Access Logs

Who Calls Whom?

By default, logs are written to stdout, in text format.

Configuration

To enable the access logs:

File (YAML)

  1. accessLog: {}

File (TOML)

  1. [accessLog]

CLI

  1. --accesslog=true

addInternals

Optional, Default=”false”

Enables access logs for internal resources (e.g.: ping@internal).

File (YAML)

  1. accesslog:
  2. addInternals: true

File (TOML)

  1. [accesslog]
  2. addInternals = true

CLI

  1. --accesslog.addinternals

filePath

By default access logs are written to the standard output. To write the logs into a log file, use the filePath option.

File (YAML)

  1. accessLog:
  2. filePath: "/path/to/access.log"

File (TOML)

  1. [accessLog]
  2. filePath = "/path/to/access.log"

CLI

  1. --accesslog.filepath=/path/to/access.log

format

Optional, Default=”common”

By default, logs are written using the Common Log Format (CLF). To write logs in JSON, use json in the format option. If the given format is unsupported, the default (CLF) is used instead.

Common Log Format

  1. <remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms

File (YAML)

  1. accessLog:
  2. format: "json"

File (TOML)

  1. [accessLog]
  2. format = "json"

CLI

  1. --accesslog.format=json

bufferingSize

To write the logs in an asynchronous fashion, specify a bufferingSize option. This option represents the number of log lines Traefik will keep in memory before writing them to the selected output. In some cases, this option can greatly help performances.

File (YAML)

  1. # Configuring a buffer of 100 lines
  2. accessLog:
  3. filePath: "/path/to/access.log"
  4. bufferingSize: 100

File (TOML)

  1. # Configuring a buffer of 100 lines
  2. [accessLog]
  3. filePath = "/path/to/access.log"
  4. bufferingSize = 100

CLI

  1. # Configuring a buffer of 100 lines
  2. --accesslog.filepath=/path/to/access.log
  3. --accesslog.bufferingsize=100

Filtering

To filter logs, you can specify a set of filters which are logically “OR-connected”. Thus, specifying multiple filters will keep more access logs than specifying only one.

The available filters are:

  • statusCodes, to limit the access logs to requests with a status codes in the specified range
  • retryAttempts, to keep the access logs when at least one retry has happened
  • minDuration, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see time.ParseDuration)

File (YAML)

  1. # Configuring Multiple Filters
  2. accessLog:
  3. filePath: "/path/to/access.log"
  4. format: json
  5. filters:
  6. statusCodes:
  7. - "200"
  8. - "300-302"
  9. retryAttempts: true
  10. minDuration: "10ms"

File (TOML)

  1. # Configuring Multiple Filters
  2. [accessLog]
  3. filePath = "/path/to/access.log"
  4. format = "json"
  5. [accessLog.filters]
  6. statusCodes = ["200", "300-302"]
  7. retryAttempts = true
  8. minDuration = "10ms"

CLI

  1. # Configuring Multiple Filters
  2. --accesslog.filepath=/path/to/access.log
  3. --accesslog.format=json
  4. --accesslog.filters.statuscodes=200,300-302
  5. --accesslog.filters.retryattempts
  6. --accesslog.filters.minduration=10ms

Limiting the Fields/Including Headers

You can decide to limit the logged fields/headers to a given list with the fields.names and fields.headers options.

Each field can be set to:

  • keep to keep the value
  • drop to drop the value

Header fields may also optionally be set to redact to replace the value with “REDACTED”.

The defaultMode for fields.names is keep.

The defaultMode for fields.headers is drop.

