# Traffic Log

With the TrafficLog policy you can configure access logging on every Envoy data-plane belonging to the Mesh. These logs can then be collected by any agent to be inserted into systems like Splunk, ELK and Datadog. The first step is to configure backends for the Mesh. A backend can be either a file or a TCP service (like Logstash). Second step is to create a TrafficLog entity to select connections to log.

On Universal:

name: default
type: Mesh
mtls:
  ca:
    builtin: {}
  enabled: true
logging:
  defaultBackend: file
  backends:
    - name: logstash
      format: |
        {
            "destination": "%UPSTREAM_CLUSTER%",
            "destinationAddress": "%UPSTREAM_LOCAL_ADDRESS%",
            "source": "%KUMA_DOWNSTREAM_CLUSTER%",
            "sourceAddress": "%DOWNSTREAM_REMOTE_ADDRESS%",
            "bytesReceived": "%BYTES_RECEIVED%",
            "bytesSent": "%BYTES_SENT%"
        }
      tcp:
        address: 127.0.0.1:5000
    - name: file
      file:
        path: /tmp/access.log
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
name: log-rule
mesh: default
type: TrafficLog
rules:
  - sources:
    - match:
        service: backend
    destinations:
    - match:
        service: database
    conf:
      backend: logstash
  - sources:
    - match:
        service: '*'
    destinations:
    - match:
        service: '*'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

On Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  namespace: kuma-system
  name: default
spec:
  mtls:
    ca:
      builtin: {}
    enabled: true
  logging:
    defaultBackend: file
    backends:
      - name: logstash
        format: |
          {
              "destination": "%UPSTREAM_CLUSTER%",
              "destinationAddress": "%UPSTREAM_LOCAL_ADDRESS%",
              "source": "%KUMA_DOWNSTREAM_CLUSTER%",
              "sourceAddress": "%DOWNSTREAM_REMOTE_ADDRESS%",
              "bytesReceived": "%BYTES_RECEIVED%",
              "bytesSent": "%BYTES_SENT%"
          }
        tcp:
          address: 127.0.0.1:5000
      - name: file
        file:
          path: /tmp/access.log
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
apiVersion: kuma.io/v1alpha1
kind: TrafficLog
metadata:
  namespace: kuma-system
  name: log-rule
spec:
  rules:
    - sources:
      - match:
          service: backend
      destinations:
      - match:
          service: database
      conf:
        backend: logstash
    - sources:
      - match:
          service: '*'
      destinations:
      - match:
          service: '*'
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

If a backend in TrafficLog is not explicitly specified, the defaultBackend from Mesh will be used.

In the format field, you can use standard Envoy placeholders for TCP as well as a few additional placeholders:

  • %KUMA_SOURCE_ADDRESS% - source address of the Dataplane
  • %KUMA_SOURCE_SERVICE% - source service from which traffic is sent
  • %KUMA_DESTINATION_SERVICE% - destination service to which traffic is sent
Last Updated: 2/27/2020, 7:22:31 PM