Istio access logs

Collect and review access logs to monitor the traffic to Istio-enabled workloads.

Use the default Envoy access log collector to record logs for the Istio ingress gateway and Istio-enabled workloads in your service mesh. You can then review these logs to troubleshoot issues as needed, or scrape these logs to view them in your larger platform logging system. The full record of each request includes source and destination metadata, such as the client ID that initiated the request. Auditors in your organization can use this information to detect malicious activity or an unusual number of requests to your gateway.

To get started, enable the default Envoy access log collector in your Istio installation.

Before you begin

This guide assumes that you use the same names for components like clusters, workspaces, and namespaces as in the getting started guide. If you have different names, make sure to update the sample configuration files in this guide.
  1. Complete the multicluster getting started guide to set up the following testing environment.
    • Three clusters along with environment variables for the clusters and their Kubernetes contexts.
    • The Gloo Platform CLI, meshctl, along with other CLI tools such as kubectl and istioctl.
    • The Gloo management server in the management cluster, and the Gloo agents in the workload clusters.
    • Istio installed in the workload clusters.
    • A simple Gloo workspace setup.
  2. Install Bookinfo and other sample apps.

Enable access logging

Enable the default Envoy access log collector when you install or update Istio.

  1. Instrument the Istio-enabled workloads in your cluster to produce access logs by updating your Istio installation. The following example meshConfig options configure Envoy to use the default Envoy log format, encode the logs in JSON format, and write the logs to /dev/stdout. You can add these meshConfig settings to new or existing Istio installations in the following ways:

    ...
    meshConfig:
      # Enable access logging to /dev/stdout
      accessLogFile: /dev/stdout
      # Encoding for the access log (TEXT or JSON). Default value is TEXT.
      accessLogEncoding: JSON
      # If empty, the default log format is used.
      # See the default log format at https://istio.io/latest/docs/tasks/observability/logs/access-log/#default-access-log-format
      # To change the format, see https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#format-rules
      accessLogFormat: 
    
  2. Restart the workloads that you want to collect access logs for. For example, to restart the product page app, run the following command.

    kubectl rollout restart deployment productpage-v1 -n bookinfo --context $REMOTE_CONTEXT1  
    

View access logs

View the Envoy access logs that are recorded by default for workloads in your service mesh.

Note that the following example steps assume that you followed the multicluster getting started guide and Bookinfo sample app guide to install Bookinfo in your workload cluster. However, you can edit these example steps for your own apps as well.

  1. Create a temporary container with the curl utility in the same namespace as the ratings Bookinfo service.

    kubectl run -it -n bookinfo --context $REMOTE_CONTEXT1 curl \
      --image=curlimages/curl:7.73.0 --rm  -- sh
    
  2. From the new terminal, generate access logs by sending requests to ratings. Type exit when you're done.

    curl http://ratings:9080/ratings/1 -v
    
  3. View the ratings access logs.

    kubectl logs -l app=ratings -c istio-proxy -n bookinfo --context $REMOTE_CONTEXT1 
    
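  4. Check the logs for the ratings app. All access logs for the requests that you previously sent are recorded. For example, the logs might look similar to the following. This sample shows the default TEXT encoding; with accessLogEncoding set to JSON, each entry is written as a JSON object instead.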

    [2022-06-17T00:29:40.135Z] "GET /ratings/1 HTTP/1.1" 200 - via_upstream - "-" 0 48 2 1 "-" "curl/7.73.0-DEV" "8bdf59f8-0608-4d39-ac73-268519068afb" "ratings:9080" "10.24.1.17:9080" inbound|9080|| 127.0.0.6:59801 10.24.1.17:9080 10.24.0.21:48722 outbound_.9080_._.ratings.bookinfo.svc.cluster.local default
    [2022-06-17T00:30:08.114Z] "GET /ratings/1 HTTP/1.1" 200 - via_upstream - "-" 0 48 2 2 "-" "curl/7.73.0-DEV" "248926bd-ca16-42a6-866d-d2ab5a1440ee" "ratings:9080" "10.24.1.17:9080" inbound|9080|| 127.0.0.6:47333 10.24.1.17:9080 10.24.0.21:48672 outbound_.9080_._.ratings.bookinfo.svc.cluster.local default
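
The following Python example is added here and is not part of the original guide or of the Istio or Gloo projects. It parses istio-proxy access log lines like the ones above and counts requests and 4xx/5xx responses per downstream client IP, the kind of review the introduction describes for auditors. It goes beyond the sample output by also accepting JSON-encoded lines; the JSON key names, the `max_requests` threshold, and the sample data are assumptions.

```python
import json
import shlex
from collections import Counter

# Field order of Istio's default TEXT access log format, after the [start_time] prefix.
TEXT_FIELDS = (
    "request response_code response_flags response_code_details "
    "connection_termination_details upstream_transport_failure_reason "
    "bytes_received bytes_sent duration upstream_service_time x_forwarded_for "
    "user_agent request_id authority upstream_host upstream_cluster upstream_local_address "
    "downstream_local_address downstream_remote_address requested_server_name route_name"
).split()

def parse_line(line):
    """Parse one istio-proxy log line (JSON or default TEXT); None if malformed."""
    try:
        if line.lstrip().startswith("{"):
            # Assumption: JSON key names follow Istio's default JSON log format.
            rec = json.loads(line)
        else:
            # Path and user agent are client-controlled: broken quoting raises
            # ValueError or shifts the field count, and the line is skipped.
            values = shlex.split(line.strip().split("] ", 1)[1])
            if len(values) != len(TEXT_FIELDS):
                return None
            rec = dict(zip(TEXT_FIELDS, values))
        client = rec["downstream_remote_address"].rsplit(":", 1)[0]
        return {"client": client, "status": int(rec["response_code"])}
    except (ValueError, KeyError, IndexError, AttributeError, TypeError):
        return None

def summarize(lines, max_requests=2):
    """Count requests and 4xx/5xx responses per client IP; flag noisy clients."""
    requests, errors, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        requests[rec["client"]] += 1
        errors[rec["client"]] += rec["status"] >= 400
    return {"requests": dict(requests), "errors": dict(errors), "skipped": skipped,
            "flagged": sorted(c for c, n in requests.items() if n > max_requests)}

# Constructed sample: TEXT lines modelled on the page's output, one JSON line, one broken line.
TEXT = '[2022-06-17T00:29:40.135Z] "GET /ratings/1 HTTP/1.1" %d - via_upstream - "-" 0 48 2 1 "-" "curl/7.73.0-DEV" "8bdf59f8-0608-4d39-ac73-268519068afb" "ratings:9080" "10.24.1.17:9080" inbound|9080|| 127.0.0.6:59801 10.24.1.17:9080 10.24.0.21:48722 outbound_.9080_._.ratings.bookinfo.svc.cluster.local default'
SAMPLE = [TEXT % 200, TEXT % 200, TEXT % 404,
          '{"downstream_remote_address": "10.24.0.35:51012", "response_code": 403}',
          '[2022-06-17T00:31:00.000Z] "GET /ratings/1 HTTP/1.1" 200 - "unterminated']
```

To run it against live output, pass the lines from the `kubectl logs` command in step 3 to `summarize`. A nonzero `skipped` count is worth a look on its own, because it means some lines did not match either format.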