File (YAML)

  1. # Limiting the Logs to Specific Fields
  2. accessLog:
  3. filePath: "/path/to/access.log"
  4. format: json
  5. fields:
  6. defaultMode: keep
  7. names:
  8. ClientUsername: drop
  9. headers:
  10. defaultMode: keep
  11. names:
  12. User-Agent: redact
  13. Authorization: drop
  14. Content-Type: keep

File (TOML)

  1. # Limiting the Logs to Specific Fields
  2. [accessLog]
  3. filePath = "/path/to/access.log"
  4. format = "json"
  5. [accessLog.fields]
  6. defaultMode = "keep"
  7. [accessLog.fields.names]
  8. "ClientUsername" = "drop"
  9. [accessLog.fields.headers]
  10. defaultMode = "keep"
  11. [accessLog.fields.headers.names]
  12. "User-Agent" = "redact"
  13. "Authorization" = "drop"
  14. "Content-Type" = "keep"

CLI

  1. # Limiting the Logs to Specific Fields
  2. --accesslog.filepath=/path/to/access.log
  3. --accesslog.format=json
  4. --accesslog.fields.defaultmode=keep
  5. --accesslog.fields.names.ClientUsername=drop
  6. --accesslog.fields.headers.defaultmode=keep
  7. --accesslog.fields.headers.names.User-Agent=redact
  8. --accesslog.fields.headers.names.Authorization=drop
  9. --accesslog.fields.headers.names.Content-Type=keep

Available Fields

FieldDescription
StartUTCThe time at which request processing started.
StartLocalThe local time at which request processing started.
DurationThe total time taken (in nanoseconds) by processing the response, including the origin server’s time but not the log writing time.
RouterNameThe name of the Traefik router.
ServiceNameThe name of the Traefik backend.
ServiceURLThe URL of the Traefik backend.
ServiceAddrThe IP:port of the Traefik backend (extracted from ServiceURL)
ClientAddrThe remote address in its original form (usually IP:port).
ClientHostThe remote IP address from which the client request was received.
ClientPortThe remote TCP port from which the client request was received.
ClientUsernameThe username provided in the URL, if present.
RequestAddrThe HTTP Host header (usually IP:port). This is treated as not a header by the Go API.
RequestHostThe HTTP Host server name (not including port).
RequestPortThe TCP port from the HTTP Host.
RequestMethodThe HTTP method.
RequestPathThe HTTP request URI, not including the scheme, host or port.
RequestProtocolThe version of HTTP requested.
RequestSchemeThe HTTP scheme requested http or https.
RequestLineRequestMethod + RequestPath + RequestProtocol
RequestContentSizeThe number of bytes in the request entity (a.k.a. body) sent by the client.
OriginDurationThe time taken (in nanoseconds) by the origin server (‘upstream’) to return its response.
OriginContentSizeThe content length specified by the origin server, or 0 if unspecified.
OriginStatusThe HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0).
OriginStatusLineOriginStatus + Status code explanation
DownstreamStatusThe HTTP status code returned to the client.
DownstreamStatusLineDownstreamStatus + Status code explanation
DownstreamContentSizeThe number of bytes in the response entity returned to the client. This is in addition to the “Content-Length” header, which may be present in the origin response.
RequestCountThe number of requests received since the Traefik instance started.
GzipRatioThe response body compression ratio achieved.
OverheadThe processing time overhead (in nanoseconds) caused by Traefik.
RetryAttemptsThe amount of attempts the request was retried.
TLSVersionThe TLS version used by the connection (e.g. 1.2) (if connection is TLS).
TLSCipherThe TLS cipher used by the connection (e.g. TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA) (if connection is TLS)
TLSClientSubjectThe string representation of the TLS client certificate’s Subject (e.g. CN=username,O=organization)
TraceIdA consistent identifier for tracking requests across services, including upstream ones managed by Traefik, shown as a 32-hex digit string
SpanIdA unique identifier for Traefik’s root span (EntryPoint) within a request trace, formatted as a 16-hex digit string.

Log Rotation

Traefik will close and reopen its log files, assuming they’re configured, on receipt of a USR1 signal. This allows the logs to be rotated and processed by an external program, such as logrotate.

Warning

This does not work on Windows due to the lack of USR signals.

Time Zones

Traefik will timestamp each log line in UTC time by default.

