Configuring Istio Access Logs
Use the Telemetry API to selectively enable the Istio access logs and filter them if needed.
Prerequisites
- You have the Istio module added.
- To use CLI instructions, you must install kubectl and curl. Alternatively, you can use Kyma dashboard.
Context
You can enable Istio access logs to provide fine-grained details about the access to workloads that are part of the Istio service mesh. This can help you observe the four “golden signals” of monitoring (latency, traffic, errors, and saturation) and troubleshoot anomalies. The Istio setup shipped with the Istio module provides a pre-configured extension provider for access logs, which configures the Istio proxies to print access logs to stdout using the JSON format. It uses a configuration similar to the following one:
extensionProviders:
  - name: stdout-json
    envoyFileAccessLog:
      path: "/dev/stdout"
      logFormat:
        labels:
          ...
          traceparent: "%REQ(TRACEPARENT)%"
          tracestate: "%REQ(TRACESTATE)%"
The log format is based on the Istio default format, enhanced with the attributes relevant for identifying the related trace context, conforming to the w3c-tracecontext protocol. See Kyma tracing for more details on tracing. See Istio tracing on how to enable trace context propagation with Istio.
WARNING
Enabling access logs may drastically increase log volume and might quickly fill up your log storage.
Configuration
Use the Telemetry API to selectively enable Istio access logs. See:
- Configure Istio Access Logs for a Namespace
- Configure Istio Access Logs for a Selective Workload
- Configure Istio Access Logs for a Selective Gateway
- Configure Istio Access Logs for the Entire Mesh
To filter the enabled access logs, you can edit the Telemetry API by adding a filter expression. See Filter Access Logs.
Configure Istio Access Logs for a Namespace
Configure Istio Access Logs for a Selective Workload
To configure label-based selection of workloads, use a selector.
Configure Istio Access Logs for a Selective Gateway
Instead of enabling the access logs for all the individual proxies of the workloads you have, you can enable the logs for the proxy used by the related Istio Ingress Gateway.
Configure Istio Access Logs for the Entire Mesh
Enable access logs for all individual proxies of the workloads and Istio Ingress Gateways.
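The three narrower scopes described above, written out as Telemetry resources. This is an added example, not configuration taken from the Istio module: the namespace `my-namespace`, the label `app: my-app`, the resource names, and the gateway label `istio: ingressgateway` are assumptions to adapt to your cluster. For the entire mesh, the same resource without a selector goes into the `istio-system` namespace.

```yaml
# Namespace scope: all proxies in "my-namespace" (placeholder name).
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: my-namespace
spec:
  accessLogging:
    - providers:
        - name: stdout-json   # pre-configured provider shown above
---
# Workload scope: only proxies of Pods carrying the selected label.
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config-workload
  namespace: my-namespace
spec:
  selector:
    matchLabels:
      app: my-app             # assumed workload label
  accessLogging:
    - providers:
        - name: stdout-json
---
# Gateway scope: only the Istio Ingress Gateway proxy.
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config-gateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway   # assumed gateway Pod label
  accessLogging:
    - providers:
        - name: stdout-json
```

Starting with the gateway or a single workload keeps log volume bounded while you confirm that the emitted fields are the ones you need.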
Filter Access Logs
Often, access logs emitted by Envoy do not contain data relevant to your observations, especially when the traffic is not based on an HTTP-based protocol. In such a situation, you can directly configure the Istio Envoys to filter out logs using a filter expression. To filter access logs, you can leverage the same Istio Telemetry API that you used to enable them. To formulate which logs to keep, define a filter expression leveraging the typical Envoy attributes.
For example, to filter out all logs having no protocol defined (which is the case if they are not HTTP-based), you can use a configuration similar to this example:
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: access-config
  namespace: istio-system
spec:
  accessLogging:
    - filter:
        expression: 'has(request.protocol)'
      providers:
        - name: stdout-json