword preset	pod_delete or workload_change
hours	audit	No	Recent hours window	Used when no start_time/end_time
start_time	audit	No	Start time	YYYY-MM-DD HH:MM:SS format
end_time	audit	No	End time	YYYY-MM-DD HH:MM:SS format
log_group_id	audit	Recommended	Audit LTS group ID	Auto-discovered if omitted
log_stream_id	audit	Recommended	Audit LTS stream ID	Auto-discovered if omitted

Application Log Parameters

Parameter	Tool	Required	Description	Constraints
app_name	app log tools	Yes	Workload name	Must reference existing workload
logconfig_name	app log tools	No	Specific LogConfig policy	Selects from matched streams
policy_name	app log tools	No	Specific policy name	Alternative to logconfig_name
keywords	app log tools	No	Keyword filter	LTS keyword search
hours	recent logs	No	Recent hours window	Default 1
start_time	time-range logs	No	Start time	YYYY-MM-DD HH:MM:SS format
end_time	time-range logs	No	End time	YYYY-MM-DD HH:MM:SS format
auto_paginate	app log tools	No	Enable pagination	true/false
max_pages	app log tools	No	Max pages to fetch	Caps total work when paginating
limit	app log tools	No	Per-page size	Recommended 100-1000

Common Region IDs

Region Name	Region ID
North China - Beijing 4	cn-north-4
North China - Beijing 1	cn-north-1
East China - Shanghai 1	cn-east-3
East China - Shanghai 2	cn-east-2
South China - Guangzhou	cn-south-1
South China - Shenzhen	cn-south-4
Southwest China - Guiyang 1	cn-southwest-2
Asia Pacific - Bangkok	ap-southeast-2
Asia Pacific - Singapore	ap-southeast-1
Asia Pacific - Hong Kong	ap-southeast-3
Europe - Paris	eu-west-0

Best Practices

1. Narrowest scope first — use Pod stdout when the user names a Pod, application LTS logs when they name a workload
2. Recent windows before broad searches — prefer hours=1 or tail_lines=100-500 before full historical queries
3. Discover before querying — call huawei_get_application_logconfigs first to find the right LogConfig policy, then pass logconfig_name or policy_name to query tools
4. Preview before mutating — always call create/delete LogConfig without confirm=true first; only call with confirm=true after user reviews the preview
5. Use auto_paginate for multi-page results — set auto_paginate=true with max_pages to cap total work; limit controls per-page size
6. Redact sensitive data — never include tokens, passwords, cookies, authorization headers, or PII in log summaries
7. Group repeated patterns — when summarizing logs, group repeated lines by pattern and include counts
8. Hand off for remediation — if logs indicate Pod startup, image pull, scheduling, node, or network failures, recommend the corresponding diagnosis skill with exact evidence

Common Pitfalls

Pitfall	Symptom	Quick Fix
Missing LogConfig for app	No LTS stream found	Create LogConfig with huawei_create_cce_logconfig
Wrong LogConfig policy	Logs from wrong stream	Use huawei_get_application_logconfigs to discover correct policy
keywords filter skews analysis ratios	Abnormal ratio too high/low	Do not set keywords unless user explicitly wants keyword-scoped ratios
Audit type misunderstood	Audit results too broad/narrow	audit_type is keyword preset only; pod_delete adds delete+pods, workload_change adds workload-related keywords
No confirm=true on create/delete	Preview-only, no actual change	Call again with confirm=true after reviewing preview
Large time window without pagination	Partial or slow results	Use auto_paginate=true with max_pages and reasonable limit
Previous container log not found	"previous" flag on running container	Use previous=true only when container has restarted; check Pod status first
AK/SK exposed in output	Credential leak	Redact all credentials; summarize patterns instead of raw values

Notes

• LogConfig tools are the only mutation path — creating and deleting LogConfig resources is only supported through huawei_create_cce_logconfig and huawei_delete_cce_logconfig with confirm=true
• Audit logs are keyword-based — huawei_query_cce_audit_logs uses pure keyword search over LTS audit content; all convenience parameters (pod_name, resource_name, workload_name, namespace, user, verb, resource, status_code) are converted into keywords, not parsed-field filters
• stdout vs container_file — use source_type=container_stdout for Pod standard output, source_type=container_file for application file logs collected from paths like /var/log/*.log
• Analysis tool denominator — huawei_analyze_application_logs calculates ratios over the queried log set; adding keywords changes the denominator to only matched logs, so avoid it unless explicitly requested
• Analysis returns — abnormal ratio, log rates, first/last abnormal time, observed recovery time, incident windows, top patterns, status-code distribution, and samples

Output Format

All tools return JSON with structured log data, analysis results, or LogConfig previews. See references/output-schema.md for detailed response schemas.

Verification

1. Run environment check script
2. Query a known Pod log with huawei_get_recent_logs
3. Verify the LogConfig preview/confirm workflow
4. Confirm read-only behavior for query operations

Reference Documents

Document	Description
workflow.md	Detailed workflow for Pod stdout, application LTS logs, LogConfig management, and audit queries
risk-rules.md	Risk constraints, security rules, and scope boundaries
output-schema.md	Log query and analysis output schema reference