Istio access logs
Collect and review access logs to monitor the traffic to your Istio-enabled workloads.
About
Leverage the default Envoy access log collector to record logs for the Istio ingress gateway and Istio-enabled workloads in your service mesh. You can then review these logs to troubleshoot issues as needed, or scrape these logs to view them in your larger platform logging system. The full record of each request includes source and destination metadata, such as the client ID that initiated the request. Auditors in your organization can use this information to detect malicious activity or unusual volumes of requests to your gateway.
To get started, enable the default Envoy access log collector in your Istio installation.
Enable access logging
Enable the default Envoy access log collector when you install or update Istio.
Allow your Istio-enabled workloads to produce access logs by updating your Istio installation.
If you use the Gloo Operator to manage Istio installations, create a ConfigMap that includes the following settings to configure Envoy to use the default Envoy log format, encode the logs in JSON format, and to store the log files under `/dev/stdout`.

```sh
kubectl apply -f- <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: gloo-extensions-config
  namespace: gloo-mesh
data:
  values.istiod: |
    meshConfig:
      accessLogFile: /dev/stdout
      accessLogEncoding: JSON
      accessLogFormat:
EOF
```

Review the following table to understand this configuration.

| Setting | Description |
| --- | --- |
| `metadata` | For the Gloo Operator to pick up the ConfigMap, the name must be `gloo-extensions-config` and the namespace must be the same as the Gloo Operator, such as `gloo-mesh`. |
| `accessLogFile` | Set the access log file to `/dev/stdout` to log to the console. |
| `accessLogEncoding` | Set the access log encoding as `TEXT` or `JSON`. The default value is `TEXT`. |
| `accessLogFormat` | Set the access log format. If you omit this value, like in the example, the default Istio access log format is used. To change the format, see the Envoy docs. |

Follow the Istio documentation to enable Istio access logs.
Restart the workloads or gateways that you want to collect access logs for.
- Workloads, such as the Bookinfo productpage app:
  ```sh
  kubectl rollout restart deployment productpage-v1 -n bookinfo --context $REMOTE_CONTEXT
  ```
- Gateways, such as the ingress gateway:
  ```sh
  kubectl rollout restart deployment istio-ingressgateway -n istio-ingress --context $REMOTE_CONTEXT
  ```
View access logs
View the Envoy access logs that are recorded by default for workloads in your service mesh.
Create a temporary container with the `curl` utility in the same namespace as the `ratings` Bookinfo service.

```sh
kubectl run -it --context $REMOTE_CONTEXT1 -n bookinfo curl \
  --image=curlimages/curl:7.73.0 --rm -- sh
```

From the new terminal, generate access logs by sending requests to `ratings`. Type `exit` when you’re done.

```sh
curl http://ratings:9080/ratings/1 -v
```

View the `ratings` access logs.

```sh
kubectl logs -l app=ratings -c istio-proxy --context $REMOTE_CONTEXT1 -n bookinfo
```

Check the logs for the `ratings` app. All access logs for the requests that you previously sent are recorded. For example, the logs might look similar to the following:

JSON format example

```json
{"authority":"reviews:9080","bytes_received":0,"bytes_sent":0,"connection_termination_details":null,"downstream_local_address":"10.x.xx.xxx:9080","downstream_remote_address":"10.x.xx.xxx:57722","duration":1,"method":"GET","path":"/reviews/1","protocol":"HTTP/1.1","request_id":"3a75edce-e5fd-4f92-8ecb-3f4e21a7dcb4","requested_server_name":"outbound_.9080_._.reviews.bookinfo.svc.cluster.local","response_code":429,"response_code_details":"request_rate_limited","response_flags":"RL","route_name":"default","start_time":"2025-05-06T20:58:22.164Z","upstream_cluster":"inbound|9080||","upstream_host":null,"upstream_local_address":null,"upstream_service_time":null,"upstream_transport_failure_reason":null,"user_agent":"curl/7.73.0-DEV","x_forwarded_for":null}
```

Text format example

```
[2022-06-17T00:29:40.135Z] "GET /ratings/1 HTTP/1.1" 200 - via_upstream - "-" 0 48 2 1 "-" "curl/7.73.0-DEV" "8bdf59f8-0608-4d39-ac73-268519068afb" "ratings:9080" "10.24.1.17:9080" inbound|9080|| 127.0.0.6:59801 10.24.1.17:9080 10.24.0.21:48722 outbound_.9080_._.ratings.bookinfo.svc.cluster.local default
[2022-06-17T00:30:08.114Z] "GET /ratings/1 HTTP/1.1" 200 - via_upstream - "-" 0 48 2 2 "-" "curl/7.73.0-DEV" "248926bd-ca16-42a6-866d-d2ab5a1440ee" "ratings:9080" "10.24.1.17:9080" inbound|9080|| 127.0.0.6:47333 10.24.1.17:9080 10.24.0.21:48672 outbound_.9080_._.ratings.bookinfo.svc.cluster.local default
```
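The About section says auditors can use these records to detect unusual volumes of requests. The following Python script is an added example, not part of the Gloo or Istio documentation: it reads JSON-encoded access log lines, skips the plain-text lines that the `istio-proxy` container also writes, and reports per-client request bursts and rate-limited responses. The names `audit`, `client_ip`, `_rec`, the `max_per_minute` threshold, and the sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter

def client_ip(addr):
    """Strip the port from an Envoy 'ip:port' address (IPv6 is '[ip]:port')."""
    return addr.rsplit(":", 1)[0].strip("[]") if addr else "unknown"

def audit(lines, max_per_minute=3):
    """Return (bursts keyed by (client, minute), rate-limited counts per client)."""
    per_minute, rate_limited = Counter(), Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # istio-proxy also emits non-JSON Envoy/agent log lines
        if not isinstance(rec, dict) or "start_time" not in rec:
            continue
        # At a sidecar this is the peer address, which may be a gateway or
        # another proxy rather than the original client.
        ip = client_ip(rec.get("downstream_remote_address"))
        per_minute[(ip, rec["start_time"][:16])] += 1  # bucket by minute
        # Response flags are comma-separated; RL marks a rate-limited request.
        flags = (rec.get("response_flags") or "").split(",")
        if rec.get("response_code") == 429 or "RL" in flags:
            rate_limited[ip] += 1
    bursts = {k: n for k, n in per_minute.items() if n > max_per_minute}
    return bursts, dict(rate_limited)

def _rec(ts, addr, code, flags):
    """Build one constructed record with the field names from the JSON example."""
    return json.dumps({"start_time": ts, "downstream_remote_address": addr,
                       "path": "/reviews/1", "response_code": code,
                       "response_flags": flags})

# Constructed sample input (addresses and times are made up).
SAMPLE = [
    "2025-05-06T20:58:00.000Z info Envoy proxy is ready",  # non-JSON line
    *[_rec(f"2025-05-06T20:58:2{i}.000Z", "10.0.0.21:48722", 200, "-") for i in range(3)],
    *[_rec(f"2025-05-06T20:58:3{i}.000Z", "10.0.0.21:48722", 429, "RL") for i in range(2)],
    _rec("2025-05-06T20:58:40.000Z", "10.0.0.30:51000", 200, "-"),
]

if __name__ == "__main__":
    bursts, limited = audit(SAMPLE)
    for (ip, minute), n in bursts.items():
        print(f"{minute} {ip}: {n} requests in one minute")
    for ip, n in limited.items():
        print(f"{ip}: {n} rate-limited responses")
```

`audit` accepts any iterable of lines, so passing `sys.stdin` lets you pipe the output of the `kubectl logs` command above into it when `accessLogEncoding` is set to `JSON`.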