View logs

Access logs are generated by both ztunnel and waypoint proxies. You can query them to diagnose problems with your cluster, or you can send them to an observability tool.

ztunnel logs

ztunnel’s traffic logs can be queried using the standard Kubernetes log facilities. You can query a single ztunnel pod, or aggregate the view of all your ztunnels using a label query:

$ kubectl -n istio-system logs -l app=ztunnel | grep -E "inbound|outbound"
2024-11-04T09:43:28.232145Z	info	access	connection complete	src.addr=10.244.1.44:34406 src.workload="productpage-v1-c5b7f7dbc-bd876" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" dst.addr=10.244.1.36:15008 dst.hbone_addr=10.96.66.64:9080 dst.service="details.default.svc.cluster.local" dst.workload="waypoint-7d995c5747-cbmqd" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/waypoint" direction="outbound" bytes_sent=192 bytes_recv=413 duration="5ms"
2024-11-04T09:43:28.236147Z	info	access	connection complete	src.addr=10.244.1.44:53574 src.workload="productpage-v1-c5b7f7dbc-bd876" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" dst.addr=10.244.1.36:15008 dst.hbone_addr=10.96.47.117:9080 dst.service="reviews.default.svc.cluster.local" dst.workload="waypoint-7d995c5747-cbmqd" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/waypoint" direction="outbound" bytes_sent=192 bytes_recv=648 duration="2ms"
2024-11-04T09:43:28.237370Z	info	access	connection complete	src.addr=10.244.1.35:52196 src.workload="bookinfo-gateway-istio-574fdf9755-59kqb" src.namespace="default" src.identity="spiffe://cluster.local/ns/default/sa/bookinfo-gateway-istio" dst.addr=10.244.1.44:15008 dst.hbone_addr=10.244.1.44:9080 dst.service="productpage-v1.default.svc.cluster.local" dst.workload="productpage-v1-c5b7f7dbc-bd876" dst.namespace="default" dst.identity="spiffe://cluster.local/ns/default/sa/bookinfo-productpage" direction="inbound" bytes_sent=9618 bytes_recv=959 duration="14ms"

In this example, we see a single call to the productpage service, through the bookinfo-gateway as configured in the Quickstart guide. That service goes on to make calls to details and reviews, both of which are sent through a waypoint proxy.

Access logs are emitted upon completion of each connection. Connection establishment is also logged (with less information) at debug level. Learn how to set the log level of a ztunnel proxy.
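The following is an added example, not part of the Istio documentation or the ztunnel code base: it parses the key=value fields of ztunnel access log lines like those above and reports outbound flows whose source identity and destination service are not on an expected list. The allowlist, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs; a value is either "double quoted" or a bare token.
FIELD_RE = re.compile(r'([\w.]+)=("[^"]*"|\S+)')

def parse_ztunnel_line(line):
    """Return the fields of one ztunnel access log line as a dict, else None."""
    parts = line.strip().split(None, 3)  # timestamp, level, scope, rest
    if len(parts) < 4 or parts[2] != "access":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(parts[3])}
    fields["timestamp"] = parts[0]
    return fields

def unexpected_flows(lines, allowed):
    """Count outbound (src.identity, dst.service) pairs that are not in `allowed`."""
    hits = Counter()
    for line in lines:
        f = parse_ztunnel_line(line)
        # Only outbound records, so a connection reported by both ends counts once.
        if f is None or f.get("direction") != "outbound":
            continue
        flow = (f.get("src.identity", "<none>"), f.get("dst.service", "<none>"))
        if flow not in allowed:
            hits[flow] += 1
    return hits

SA = "spiffe://cluster.local/ns/default/sa/"
DETAILS = "details.default.svc.cluster.local"
REVIEWS = "reviews.default.svc.cluster.local"
# Assumed policy for this example: the only flows we expect to see.
ALLOWED = {(SA + "bookinfo-productpage", DETAILS), (SA + "bookinfo-productpage", REVIEWS)}
HEAD = "2024-11-04T09:43:28.232145Z\tinfo\taccess\tconnection complete\t"
# Constructed sample lines, shortened from the format shown above.
SAMPLE = [
    HEAD + f'src.addr=10.244.1.44:34406 src.identity="{SA}bookinfo-productpage" dst.service="{DETAILS}" direction="outbound" bytes_sent=192 bytes_recv=413 duration="5ms"',
    HEAD + f'src.addr=10.244.1.44:53574 src.identity="{SA}bookinfo-productpage" dst.service="{REVIEWS}" direction="outbound" bytes_sent=192 bytes_recv=648 duration="2ms"',
    HEAD + f'src.addr=10.244.1.45:40112 src.identity="{SA}bookinfo-reviews" dst.service="{DETAILS}" direction="outbound" bytes_sent=80 bytes_recv=120 duration="3ms"',
    HEAD + f'src.addr=10.244.1.35:52196 src.identity="{SA}bookinfo-gateway-istio" dst.service="productpage-v1.default.svc.cluster.local" direction="inbound" bytes_sent=9618 bytes_recv=959 duration="14ms"',
    "2024-11-04T09:43:00.000000Z\tinfo\tsample\tnot an access record",
]

if __name__ == "__main__":
    for (src, dst), n in unexpected_flows(SAMPLE, ALLOWED).items():
        print(f"unexpected flow x{n}: {src} -> {dst}")
```

To run it against a live cluster, feed it the output of the kubectl command above instead of SAMPLE.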

Gateway and waypoint logs

Gateway and waypoint access logs are off by default. They can be enabled using Istio’s Telemetry API.

To enable access logging for gateways and waypoints in a namespace, create a Telemetry object in that namespace:

apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: enable-access-logging
  namespace: default
spec:
  accessLogging:
    - providers:
      - name: envoy

To enable access logging for the entire mesh, use istio-system as the namespace.

You can apply filters so Envoy only logs requests that match a certain pattern.

Logs matching the above requests can be seen in the waypoint:

[2024-11-04T09:43:28.229Z] "GET /details/0 HTTP/1.1" 200 - via_upstream - "-" 0 178 1 1 "-" "curl/8.6.0" "a53ab794-1ea1-472c-b5e8-9cb4cf179091" "details:9080" "envoy://connect_originate/10.244.1.40:9080" inbound-vip|9080|http|details.default.svc.cluster.local envoy://internal_client_address/ 10.96.66.64:9080 10.244.1.44:60134 - default
[2024-11-04T09:43:28.233Z] "GET /reviews/0 HTTP/1.1" 200 - via_upstream - "-" 0 358 1 1 "-" "curl/8.6.0" "a53ab794-1ea1-472c-b5e8-9cb4cf179091" "reviews:9080" "envoy://connect_originate/10.244.1.45:9080" inbound-vip|9080|http|reviews-v1.default.svc.cluster.local envoy://internal_client_address/ 10.96.47.117:9080 10.244.1.44:60134 - default.reviews.0

Learn how to parse the Envoy access log format.