Istio access logs

Collect and review access logs to monitor the traffic to your Istio-enabled workloads.

About

Leverage the default Envoy access log collector to record logs for the Istio ingress gateway and Istio-enabled workloads in your service mesh. You can then review these logs to troubleshoot issues as needed, or scrape them to view in your larger platform logging system. The full record of each request includes source and destination metadata, such as the client ID that initiated the request. Auditors in your organization can use this information to detect malicious activity or unusual volumes of requests to your gateway.

To get started, enable the default Envoy access log collector in your Istio installation.

Enable access logging

Enable the default Envoy access log collector when you install or update Istio.

  1. Allow your Istio-enabled workloads to produce access logs by updating your Istio installation.

    If you use the Gloo Operator to manage Istio installations, create a ConfigMap that includes the following settings to configure Envoy to use the default Envoy log format, encode the logs in JSON format, and write the logs to /dev/stdout.

    kubectl apply -f- <<EOF
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: gloo-extensions-config
      namespace: gloo-mesh
    data:
      values.istiod: |
        meshConfig:
          accessLogFile: /dev/stdout
          accessLogEncoding: JSON
          accessLogFormat:
    EOF

    Review the following table to understand this configuration.

    | Setting | Description |
    | --- | --- |
    | metadata | For the Gloo Operator to pick up the ConfigMap, the name must be gloo-extensions-config and the namespace must be the same as the Gloo Operator, such as gloo-mesh. |
    | accessLogFile | Set the access log file to /dev/stdout to log to the console. |
    | accessLogEncoding | Set the access log encoding as TEXT or JSON. The default value is TEXT. |
    | accessLogFormat | Set the access log format. If you omit this value, like in the example, the default Istio access log format is used. To change the format, see the Envoy docs. |

  2. Restart the ingress gateway to start collecting access logs.

    kubectl rollout restart deployment istio-ingressgateway-$REVISION -n gloo-mesh-gateways

View access logs

View the Envoy access logs that are recorded by default for the ingress gateway.

  1. Save the external address of the ingress gateway.

    export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
    echo $INGRESS_GW_ADDRESS

  2. Generate access logs by sending requests to any route in your Gloo Mesh Gateway setup.

    curl -vik http://www.example.com:80/productpage --resolve www.example.com:80:$INGRESS_GW_ADDRESS

  3. View the access logs for the ingress gateway proxy.

    kubectl logs -n gloo-mesh-gateways -l istio=ingressgateway

  4. Check the logs for the ingress gateway. All access logs for the requests that you previously sent are recorded. For example, the logs might look similar to the following:

    {"authority":"www.example.com","requested_server_name":null,"protocol":"HTTP/1.1","route_name":"productpage-www-example-com.bookinfo.graham0","response_flags":"-","duration":2033,"start_time":"2023-04-20T15:05:31.963Z","request_id":"6aa61345-7c42-42fe-8797-ee31135ba1d9","bytes_sent":4183,"upstream_host":"10.40.1.34:9080","upstream_transport_failure_reason":null,"response_code_details":"via_upstream","upstream_cluster":"outbound|9080||productpage.bookinfo.svc.cluster.local","method":"GET","user_agent":"curl/7.79.1","upstream_local_address":"10.40.0.67:48142","upstream_service_time":"2032","bytes_received":0,"path":"/productpage","x_forwarded_for":"10.40.0.1","downstream_local_address":"10.40.0.67:8080","downstream_remote_address":"10.40.0.1:22305","connection_termination_details":null,"response_code":200}

For more information about the default log format, see the Istio default access log docs. To understand each field in the default format, see the Envoy access log docs.
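
To review these logs for unusual request volumes or error rates per client, you can summarize the JSON entries with a short script. The following is an added example, not part of the original docs or the Gloo or Istio projects: the `summarize` function, the `min_errors` threshold, and the sample lines are assumptions, and only the field names come from the log entry shown above.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample: four JSON access log entries and one non-JSON proxy line.
SAMPLE_LINES = [
    '{"downstream_remote_address":"10.40.0.1:22305","path":"/productpage","response_code":200,"response_flags":"-"}',
    '{"downstream_remote_address":"10.40.0.9:40110","path":"/missing","response_code":404,"response_flags":"NR"}',
    '{"downstream_remote_address":"10.40.0.9:40112","path":"/login","response_code":403,"response_flags":"-"}',
    '{"downstream_remote_address":"10.40.0.9:40114","path":"/login","response_code":503,"response_flags":"UF"}',
    "2023-04-20T15:05:30.000Z info proxy is ready",
]


def summarize(lines, min_errors=2):
    """Count requests, 4xx/5xx responses and Envoy response flags per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "flags": Counter()})
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an access log entry (proxy startup or debug output)
        if not isinstance(entry, dict) or "response_code" not in entry:
            continue
        # Key on the peer address Envoy recorded, port stripped. x_forwarded_for
        # is a request header that a client can set, so it is not used as the key.
        peer = entry.get("downstream_remote_address") or "unknown"
        s = stats[peer.rsplit(":", 1)[0]]
        s["requests"] += 1
        if int(entry["response_code"] or 0) >= 400:
            s["errors"] += 1
        flag = entry.get("response_flags") or "-"
        if flag != "-":
            s["flags"][flag] += 1
    # min_errors is an assumed threshold; tune it to your traffic.
    flagged = sorted(c for c, s in stats.items() if s["errors"] >= min_errors)
    return dict(stats), flagged


if __name__ == "__main__":
    # Pipe `kubectl logs -n gloo-mesh-gateways -l istio=ingressgateway` in,
    # or run with no input to use the constructed sample.
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    stats, flagged = summarize(lines)
    for client, s in sorted(stats.items()):
        print(client, s["requests"], s["errors"], dict(s["flags"]))
    print("clients at or above the error threshold:", flagged)
```

The script requires `accessLogEncoding: JSON`; with the TEXT encoding every line is skipped as non-JSON.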