Getting Envoy's Access Logs

The simplest kind of Istio logging is Envoy’s access logging. Envoy proxies print access information to their standard output. The standard output of Envoy’s containers can then be printed by the kubectl logs command.

Before you begin

  • Setup Istio by following the instructions in the Installation guide.

  • Deploy the sleep sample app to use as a test source for sending requests. If you have automatic sidecar injection enabled, run the following command to deploy the sample app:

    $ kubectl apply -f @samples/sleep/sleep.yaml@

    Otherwise, manually inject the sidecar before deploying the sleep application with the following command:

    $ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
  • Set the SOURCE_POD environment variable to the name of your source pod:

    $ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={})
  • Start the httpbin sample.

    If you have enabled automatic sidecar injection, deploy the httpbin service:

    $ kubectl apply -f @samples/httpbin/httpbin.yaml@

    Otherwise, you have to manually inject the sidecar before deploying the httpbin application:

    $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@)

Enable Envoy’s access logging

Edit the istio configuration map:

$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml --set global.proxy.accessLogFile="/dev/stdout" | kubectl replace -f -
configmap "istio" replaced

You can also choose between JSON and text by setting accessLogEncoding to JSON or TEXT.

You may also want to customize the format of the access log by editing accessLogFormat.

  • global.proxy.accessLogFile
  • global.proxy.accessLogEncoding
  • global.proxy.accessLogFormat

Test the access log

  1. Send a request from sleep to httpbin:

    $ kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0]}') -c sleep -- curl -v httpbin:8000/status/418
    *   Trying
    * TCP_NODELAY set
    * Connected to httpbin ( port 8000 (#0)
    > GET /status/418 HTTP/1.1
    < HTTP/1.1 418 Unknown
    < server: envoy
        -=[ teapot ]=-
         .'  _ _ `.
        | ."` ^ `". _,
          |       ;/
          \_     _/
    * Connection #0 to host httpbin left intact
  2. Check sleep’s log:

    $ kubectl logs -l app=sleep -c istio-proxy
    [2019-03-06T09:31:27.354Z] "GET /status/418 HTTP/1.1" 418 - "-" 0 135 11 10 "-" "curl/7.60.0" "d209e46f-9ed5-9b61-bbdd-43e22662702a" "httpbin:8000" "" outbound|8000||httpbin.default.svc.cluster.local - -
  3. Check httpbin’s log:

    $ kubectl logs -l app=httpbin -c istio-proxy
    [2019-03-06T09:31:27.360Z] "GET /status/418 HTTP/1.1" 418 - "-" 0 135 5 2 "-" "curl/7.60.0" "d209e46f-9ed5-9b61-bbdd-43e22662702a" "httpbin:8000" "" inbound|8000|http|httpbin.default.svc.cluster.local - outbound_.8000_._.httpbin.default.svc.cluster.local

Note that the messages corresponding to the request appear in logs of the Istio proxies of both the source and the destination, sleep and httpbin, respectively. You can see in the log the HTTP verb (GET), the HTTP path (/status/418), the response code (418) and other request-related information.


Shutdown the sleep and httpbin services:

$ kubectl delete -f @samples/sleep/sleep.yaml@
$ kubectl delete -f @samples/httpbin/httpbin.yaml@

Disable Envoy’s access logging

Edit the istio configuration map and set accessLogFile to "".

$ helm template install/kubernetes/helm/istio --namespace=istio-system -x templates/configmap.yaml | kubectl replace -f -
configmap "istio" replaced