Traffic Log

The logs can be then forwarded to a collector that can further transmit them into systems like Splunk, ELK and Datadog.

Configuring access logs in Kuma is a 2-step process:

First, you need to configure logging backends that will be available for use in a given Mesh.

A logging backend is essentially a sink for access logs.

In the current release of Kuma, a logging backend can be either a file or a TCP log collector, such as Logstash.
Second, you need to create a TrafficLog policy to select a subset of traffic and forward its access logs into one of the logging backends configured for that Mesh.

type: TrafficLog
name: all-traffic
mesh: default
# This TrafficLog policy applies to all traffic in the Mesh.
sources:
  - match:
      service: '*'
destinations:
  - match:
      service: '*'
# When `backend ` field is omitted, the logs will be forwarded into the `defaultBackend` of that Mesh.

type: TrafficLog
name: backend-to-database-traffic
# this TrafficLog policy applies only to traffic from service `backend` to service `database`.
sources:
  - match:
      service: backend
destinations:
  - match:
      service: database
conf:
  # Forward the logs into the logging backend named `logstash`.
  backend: logstash

On Kubernetes

apiVersion: kuma.io/v1alpha1
kind: TrafficLog
metadata:
  namespace: kuma-example
mesh: default
spec:
  # This TrafficLog policy applies all traffic in that Mesh.
  sources:
    - match:
        service: '*'
    - match:
        service: '*'
  # When `backend ` field is omitted, the logs will be forwarded into the `defaultBackend` of that Mesh.

apiVersion: kuma.io/v1alpha1
kind: TrafficLog
metadata:
  namespace: kuma-example
  name: backend-to-database-traffic
spec:
  # This TrafficLog policy applies only to traffic from service `backend` to service `database`.
  sources:
    - match:
        service: backend.kuma-example.svc:8080
  destinations:
    - match:
        service: database.kuma-example.svc:5432
  conf:
    # Forward the logs into the logging backend named `logstash`.
    backend: logstash

Kuma gives you full control over the format of access logs.

The shape of a single log record is defined by a template string that uses to extract and format data about a TCP connection or an HTTP request.

E.g.,

where %START_TIME% and are examples of available command operators.

A complete set of supported command operators consists of:

All command operators supported by Envoy
Command operators unique to Kuma

The latter include:

Access Logs for TCP and HTTP traffic

If a command operator is specific to HTTP traffic, such as %REQ(X?Y):Z% or %RESP(X?Y):Z%, it will be replaced by a symbol “-“ in case of TCP traffic.

Internally, Kuma determines traffic protocol based on the value of protocol tag on the inbound interface of a destination Dataplane.

The default format string for TCP traffic is:

The default format string for HTTP traffic is:

[%START_TIME%] %KUMA_MESH% "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%KUMA_SOURCE_SERVICE%" "%KUMA_DESTINATION_SERVICE%" "%KUMA_SOURCE_ADDRESS_WITHOUT_PORT%" "%UPSTREAM_HOST%"

To provide different format for TCP and HTTP logging you can define two separate logging backends with the same address and different format. Then define two TrafficLog entity, one for TCP and one for HTTP with protocol: http selector.

If you need an access log with entries in JSON format, you have to provide a template string that is a valid JSON object, e.g.

Logging external services

When running Kuma on Kubernetes you can also log the traffic to external services. To do it, the matched TrafficPermission destination section has to have wildcard * value. In such case %KUMA_DESTINATION_SERVICE% will have value and %UPSTREAM_HOST% will have an IP of the service.