Traffic Log

With the TrafficLog policy you can configure access logging on every Envoy data-plane belonging to the Mesh. These logs can then be collected by any agent to be inserted into systems like Splunk, ELK and Datadog. The first step is to configure backends for the Mesh. A backend can be either a file or a TCP service (like Logstash). Second step is to create a TrafficLog entity to select connections to log.

On Universal:

  1. type: Mesh
  2. name: default
  3. mtls:
  4.   ca:
  5.     builtin: {}
  6.   enabled: true
  7. logging:
  8.   defaultBackend: file
  9.   backends:
  10.     - name: logstash
  11.       format: |
  12.         {
  13.             "destination": "%UPSTREAM_CLUSTER%",
  14.             "destinationAddress": "%UPSTREAM_LOCAL_ADDRESS%",
  15.             "source": "%KUMA_DOWNSTREAM_CLUSTER%",
  16.             "sourceAddress": "%DOWNSTREAM_REMOTE_ADDRESS%",
  17.             "bytesReceived": "%BYTES_RECEIVED%",
  18.             "bytesSent": "%BYTES_SENT%"
  19.         }
  20.       tcp:
  21.         address: 127.0.0.1:5000
  22.     - name: file
  23.       file:
  24.         path: /tmp/access.log
  1. type: TrafficLog
  2. name: all-traffic
  3. mesh: default
  4. sources:
  5.   - match:
  6.       service: '*'
  7. destinations:
  8.   - match:
  9.       service: '*'
  10. # if omitted, the default logging backend of that mesh will be used
  1. type: TrafficLog
  2. name: backend-to-database-traffic
  3. mesh: default
  4. sources:
  5.   - match:
  6.       service: backend
  7. destinations:
  8.   - match:
  9.       service: database
  10. conf:
  11.   backend: logstash

On Kubernetes:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4.   name: default
  5. spec:
  6.   mtls:
  7.     ca:
  8.       builtin: {}
  9.     enabled: true
  10.   logging:
  11.     defaultBackend: file
  12.     backends:
  13.       - name: logstash
  14.         format: |
  15.           {
  16.               "destination": "%UPSTREAM_CLUSTER%",
  17.               "destinationAddress": "%UPSTREAM_LOCAL_ADDRESS%",
  18.               "source": "%KUMA_DOWNSTREAM_CLUSTER%",
  19.               "sourceAddress": "%DOWNSTREAM_REMOTE_ADDRESS%",
  20.               "bytesReceived": "%BYTES_RECEIVED%",
  21.               "bytesSent": "%BYTES_SENT%"
  22.           }
  23.         tcp:
  24.           address: 127.0.0.1:5000
  25.       - name: file
  26.         file:
  27.           path: /tmp/access.log
  1. apiVersion: kuma.io/v1alpha1
  2. kind: TrafficLog
  3. metadata:
  4.   namespace: kuma-system
  5.   name: all-traffic
  6. spec:
  7.   sources:
  8.     - match:
  9.         service: '*'
  10.   destinations:
  11.     - match:
  12.         service: '*'
  13.   # if omitted, the default logging backend of that mesh will be used
  1. apiVersion: kuma.io/v1alpha1
  2. kind: TrafficLog
  3. metadata:
  4.   namespace: kuma-system
  5.   name: backend-to-database-traffic
  6. spec:
  7.   sources:
  8.     - match:
  9.         service: backend
  10.   destinations:
  11.     - match:
  12.         service: database
  13.   conf:
  14.     backend: logstash

If a backend in TrafficLog is not explicitly specified, the defaultBackend from Mesh will be used.

In the format field, you can use standard Envoy placeholdersTraffic Log - 图1 for TCP as well as a few additional placeholders:

  • %KUMA_SOURCE_ADDRESS% - source address of the Dataplane
  • %KUMA_SOURCE_SERVICE% - source service from which traffic is sent
  • %KUMA_DESTINATION_SERVICE% - destination service to which traffic is sent