How to change logLevel for velero in AKS backup

Question

How to change logLevel for velero in AKS backup

Ian Cox 20

When you install the AKS backup extension it sets up velero with logLevel=debug. This generates a huge amount of logs (by far the biggest on our cluster). I want to only allow velero to log warning, but if I try and edit the deployment yaml for dataprotection-microsoft-kubernetes-agent it gets set back to debug.

I was hoping to be able to update it via something like this:

az k8s-extension update \
  --cluster-name <cluster-name> \
  --resource-group <resource-group> \
  --cluster-type managedClusters \
  --name azure-aks-backup \
  --configuration-settings "configuration.logLevel=debug"

but this fails with Ignoring unrecognized configuration setting: configuration.logLevel

Himanshu Shekhar 5,240 Reputation points Microsoft External Staff Moderator

2026-03-16T12:27:58.6433333+00:00

Ian Cox Connected - When the AKS Backup extension is installed, it deploys and manages Velero internally as part of a Microsoft‑managed extension. The Velero deployment (for example, dataprotection-microsoft-kubernetes-agent) is continuously reconciled by the extension controller, which is why:

Any manual changes made directly to the Velero deployment YAML are automatically reverted

Note : The Velero logLevel is hard‑coded to debug by design

The extension does not currently expose logLevel (or similar Velero runtime flags) as a supported configuration parameter. As a result, the following command fails by design because configuration.logLevel is not a supported extension setting:

az k8s-extension update ``\

--cluster-name ``<cluster-name> \

--resource-group ``<resource-group> \

--cluster-type managedClusters ``\

``--name azure-aks-backup \

--configuration-settings ``"configuration.logLevel=warning"

This results in: Ignoring unrecognized configuration setting: configuration.logLevel

Microsoft confirms that customizing Velero log verbosity is not supported when using the AKS Backup extension, as the extension owns the lifecycle and configuration of Velero pods and enforces a fixed configuration for reliability and supportability reasons.

Ref documentation you may refer - https://velero.io/docs/main/troubleshooting/ also reached for additional details via private messages
Ian Cox 20 Reputation points

2026-03-16T12:30:17.47+00:00

How can I reduce the amount of logs? This is by far the most expensive log we have at about 3GB per day. I guess I can exclude the namespace in insights monitor settings?
Ian Cox 20 Reputation points

2026-03-17T09:13:17.9966667+00:00

Thanks. I've excluded dataprotection-microsoft from stdout in the configmap. Seems to be doing the job.

Answer accepted by question author

0 additional answers

Your answer

Himanshu Shekhar 5,240 Reputation points Microsoft External Staff Moderator

2026-03-16T12:27:58.6433333+00:00

Ian Cox Connected - When the AKS Backup extension is installed, it deploys and manages Velero internally as part of a Microsoft‑managed extension. The Velero deployment (for example, dataprotection-microsoft-kubernetes-agent) is continuously reconciled by the extension controller, which is why:

Any manual changes made directly to the Velero deployment YAML are automatically reverted

Note : The Velero logLevel is hard‑coded to debug by design

The extension does not currently expose logLevel (or similar Velero runtime flags) as a supported configuration parameter. As a result, the following command fails by design because configuration.logLevel is not a supported extension setting:

az k8s-extension update ``\

--cluster-name ``<cluster-name> \

--resource-group ``<resource-group> \

--cluster-type managedClusters ``\

``--name azure-aks-backup \

--configuration-settings ``"configuration.logLevel=warning"

This results in: Ignoring unrecognized configuration setting: configuration.logLevel

Microsoft confirms that customizing Velero log verbosity is not supported when using the AKS Backup extension, as the extension owns the lifecycle and configuration of Velero pods and enforces a fixed configuration for reliability and supportability reasons.

Ref documentation you may refer - https://velero.io/docs/main/troubleshooting/ also reached for additional details via private messages
Ian Cox 20 Reputation points

2026-03-16T12:30:17.47+00:00

How can I reduce the amount of logs? This is by far the most expensive log we have at about 3GB per day. I guess I can exclude the namespace in insights monitor settings?
Ian Cox 20 Reputation points

2026-03-17T09:13:17.9966667+00:00

Thanks. I've excluded dataprotection-microsoft from stdout in the configmap. Seems to be doing the job.

Answer 1

Ian Cox

Container logs (ContainerLogV2) are usually the top cost driver. This must be done from the Azure Monitor agent ConfigMap, not just Insights settings. You can exclude entire namespaces from log collection.

For example ConfigMap snippet:

[log_collection_settings]
[log_collection_settings.stdout]
enabled = true
exclude_namespaces = ["kube-system", "velero", "gatekeeper-system"]
[log_collection_settings.stderr]
enabled = true
exclude_namespaces = ["kube-system", "velero", "gatekeeper-system"]

Filter container log collection with ConfigMap - https://docs.azure.cn/en-us/azure-monitor/containers/container-insights-data-collection-filter

If you’re still on legacy ContainerLog, you’re paying more than needed.

Key benefits of ContainerLogV2:

Supports Basic Logs (lower cost)
Better metadata, fewer joins
Default for newer clusters / AMA‑based onboarding

Supported and recommended by Microsoft - https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-logs-schema

f you cannot exclude an entire namespace, you can exclude specific workloads.

Add this annotation to the pod/deployment:

annotations:
  fluentbit.io/exclude: "true"

This prevents both stdout & stderr collection for that pod

You have mentioned “by far the most expensive log” this matches Velero running with logLevel=debug, which is a known issue. When installed via AKS Backup Extension, Velero is forced to debug and manual changes get reverted. Produces massive log volume

This is a known limitation, not a misconfiguration - https://stackoverflow.com/questions/73195665/aks-configured-container-insights-does-capture-excluded-namespaces

Post excluding dataprotection-microsoft from stdout in the configmap ,it's working fine.

Share via

How to change logLevel for velero in AKS backup

0 additional answers

Your answer