# Traffic Log

With the TrafficLog policy you can configure access logging on every Envoy data-plane belonging to the Mesh. These logs can then be collected by any agent to be inserted into systems like Splunk, ELK and Datadog. The first step is to configure backends for the Mesh. A backend can be either a file or a TCP service (like Logstash). Second step is to create a TrafficLog entity to select connections to log.

On Universal:

type: Mesh
name: default
mtls:
  ca:
    builtin: {}
  enabled: true
logging:
  defaultBackend: file
  backends:
    - name: logstash
      format: |
        {
            "destination": "%UPSTREAM_CLUSTER%",
            "destinationAddress": "%UPSTREAM_LOCAL_ADDRESS%",
            "source": "%KUMA_DOWNSTREAM_CLUSTER%",
            "sourceAddress": "%DOWNSTREAM_REMOTE_ADDRESS%",
            "bytesReceived": "%BYTES_RECEIVED%",
            "bytesSent": "%BYTES_SENT%"
        }
      tcp:
        address: 127.0.0.1:5000
    - name: file
      file:
        path: /tmp/access.log
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
type: TrafficLog
name: all-traffic
mesh: default
sources:
  - match:
      service: '*'
destinations:
  - match:
      service: '*'
# if omitted, the default logging backend of that mesh will be used
1
2
3
4
5
6
7
8
9
10
type: TrafficLog
name: backend-to-database-traffic
mesh: default
sources:
  - match:
      service: backend
destinations:
  - match:
      service: database
conf:
  backend: logstash
1
2
3
4
5
6
7
8
9
10
11

On Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  name: default
spec:
  mtls:
    ca:
      builtin: {}
    enabled: true
  logging:
    defaultBackend: file
    backends:
      - name: logstash
        format: |
          {
              "destination": "%UPSTREAM_CLUSTER%",
              "destinationAddress": "%UPSTREAM_LOCAL_ADDRESS%",
              "source": "%KUMA_DOWNSTREAM_CLUSTER%",
              "sourceAddress": "%DOWNSTREAM_REMOTE_ADDRESS%",
              "bytesReceived": "%BYTES_RECEIVED%",
              "bytesSent": "%BYTES_SENT%"
          }
        tcp:
          address: 127.0.0.1:5000
      - name: file
        file:
          path: /tmp/access.log
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
apiVersion: kuma.io/v1alpha1
kind: TrafficLog
metadata:
  namespace: kuma-system
  name: all-traffic
spec:
  sources:
    - match:
        service: '*'
  destinations:
    - match:
        service: '*'
  # if omitted, the default logging backend of that mesh will be used
1
2
3
4
5
6
7
8
9
10
11
12
13
apiVersion: kuma.io/v1alpha1
kind: TrafficLog
metadata:
  namespace: kuma-system
  name: backend-to-database-traffic
spec:
  sources:
    - match:
        service: backend
  destinations:
    - match:
        service: database
  conf:
    backend: logstash
1
2
3
4
5
6
7
8
9
10
11
12
13
14

If a backend in TrafficLog is not explicitly specified, the defaultBackend from Mesh will be used.

In the format field, you can use standard Envoy placeholders for TCP as well as a few additional placeholders:

  • %KUMA_SOURCE_ADDRESS% - source address of the Dataplane
  • %KUMA_SOURCE_SERVICE% - source service from which traffic is sent
  • %KUMA_DESTINATION_SERVICE% - destination service to which traffic is sent