Envoy Access Logs

Setup Istio by following the instructions in the Installation guide.

The egress gateway and access logging will be enabled if you install the demo .
Deploy the sleep sample app to use as a test source for sending requests. If you have enabled, run the following command to deploy the sample app:

Zip

Otherwise, manually inject the sidecar before deploying the sleep application with the following command:
```
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
```
You can use any pod with curl installed as a test source.

Set the SOURCE_POD environment variable to the name of your source pod:

$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})

Start the httpbin sample.

If you have enabled , deploy the httpbin service:
```
$ kubectl apply -f @samples/httpbin/httpbin.yaml@
```
Otherwise, you have to manually inject the sidecar before deploying the httpbin application:

Zip

Istio offers a few ways to enable access logs. Use of the Telemetry API is recommended

The Telemetry API can be used to enable or disable access logs:

apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  namespace: istio-system
spec:
  accessLogging:
  - {}

The above example provides and empty object ({}), as we do not want to configure anything other than default settings.

Similar configuration can also be applied on an individual namespace, or to an individual workload, to control logging at a fine grained level.

For more information about using the Telemetry API, see the .

If you used an IstioOperator CR to install Istio, add the following field to your configuration:

spec:
  meshConfig:
    accessLogFile: /dev/stdout

Otherwise, add the equivalent setting to your original istioctl install command, for example:

$ istioctl install <flags-you-used-to-install-Istio> --set meshConfig.accessLogFile=/dev/stdout

You can also choose between JSON and text by setting accessLogEncoding to JSON or TEXT.

Refer to global mesh options for more information on all three of these settings:

meshConfig.accessLogFile
meshConfig.accessLogEncoding
meshConfig.accessLogFormat

Istio will use the following default access log format if accessLogFormat is not specified:

The following table shows an example using the default access log format for a request sent from sleep to httpbin:

Send a request from sleep to httpbin:

$ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -v httpbin:8000/status/418
...
< HTTP/1.1 418 Unknown
< server: envoy
...
    -=[ teapot ]=-
       _...._
     .'  _ _ `.
    | ."` ^ `". _,
    \_;`"---"`|//
      |       ;/
      \_     _/
        `"""`

Check sleep’s log:

$ kubectl logs -l app=sleep -c istio-proxy
[2020-11-25T21:26:18.409Z] "GET /status/418 HTTP/1.1" 418 - via_upstream - "-" 0 135 4 4 "-" "curl/7.73.0-DEV" "84961386-6d84-929d-98bd-c5aee93b5c88" "httpbin:8000" "10.44.1.27:80" outbound|8000||httpbin.foo.svc.cluster.local 10.44.1.23:37652 10.0.45.184:8000 10.44.1.23:46520 - default

Check httpbin’s log:

$ kubectl logs -l app=httpbin -c istio-proxy
[2020-11-25T21:26:18.409Z] "GET /status/418 HTTP/1.1" 418 - via_upstream - "-" 0 135 3 1 "-" "curl/7.73.0-DEV" "84961386-6d84-929d-98bd-c5aee93b5c88" "httpbin:8000" "127.0.0.1:80" inbound|8000|| 127.0.0.1:41854 10.44.1.27:80 10.44.1.23:37652 outbound_.8000_._.httpbin.foo.svc.cluster.local default

Note that the messages corresponding to the request appear in logs of the Istio proxies of both the source and the destination, sleep and httpbin, respectively. You can see in the log the HTTP verb (GET), the HTTP path (/status/418), the response code (418) and other .

Shutdown the sleep and services:

Zip

Remove, or set to "", the meshConfig.accessLogFile setting in your Istio install configuration.

$ istioctl install --set profile=default
✔ Istio core installed
✔ Istiod installed
✔ Ingress gateways installed