Access Logs

This topic describes configuration and usage for access logs. Consul can emit access logs to record application connections and requests that pass through proxies in a service mesh, including sidecar proxies and gateways. You can use the application traffic records in access to logs to help you performance the following operations:

  • Diagnosing and Troubleshooting Issues: Operators and application owners can identify configuration issues in the service mesh or the application by analyzing failed connections and requests.
  • Threat Detection: Operators can review details about unauthorized attempts to access the service mesh and their origins.
  • Audit Compliance: Operators can use access less for security compliance requirements for traffic entering and exiting the service mesh through gateways.

Consul supports access logs capture through Envoy proxies started through the consul connect envoy CLI command and consul-dataplane. Other proxies are not supported.

Enable access logs

Access logs configurations are defined globally in the proxy-defaults configuration entry.

The following example is a minimal configuration for enabling access logs:

  1. Kind      = "proxy-defaults"
  2. Name      = "global"
  3. AccessLogs {
  4.   Enabled = true
  5. }
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: ProxyDefaults
  3. metadata:
  4.   name: global
  5. spec:
  6.   accessLogs:
  7.     enabled: true
  1. {
  2.   "Kind": "proxy-defaults",
  3.   "Name": "global",
  4.   "AccessLogs": {
  5.     "Enabled": true
  6.   }
  7. }

All proxies, including sidecars and gateways, emit access logs when the behavior is enabled. Both inbound and outbound traffic through the proxy are logged, including requests made directly to Envoy’s administration interface.

If you enable access logs after the Envoy proxy was started, access logs for the administration interface are not captured until you restart the proxy.

Default log format

Access logs use the following format when no additional customization is provided:

Security warning: The following log format contains IP addresses which may be a data compliance issue, depending on your regulatory environment. Operators should carefully inspect their chosen access log format to prevent leaking sensitive or personally identifiable information.

  1. {
  2.     "start_time":                        "%START_TIME%",
  3.     "route_name":                        "%ROUTE_NAME%",
  4.     "method":                            "%REQ(:METHOD)%",
  5.     "path":                              "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
  6.     "protocol":                          "%PROTOCOL%",
  7.     "response_code":                     "%RESPONSE_CODE%",
  8.     "response_flags":                    "%RESPONSE_FLAGS%",
  9.     "response_code_details":             "%RESPONSE_CODE_DETAILS%",
  10.     "connection_termination_details":    "%CONNECTION_TERMINATION_DETAILS%",
  11.     "bytes_received":                    "%BYTES_RECEIVED%",
  12.     "bytes_sent":                        "%BYTES_SENT%",
  13.     "duration":                          "%DURATION%",
  14.     "upstream_service_time":             "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
  15.     "x_forwarded_for":                   "%REQ(X-FORWARDED-FOR)%",
  16.     "user_agent":                        "%REQ(USER-AGENT)%",
  17.     "request_id":                        "%REQ(X-REQUEST-ID)%",
  18.     "authority":                         "%REQ(:AUTHORITY)%",
  19.     "upstream_host":                     "%UPSTREAM_HOST%",
  20.     "upstream_cluster":                  "%UPSTREAM_CLUSTER%",
  21.     "upstream_local_address":            "%UPSTREAM_LOCAL_ADDRESS%",
  22.     "downstream_local_address":          "%DOWNSTREAM_LOCAL_ADDRESS%",
  23.     "downstream_remote_address":         "%DOWNSTREAM_REMOTE_ADDRESS%",
  24.     "requested_server_name":             "%REQUESTED_SERVER_NAME%",
  25.     "upstream_transport_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
  26. }

Depending on the connection type, such TCP or HTTP, some of these fields may be empty.

Custom log format

Envoy uses command operators to expose information about application traffic. You can use these fields to customize the access logs that proxies emit.

Custom logs can be either JSON format or text format.

JSON format

You can format access logs in JSON so that you can parse them with Application Monitoring Platforms (APMs).

To use a custom access log, in the proxy-defaults configuration entry, set JSONFormat to the string representation of the desired JSON.

Nesting is supported.

  1. Kind      = "proxy-defaults"
  2. Name      = "global"
  3. AccessLogs {
  4.   Enabled = true
  5.   JSONFormat = <<EOF
  6. {
  7.     "myCustomKey" : {
  8.         "myStartTime" : "%START_TIME%",
  9.         "myProtocol" : "%PROTOCOL%"
  10.     }
  11. }
  12. EOF
  13. }
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: ProxyDefaults
  3. metadata:
  4.   name: global
  5. spec:
  6.   accessLogs:
  7.     enabled: true
  8.     jsonFormat: |
  9.       {
  10.         "myCustomKey" : {
  11.           "myStartTime" : "%START_TIME%",
  12.           "myProtocol" : "%PROTOCOL%"
  13.         }
  14.       }
  1. {
  2.   "Kind": "proxy-defaults",
  3.   "Name": "global",
  4.   "AccessLogs": {
  5.     "Enabled": true,
  6.     "JSONFormat": "{ \"myCustomKey\" : { \"myStartTime\" : \"%START_TIME%\", \"myProtocol\" : \"%PROTOCOL%\"} }"
  7.   }
  8. }

Text format

To use a custom access log formatted in plaintext, in the proxy-defaults configuration entry, set TextFormat to the desired customized string.

New lines are automatically added to the end of the log to keep each access log on its own line in the output.

  1. Kind      = "proxy-defaults"
  2. Name      = "global"
  3. AccessLogs {
  4.   Enabled = true
  5.   TextFormat = "MY START TIME: %START_TIME%, THIS CONNECTIONS PROTOCOL IS %PROTOCOL%" 
  6. }
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: ProxyDefaults
  3. metadata:
  4.   name: global
  5. spec:
  6.   accessLogs:
  7.     enabled: true
  8.     textFormat: "MY START TIME: %START_TIME%, THIS CONNECTIONS PROTOCOL IS %PROTOCOL%"
  1. {
  2.   "Kind": "proxy-defaults",
  3.   "Name": "global",
  4.   "AccessLogs": {
  5.     "Enabled": true,
  6.     "JSONFormat": "MY START TIME: %START_TIME%, THIS CONNECTIONS PROTOCOL IS %PROTOCOL%" 
  7.   }
  8. }

Kubernetes

As part of its normal operation, the Envoy debugging logs for the consul-dataplane, envoy, or envoy-sidecar containers are written to stderr. The access log Type is set to stdout by default for access logs when enabled. Use a log aggregating solution to separate the machine-readable access logs from the Envoy process debug logs.

Write to a file

You can configure Consul to write access logs to a file on the host where Envoy runs.

Envoy does not rotate log files. A log rotation solution, such as logrotate, can prevent access logs from consuming too much of the host’s disk space when writing to a file.

  1. Kind      = "proxy-defaults"
  2. Name      = "global"
  3. AccessLogs {
  4.   Enabled = true
  5.   Type = "file"
  6.   Path = "/var/log/envoy/access-logs.txt" 
  7. }
  1. apiVersion: consul.hashicorp.com/v1alpha1
  2. kind: ProxyDefaults
  3. metadata:
  4.   name: global
  5. spec:
  6.   accessLogs:
  7.     enabled: true
  8.     type: file
  9.     path: "/var/log/envoy/access-logs.txt"
  1. {
  2.   "Kind": "proxy-defaults",
  3.   "Name": "global",
  4.   "AccessLogs": {
  5.     "Enabled": true,
  6.     "Type": "file",
  7.     "Path": "/var/log/envoy/access-logs.txt"
  8.   }
  9. }