Collecting Cloud Service Mesh logs
The following sections explains how to gather the various Cloud Service Mesh logs fortroubleshooting issues or contactingGoogle Support.
Collect logs using the bug report tool
Cloud Service Mesh provides an automated bug report tool that collects the relevantdiagnostic logs and lets you attach the logs to a Google Support ticket.
Before you begin, ensure the kubeconfig context for your cluster is available inyour kubeconfig file.
Start the log collection
Managed control plane
Run the bug-report tool to collect logs:
gcloudbetacontainerfleetmeshdebugbug-report\--membership=MEMBERSHIP_NAME\--location=MEMBERSHIP_LOCATION\--project=PROJECT_NAMEReplace the following:
MEMBERSHIP_NAME: the name of your membership.MEMBERSHIP_LOCATION: the region for yourmembership.PROJECT_NAME: the project name.
In-cluster control plane
Run the bug-report tool to collect logs:
istioctl bug-report
Upload your debug archive
The tool creates an archive of your mesh's logs and configuration in the workingdirectory. You can unpack the archive and use the troubleshooting guides toattempt to perform troubleshooting yourself. However, if you have a supportpackage, you can contactGoogle Cloud Support, who will provideyou with further steps to securely upload your log archive.
Important: Archive logs might contain personally identifiable information (PII)or private information about your security certificates. Check your local lawsand your organization's policies and procedures regarding how to handle or sendsuch sensitive information externally.Manually collect Cloud Service Mesh logs
Instead of using the Cloud Service Mesh bug report tool, this section explains how tomanually collect all the relevant logs.
Envoy access logs
Envoy proxy access logs contain detailed information that is useful fortroubleshooting. However, you must enable them and set the correct detail level.
For details about how to interpret the log contents, seeInterpret Envoy logs.
Enable or disable Envoy logs
To enable the Envoy proxy access logs, configure anoverlay filefor in-cluster Cloud Service Mesh or aConfigMapfor managed Cloud Service Mesh.
Increase logging detail
To temporarily increase the detail level of the logs, use the following command.This setting is undone when the pod is recreated.
kubectl -nNAMESPACE debug --image istio/base --target istio-proxy -itPOD_NAME -- curl -X POST http://localhost:15000/logging?level=debug
To set the detail level of the logs back to default, use the following command:
kubectl -nNAMESPACE debug --image istio/base --target istio-proxy -itPOD_NAME -- curl -X POST http://localhost:15000/logging?level=info
Write Envoy logs to a folder
To collect the Envoy proxy access logs and store them in a folder, use thefollowing command:
kubectl logs -l app=APPLICATION_NAME -c istio-proxy > /FILE_PATH
SeeGetting Envoy's Access Logs for more information.
Kubernetes logs
Kubernetes generates several logs that contain information about the behavior ofIstio components, such asistiod, Ingress Gateway, and proxies. You can reviewthese logs for errors, which might narrow the scope of possible causes of a problem.
(In-cluster control plane only) Captureistiod logs using the following command:
kubectl -n istio-system logs $(kubectl -n istio-system get pods -lapp=istiod -oname) > ./LOGS_FOLDER/istiod.log
(In-cluster control plane only) Capture Istio Ingress Gateway logs using the following command:
kubectl -n istio-system logs $(kubectl -n istio-system get pods -lapp=istio-ingressgateway -oname) > /FILE_PATH
Capture Istio Proxy logs using the following command:
kubectl -nWORKLOAD_NAMESPACE logsPOD_NAME -c istio-proxy > ./LOGS_FOLDER/proxy.log
Kubernetes configuration dump
This information allows users without direct access to the cluster to view the state of various resources and identify possible configuration problems. The following command writes the Kubernetes configuration to a YAML file:
for ns in `kubectl get namespaces -o=jsonpath='{.items[*].metadata.name}'` ; do echo "===NAMESPACE===" $ns >> ./LOGS_FOLDER/kubernetes.yaml ;kubectl get -oyaml -n $ns deploy,statefulset,job,ingress,endpoints,configmap,event,secret,service,istio-io >> ./LOGS_FOLDER/kubernetes.yaml; doneEnvoy core dump
Envoy core dumps are not typically useful to end users, however Google Supportmight request that you collect it as part of the troubleshooting process, usingthe following steps.
Important: Core dumps might contain personally identifiable information (PII) orprivate information about your security certificates. Check your local laws andyour organization's policies and procedures regarding how to handle or send suchsensitive information externally.Warning: Configuring an Envoy core dump is a node-wide setting. This featureshould only be enabled to debug and then turned off when you are done debugging.Envoy core dumps should not be left on long-term.To configure the kernel to write Envoy core dumps to a writable directory:
Add the
sidecar.istio.io/enableCoreDump=truelabel to a pod.Restart the pod to enable Envoy core dumps.
Copy the core dump out of the pod.
Configure Envoy proxy
The detailed Envoy proxy configuration contains additional detail that might behelpful for troubleshooting purposes. You can collect this information using thefollowing command. In this example,ENDPOINT is one of the following(shown in order of importance):
- /certs
- /clusters
- /listeners
- /config_dump
- /memory
- /server_info
- /stats/prometheus
- /runtime
kubectl debug --image istio/base --target istio-proxy -itqPOD_NAME -nNAMESPACE -- curl 127.0.0.1:15000/ENDPOINT > out.log
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.