It is possible to configure the Traefik to timestamp in a specific timezone by ensuring the following configuration has been made in your environment:

  1. Provide time zone data to /etc/localtime or /usr/share/zoneinfo (based on your distribution) or set the environment variable TZ to the desired timezone
  2. Specify the field StartLocal by dropping the field named StartUTC (available on the default Common Log Format (CLF) as well as JSON)

Example utilizing Docker Compose:

  1. version: "3.7"
  2. services:
  3. traefik:
  4. image: traefik:v3.3
  5. environment:
  6. - TZ=US/Alaska
  7. command:
  8. - --accesslog.fields.names.StartUTC=drop
  9. - --providers.docker
  10. ports:
  11. - 80:80
  12. volumes:
  13. - /var/run/docker.sock:/var/run/docker.sock

OpenTelemetry

Experimental Feature

The OpenTelemetry access logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.

File (YAML)

  1. experimental:
  2. otlpLogs: true

File (TOML)

  1. [experimental.otlpLogs]

CLI

  1. --experimental.otlpLogs=true

To enable the OpenTelemetry Logger for access logs:

File (YAML)

  1. accesslog:
  2. otlp: {}

File (TOML)

  1. [accesslog.otlp]

CLI

  1. --accesslog.otlp=true

Default protocol

The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the gRPC Section to use gRPC.

HTTP configuration

Optional

This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP.

File (YAML)

  1. accesslog:
  2. otlp:
  3. http: {}

File (TOML)

  1. [accesslog.otlp.http]

CLI

  1. --accesslog.otlp.http=true

endpoint

Optional, Default=”https://localhost:4318/v1/logs“, Format=”<scheme>://<host>:<port><path>

URL of the OpenTelemetry Collector to send access logs to.

Insecure mode

To disable TLS, use http:// instead of https:// in the endpoint configuration.

File (YAML)

  1. accesslog:
  2. otlp:
  3. http:
  4. endpoint: https://collector:4318/v1/logs

File (TOML)

  1. [accesslog.otlp.http]
  2. endpoint = "https://collector:4318/v1/logs"

CLI

  1. --accesslog.otlp.http.endpoint=https://collector:4318/v1/logs

headers

Optional, Default={}

Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.

File (YAML)

  1. accesslog:
  2. otlp:
  3. http:
  4. headers:
  5. foo: bar
  6. baz: buz

File (TOML)

  1. [accesslog.otlp.http.headers]
  2. foo = "bar"
  3. baz = "buz"

CLI

  1. --accesslog.otlp.http.headers.foo=bar --accesslog.otlp.http.headers.baz=buz

tls

Optional

Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.

ca

Optional

ca is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle.

File (YAML)

  1. accesslog:
  2. otlp:
  3. http:
  4. tls:
  5. ca: path/to/ca.crt

File (TOML)

  1. [accesslog.otlp.http.tls]
  2. ca = "path/to/ca.crt"

CLI

  1. --accesslog.otlp.http.tls.ca=path/to/ca.crt
cert

Optional

cert is the path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the key option is required.

File (YAML)

  1. accesslog:
  2. otlp:
  3. http:
  4. tls:
  5. cert: path/to/foo.cert
  6. key: path/to/foo.key

File (TOML)

  1. [accesslog.otlp.http.tls]
  2. cert = "path/to/foo.cert"
  3. key = "path/to/foo.key"

CLI

  1. --accesslog.otlp.http.tls.cert=path/to/foo.cert
  2. --accesslog.otlp.http.tls.key=path/to/foo.key
key

Optional

key is the path to the private key used for the secure connection to the OpenTelemetry Collector. When using this option, setting the cert option is required.

File (YAML)

  1. accesslog:
  2. otlp:
  3. http:
  4. tls:
  5. cert: path/to/foo.cert
  6. key: path/to/foo.key

File (TOML)

  1. [accesslog.otlp.http.tls]
  2. cert = "path/to/foo.cert"
  3. key = "path/to/foo.key"

CLI

  1. --accesslog.otlp.http.tls.cert=path/to/foo.cert
  2. --accesslog.otlp.http.tls.key=path/to/foo.key
insecureSkipVerify

Optional, Default=false

If insecureSkipVerify is true, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.

