Access logging
The HTTP connection manager, the tcp proxy and the thrift proxy support extensible access logging with the following features:
Any number of access logs per a connection stream.
Customizable access log filters that allow different types of requests and responses to be written to different access logs.
Downstream connection access logging can be enabled using listener access logs. The listener access logs complement HTTP request access logging and can be enabled separately and independently from filter access logs.
If access log is enabled, then by default it will be reported to the configured sinks at the end of a TCP connection, or HTTP stream. It is possible to extend this behavior and report access logs periodically or at the start of a TCP connection or HTTP stream. Reporting access logs right after upstream connection establishment or new incoming HTTP request does not depend on periodic reporting, and the other way around.
Start of session access logs
TCP Proxy
For TCP Proxy, it is possible to enable an access log record once after a successful upstream connection by using flush access log on connected
HTTP Connection Manager
For HTTP Connection Manager, it is possible to enable an access log once when a new HTTP request is received, and before iterating the filter chain by using flush access log on new request Note: Some information such as upstream host will not be available yet.
HTTP Router Filter
For Router Filter, is is possible to enable an upstream access log when a new upstream stream is associated with the downstream stream, and after successfully establishing a connection with the upstream by using flush upstream log on upstream stream Note: In case that the HTTP request involves retries, a start of request upstream access log will be recorded for each retry.
Periodic access logs
TCP Proxy
For TCP Proxy, it is possible to enable a prediodic access log by using access log flush interval Note: The first access log entry is generated one interval after a new connection is received by the TCP Proxy whether or not an upstream connection has been made.
HTTP Connection Manager
For HTTP Connection Manager, it is possible to enable a prediodic access log by using access log flush interval Note: The first access log entry is generated one interval after a new HTTP request is received by the HTTP Connection Manager and before iterating the HTTP filter chain, whether or not an upstream connection has been made.
HTTP Router Filter
For Router Filter, it is possible to enable a prediodic access log by using upstream log flush interval Note: The first access log entry is generated one interval after a new HTTP request is received by the router filter, whether or not an upstream connection has been made.
Access log filters
Envoy supports several built-in access log filters and extension filters that are registered at runtime.
Access logging sinks
Envoy supports pluggable access logging sinks. The currently supported sinks are:
File
Asynchronous IO flushing architecture. Access logging will never block the main network processing threads.
Customizable access log formats using predefined fields as well as arbitrary HTTP request and response headers.
gRPC
Envoy can send access log messages to a gRPC access logging service.
Stdout
Asynchronous IO flushing architecture. Access logging will never block the main network processing threads.
Customizable access log formats using predefined fields as well as arbitrary HTTP request and response headers.
Writes to the standard output of the process. It works in all platforms.
Stderr
Asynchronous IO flushing architecture. Access logging will never block the main network processing threads.
Customizable access log formats using predefined fields as well as arbitrary HTTP request and response headers.
Writes to the standard error of the process. It works in all platforms.
Further reading
Access log configuration.
File access log sink.
gRPC Access Log Service (ALS) sink.
OpenTelemetry (gRPC) LogsService
Stdout access log sink
Stderr access log sink