Getting Envoy's Access Logs
The simplest kind of Istio logging is
Envoy’s access logging.
Envoy proxies print access information to their standard output.
The standard output of Envoy’s containers can then be printed by the kubectl logs
command.
Before you begin
Setup Istio by following the instructions in the Installation guide.
Deploy the sleep sample app to use as a test source for sending requests. If you have automatic sidecar injection enabled, run the following command to deploy the sample app:
$ kubectl apply -f @samples/sleep/sleep.yaml@
Otherwise, manually inject the sidecar before deploying the
sleep
application with the following command:$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
Set the
SOURCE_POD
environment variable to the name of your source pod:$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
Start the httpbin sample.
If you have enabled automatic sidecar injection, deploy the
httpbin
service:$ kubectl apply -f @samples/httpbin/httpbin.yaml@
Otherwise, you have to manually inject the sidecar before deploying the
httpbin
application:$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@)
Enable Envoy’s access logging
Edit the istio
configuration map:
$ istioctl install --set profile=demo --set meshConfig.accessLogFile="/dev/stdout"
✔ Istio core installed
✔ Istiod installed
✔ Addons installed
✔ Ingress gateways installed
✔ Egress gateways installed
✔ Installation complete
You can also choose between JSON and text by setting accessLogEncoding
to JSON
or TEXT
.
You may also want to customize the
format of the access log by editing accessLogFormat
.
meshConfig.accessLogFile
meshConfig.accessLogEncoding
meshConfig.accessLogFormat
Test the access log
Send a request from
sleep
tohttpbin
:$ kubectl exec -it $(kubectl get pod -l app=sleep -o jsonpath='{.items[0].metadata.name}') -c sleep -- curl -v httpbin:8000/status/418 * Trying 172.21.13.94... * TCP_NODELAY set * Connected to httpbin (172.21.13.94) port 8000 (#0) > GET /status/418 HTTP/1.1 ... < HTTP/1.1 418 Unknown < server: envoy ... -=[ teapot ]=- _...._ .' _ _ `. | ."` ^ `". _, \_;`"---"`|// | ;/ \_ _/ `"""` * Connection #0 to host httpbin left intact
Check
sleep
’s log:$ kubectl logs -l app=sleep -c istio-proxy [2019-03-06T09:31:27.354Z] "GET /status/418 HTTP/1.1" 418 - "-" 0 135 11 10 "-" "curl/7.60.0" "d209e46f-9ed5-9b61-bbdd-43e22662702a" "httpbin:8000" "172.30.146.73:80" outbound|8000||httpbin.default.svc.cluster.local - 172.21.13.94:8000 172.30.146.82:60290 -
Check
httpbin
’s log:$ kubectl logs -l app=httpbin -c istio-proxy [2019-03-06T09:31:27.360Z] "GET /status/418 HTTP/1.1" 418 - "-" 0 135 5 2 "-" "curl/7.60.0" "d209e46f-9ed5-9b61-bbdd-43e22662702a" "httpbin:8000" "127.0.0.1:80" inbound|8000|http|httpbin.default.svc.cluster.local - 172.30.146.73:80 172.30.146.82:38618 outbound_.8000_._.httpbin.default.svc.cluster.local
Note that the messages corresponding to the request appear in logs of the Istio proxies of both the source and the destination, sleep
and httpbin
, respectively. You can see in the log the HTTP verb (GET
), the HTTP path (/status/418
), the response code (418
) and other request-related information.
Cleanup
Shutdown the sleep and httpbin services:
$ kubectl delete -f @samples/sleep/sleep.yaml@
$ kubectl delete -f @samples/httpbin/httpbin.yaml@
Disable Envoy’s access logging
Edit the istio
configuration map and set accessLogFile
to ""
.
$ istioctl install --set profile=demo
✔ Istio core installed
✔ Istiod installed
✔ Egress gateways installed
✔ Ingress gateways installed
✔ Addons installed
✔ Installation complete