File (YAML)

  1. accesslog:
  2. otlp:
  3. http:
  4. tls:
  5. insecureSkipVerify: true

File (TOML)

  1. [accesslog.otlp.http.tls]
  2. insecureSkipVerify = true

CLI

  1. --accesslog.otlp.http.tls.insecureSkipVerify=true

gRPC configuration

Optional

This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC.

File (YAML)

  1. accesslog:
  2. otlp:
  3. grpc: {}

File (TOML)

  1. [accesslog.otlp.grpc]

CLI

  1. --accesslog.otlp.grpc=true

endpoint

Required, Default=”localhost:4317”, Format=”<host>:<port>

Address of the OpenTelemetry Collector to send access logs to.

File (YAML)

  1. accesslog:
  2. otlp:
  3. grpc:
  4. endpoint: localhost:4317

File (TOML)

  1. [accesslog.otlp.grpc]
  2. endpoint = "localhost:4317"

CLI

  1. --accesslog.otlp.grpc.endpoint=localhost:4317

insecure

Optional, Default=false

Allows exporter to send access logs to the OpenTelemetry Collector without using a secured protocol.

File (YAML)

  1. accesslog:
  2. otlp:
  3. grpc:
  4. insecure: true

File (TOML)

  1. [accesslog.otlp.grpc]
  2. insecure = true

CLI

  1. --accesslog.otlp.grpc.insecure=true

headers

Optional, Default={}

Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.

File (YAML)

  1. accesslog:
  2. otlp:
  3. grpc:
  4. headers:
  5. foo: bar
  6. baz: buz

File (TOML)

  1. [accesslog.otlp.grpc.headers]
  2. foo = "bar"
  3. baz = "buz"

CLI

  1. --accesslog.otlp.grpc.headers.foo=bar --accesslog.otlp.grpc.headers.baz=buz

tls

Optional

Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.

ca

Optional

ca is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector, it defaults to the system bundle.

File (YAML)

  1. accesslog:
  2. otlp:
  3. grpc:
  4. tls:
  5. ca: path/to/ca.crt

File (TOML)

  1. [accesslog.otlp.grpc.tls]
  2. ca = "path/to/ca.crt"

CLI

  1. --accesslog.otlp.grpc.tls.ca=path/to/ca.crt
cert

Optional

cert is the path to the public certificate used for the secure connection to the OpenTelemetry Collector. When using this option, setting the key option is required.

File (YAML)

  1. accesslog:
  2. otlp:
  3. grpc:
  4. tls:
  5. cert: path/to/foo.cert
  6. key: path/to/foo.key

File (TOML)

  1. [accesslog.otlp.grpc.tls]
  2. cert = "path/to/foo.cert"
  3. key = "path/to/foo.key"

CLI

  1. --accesslog.otlp.grpc.tls.cert=path/to/foo.cert
  2. --accesslog.otlp.grpc.tls.key=path/to/foo.key
key

Optional

key is the path to the private key used for the secure connection to the OpenTelemetry Collector. When using this option, setting the cert option is required.

File (YAML)

  1. accesslog:
  2. otlp:
  3. grpc:
  4. tls:
  5. cert: path/to/foo.cert
  6. key: path/to/foo.key

File (TOML)

  1. [accesslog.otlp.grpc.tls]
  2. cert = "path/to/foo.cert"
  3. key = "path/to/foo.key"

CLI

  1. --accesslog.otlp.grpc.tls.cert=path/to/foo.cert
  2. --accesslog.otlp.grpc.tls.key=path/to/foo.key
insecureSkipVerify

Optional, Default=false

If insecureSkipVerify is true, the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.

File (YAML)

  1. accesslog:
  2. otlp:
  3. grpc:
  4. tls:
  5. insecureSkipVerify: true

File (TOML)

  1. [accesslog.otlp.grpc.tls]
  2. insecureSkipVerify = true

CLI

  1. --accesslog.otlp.grpc.tls.insecureSkipVerify=true

Using Traefik OSS in Production?

If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.

Adding API Gateway capabilities to Traefik OSS is fast and seamless. There’s no rip and replace and all configurations remain intact. See it in action via this short video.