View logs
Access logs are generated by both ztunnel and waypoint proxies. You can query them to diagnose problems with your cluster, or you can send them to an observability tool.
ztunnel logs
ztunnel’s traffic logs can be queried using the standard Kubernetes log facilities. You can query a single ztunnel pod, or aggregate the view of all your ztunnels using a label query:
$ kubectl -n istio-system logs -l app=ztunnel | grep -E "inbound|outbound"
2024-11-04T09:43:28.232145Z info access connection complete src.addr=10.244.1.44:34406 src.workload="productpage-v1-c5b7f7dbc-bd876" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" dst.addr=10.244.1.36:15008 dst.hbone_addr=10.96.66.64:9080 dst.service="details.default.svc.cluster.local" dst.workload="waypoint-7d995c5747-cbmqd" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/waypoint" direction="outbound" bytes_sent=192 bytes_recv=413 duration="5ms"
2024-11-04T09:43:28.236147Z info access connection complete src.addr=10.244.1.44:53574 src.workload="productpage-v1-c5b7f7dbc-bd876" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" dst.addr=10.244.1.36:15008 dst.hbone_addr=10.96.47.117:9080 dst.service="reviews.default.svc.cluster.local" dst.workload="waypoint-7d995c5747-cbmqd" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/waypoint" direction="outbound" bytes_sent=192 bytes_recv=648 duration="2ms"
2024-11-04T09:43:28.237370Z info access connection complete src.addr=10.244.1.35:52196 src.workload="bookinfo-gateway-istio-574fdf9755-59kqb" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-gateway-istio" dst.addr=10.244.1.44:15008 dst.hbone_addr=10.244.1.44:9080 dst.service="productpage-v1.default.svc.cluster.local" dst.workload="productpage-v1-c5b7f7dbc-bd876" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" direction="inbound" bytes_sent=9618 bytes_recv=959 duration="14ms"
In this example, we see a single call to the productpage service, through the bookinfo-gateway as configured in the Quickstart guide. That service goes on to make calls to details and reviews, both of which are sent through a waypoint proxy.
Access logs are emitted upon completion of each connection. Connection establishment is also logged (with less information) at debug level. Learn how to set the log level of a ztunnel proxy.
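The following Python is an added example, not part of the Istio documentation. It parses the access-log lines shown above into fields, counts flows by source identity, destination service and direction, and flags connections whose src.identity is absent or outside the expected trust domain. The function names, the third sample line and the treatment of a missing src.identity as an unauthenticated peer are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample input: the first two lines are shortened from the output
# above; the third (no src.identity) is invented to exercise the flagged case.
SAMPLE = [
    '2024-11-04T09:43:28.232145Z info access connection complete '
    'src.addr=10.244.1.44:34406 src.workload="productpage-v1-c5b7f7dbc-bd876" '
    'src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" '
    'dst.addr=10.244.1.36:15008 dst.service="details.default.svc.cluster.local" '
    'direction="outbound" bytes_sent=192 bytes_recv=413 duration="5ms"',
    '2024-11-04T09:43:28.237370Z info access connection complete '
    'src.addr=10.244.1.35:52196 '
    'src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-gateway-istio" '
    'dst.addr=10.244.1.44:15008 dst.service="productpage-v1.default.svc.cluster.local" '
    'direction="inbound" bytes_sent=9618 bytes_recv=959 duration="14ms"',
    '2024-11-04T09:43:29.000000Z info access connection complete '
    'src.addr=10.244.2.9:40000 dst.addr=10.244.1.44:9080 '
    'direction="inbound" bytes_sent=10 bytes_recv=20 duration="1ms"',
]

HEADER = re.compile(r'^(\S+)\s+(\w+)\s+access\s+connection complete\s+(.*)$')
FIELD = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None for other lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group(1), "level": m.group(2)}
    for key, val in FIELD.findall(m.group(3)):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec

def review(lines, trust_domain="cluster.local"):
    """Count flows per (src.identity, dst.service, direction) and collect records
    whose source identity is missing or outside trust_domain (assumed policy)."""
    flows, flagged = Counter(), []
    prefix = f"spiffe://{trust_domain}/"
    for rec in filter(None, map(parse_line, lines)):
        ident = rec.get("src.identity", "")
        flows[(ident or "-", rec.get("dst.service", "-"), rec.get("direction", "-"))] += 1
        if not ident.startswith(prefix):
            flagged.append(rec)
    return flows, flagged

if __name__ == "__main__":
    flows, flagged = review(SAMPLE)
    for flow, count in flows.items():
        print(count, *flow)
    for rec in flagged:
        print("no trusted source identity:", rec["src.addr"], "->", rec["dst.addr"])
```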
Gateway and waypoint logs
Gateway and waypoint access logs are off by default. They can be enabled using Istio’s Telemetry API.
To enable access logging for gateways and waypoints in a namespace, create a Telemetry object in that namespace:
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: enable-access-logging
  namespace: default
spec:
  accessLogging:
  - providers:
    - name: envoy
To enable for the entire mesh, use istio-system as the namespace.
You can apply filters so Envoy only logs requests that match a certain pattern.
Logs matching the above requests can be seen in the waypoint:
[2024-11-04T09:43:28.229Z] "GET /details/0 HTTP/1.1" 200 - via_upstream - "-" 0 178 1 1 "-" "curl/8.6.0" "a53ab794-1ea1-472c-b5e8-9cb4cf179091" "details:9080" "envoy://connect_originate/10.244.1.40:9080" inbound-vip|9080|http|details.default.svc.cluster.local envoy://internal_client_address/ 10.96.66.64:9080 10.244.1.44:60134 - default
[2024-11-04T09:43:28.233Z] "GET /reviews/0 HTTP/1.1" 200 - via_upstream - "-" 0 358 1 1 "-" "curl/8.6.0" "a53ab794-1ea1-472c-b5e8-9cb4cf179091" "reviews:9080" "envoy://connect_originate/10.244.1.45:9080" inbound-vip|9080|http|reviews-v1.default.svc.cluster.local envoy://internal_client_address/ 10.96.47.117:9080 10.244.1.44:60134 - default.reviews.0