Traffic Log

With the TrafficLog policy you can configure access logging on every Envoy data-plane belonging to the Mesh. These logs can then be collected by any agent to be inserted into systems like Splunk, ELK and Datadog. The first step is to configure backends for the Mesh. A backend can be either a file or a TCP service (like Logstash). Second step is to create a TrafficLog entity to select connections to log.

On Universal:

  1. name: default
  2. type: Mesh
  3. mtls:
  4.   ca:
  5.     builtin: {}
  6.   enabled: true
  7. logging:
  8.   defaultBackend: file
  9.   backends:
  10.     - name: logstash
  11.       format: |
  12.         {
  13.             "destination": "%UPSTREAM_CLUSTER%",
  14.             "destinationAddress": "%UPSTREAM_LOCAL_ADDRESS%",
  15.             "source": "%KUMA_DOWNSTREAM_CLUSTER%",
  16.             "sourceAddress": "%DOWNSTREAM_REMOTE_ADDRESS%",
  17.             "bytesReceived": "%BYTES_RECEIVED%",
  18.             "bytesSent": "%BYTES_SENT%"
  19.         }
  20.       tcp:
  21.         address: 127.0.0.1:5000
  22.     - name: file
  23.       file:
  24.         path: /tmp/access.log
  1. name: log-rule
  2. mesh: default
  3. type: TrafficLog
  4. rules:
  5.   - sources:
  6.     - match:
  7.         service: backend
  8.     destinations:
  9.     - match:
  10.         service: database
  11.     conf:
  12.       backend: logstash
  13.   - sources:
  14.     - match:
  15.         service: '*'
  16.     destinations:
  17.     - match:
  18.         service: '*'

On Kubernetes:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4.   namespace: kuma-system
  5.   name: default
  6. spec:
  7.   mtls:
  8.     ca:
  9.       builtin: {}
  10.     enabled: true
  11.   logging:
  12.     defaultBackend: file
  13.     backends:
  14.       - name: logstash
  15.         format: |
  16.           {
  17.               "destination": "%UPSTREAM_CLUSTER%",
  18.               "destinationAddress": "%UPSTREAM_LOCAL_ADDRESS%",
  19.               "source": "%KUMA_DOWNSTREAM_CLUSTER%",
  20.               "sourceAddress": "%DOWNSTREAM_REMOTE_ADDRESS%",
  21.               "bytesReceived": "%BYTES_RECEIVED%",
  22.               "bytesSent": "%BYTES_SENT%"
  23.           }
  24.         tcp:
  25.           address: 127.0.0.1:5000
  26.       - name: file
  27.         file:
  28.           path: /tmp/access.log
  1. apiVersion: kuma.io/v1alpha1
  2. kind: TrafficLog
  3. metadata:
  4.   namespace: kuma-system
  5.   name: log-rule
  6. spec:
  7.   rules:
  8.     - sources:
  9.       - match:
  10.           service: backend
  11.       destinations:
  12.       - match:
  13.           service: database
  14.       conf:
  15.         backend: logstash
  16.     - sources:
  17.       - match:
  18.           service: '*'
  19.       destinations:
  20.       - match:
  21.           service: '*'

If a backend in TrafficLog is not explicitly specified, the defaultBackend from Mesh will be used.

In the format field, you can use standard Envoy placeholdersTraffic Log - 图1 for TCP as well as a few additional placeholders:

  • %KUMA_SOURCE_ADDRESS% - source address of the Dataplane
  • %KUMA_SOURCE_SERVICE% - source service from which traffic is sent
  • %KUMA_DESTINATION_SERVICE% - destination service to which traffic is sent