Request proxy logs

Cloud Service Mesh supports two different types of access logs inCloud Logging:Traffic logs (alsoknown as Google Cloud Observability access logs) andEnvoy access logs. This page shows you how toenable, disable, view, and interpret these logs. Note that traffic logs areenabled by default.

Enabling and disabling access logs

cat<<EOF|kubectlapply-nistio-system-f-apiVersion:telemetry.istio.io/v1alpha1kind:Telemetrymetadata:name:enable-envoy-disable-sdnamespace:istio-systemspec:accessLogging:-providers:-name:envoy-providers:-name:stackdriverdisabled:trueEOF

cat<<EOF|kubectlapply-nistio-system-f-apiVersion:telemetry.istio.io/v1alpha1kind:Telemetrymetadata:name:disable-envoy-enable-sdnamespace:istio-systemspec:accessLogging:-providers:-name:envoydisabled:true-providers:-name:stackdriverEOF

---apiVersion:install.istio.io/v1alpha1kind:IstioOperatorspec:meshConfig:accessLogFile:"/dev/stdout"

Viewing access logs

kubectllogsPOD_NAME-nNAMESPACE_NAME-cistio-proxy

resource.type="k8s_container"\resource.labels.container_name="istio-proxy"resource.labels.cluster_name="CLUSTER_NAME"\resource.labels.namespace_name="NAMESPACE_NAME"\resource.labels.pod_name="POD_NAME"

{  insertId: "1awb4hug5pos2qi"  httpRequest: {    requestMethod: "GET"    requestUrl: "YOUR-INGRESS/productpage"    requestSize: "952"    status: 200    responseSize: "5875"    remoteIp: "10.8.0.44:0"    serverIp: "10.56.4.25:9080"    latency: "1.587232023s"    protocol: "http"  }  resource: {    type: "k8s_container"    labels: {      location: "us-central1-a"      project_id: "YOUR-PROJECT"      pod_name: "productpage-v1-76589d9fdc-ptnt9"      cluster_name: "YOUR-CLUSTER-NAME"      container_name: "productpage"      namespace_name: "default"    }  }  timestamp: "2020-04-28T19:55:21.056759Z"  severity: "INFO"  labels: {    destination_principal: "spiffe://cluster.local/ns/default/sa/bookinfo-productpage"    response_flag: "-"    destination_service_host: "productpage.default.svc.cluster.local"    source_app: "istio-ingressgateway"    service_authentication_policy: "MUTUAL_TLS"    source_name: "istio-ingressgateway-5ff85d8dd8-mwplb"    mesh_uid: "YOUR-MESH-UID"    request_id: "021ce752-9001-4ac6-b6d6-3b15f5d3632"    destination_namespace: "default"    source_principal:  "spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"    destination_workload: "productpage-v1"    destination_version: "v1"    source_namespace: "istio-system"    source_workload: "istio-ingressgateway"    destination_name: "productpage-v1-76589d9fdc-ptnt9"    destination_app: "productpage"  }  trace: "projects/YOUR-PROJECT/traces/d4197f59b7a43e3aeff3571bac99d536"  receiveTimestamp: "2020-04-29T03:07:14.362416217Z"  spanId: "43226343ca2bb2b1"  traceSampled: true  logName: "projects/YOUR-PROJECT/logs/server-accesslog-stackdriver"  receiveTimestamp: "2020-04-28T19:55:32.185229100Z"}

Interpret Cloud Service Mesh telemetry

The following sections explain how to check the status of your mesh and reviewthe various telemetry that contain helpful details to assist yourtroubleshooting.

Interpret control plane metrics

Diagnose configuration delays

Interpret traffic logs

The following information explains how to use the traffic logs to troubleshootconnection problems. Traffic logs are enabled by default.

Cloud Service Mesh exports data into traffic logs that can help you debug thefollowing types of problems:

• Traffic flow and failures
• End-to-end request routing

Traffic logs are enabled by default for Cloud Service Mesh installations onGoogle Kubernetes Engine. You can enable traffic logs by re-runningasmcli install. Usethe same options that you originally installed but omit the custom overlay thatdisabled Stackdriver.

There are two types of traffic logs:

• Server access logs give a server-side view of requests. They are locatedunderserver-accesslog-stackdriver, attached to thek8s_container monitoredresource. Use the following URL syntax todisplay server-side access logs:

  https://console.cloud.google.com/logs/viewer?advancedFilter=logName="projects/PROJECT_ID/logs/server-accesslog-stackdriver"&project=PROJECT_ID

• Client access logs give a client-side view of requests. They are located underclient-accesslog-stackdriver, attached to thek8s_pod monitored resource.Use the following URL syntax to display client-side access logs:

  https://console.cloud.google.com/logs/viewer?advancedFilter=logName="projects/PROJECT_ID/logs/client-accesslog-stackdriver"&project=PROJECT_ID

Access logs contain the following information:

• HTTP request properties, such as ID, URL, size, latency, and common headers.
• Source and destination workload information, such as name, namespace, identity,and common labels.
• Source and destination canonical service and revision information.
• If tracing is enabled, the logs contain trace information, such as sampling,trace ID, and span ID.

Traffic logs may contain the following labels:

• route_name
• upstream_cluster
• X-Envoy-Original-Path

This is an example log entry:

{  "insertId": "1j84zg8g68vb62z",  "httpRequest": {    "requestMethod": "GET",    "requestUrl": "http://35.235.89.201:80/productpage",    "requestSize": "795",    "status": 200,    "responseSize": "7005",    "remoteIp": "10.168.0.26:0",    "serverIp": "10.36.3.153:9080",    "latency": "0.229384205s",    "protocol": "http"  },  "resource": {    "type": "k8s_container",    "labels": {      "cluster_name": "istio-e2e22",      "namespace_name": "istio-bookinfo-1-68819",      "container_name": "productpage",      "project_id": "***",      "location": "us-west2-a",      "pod_name": "productpage-v1-64794f5db4-8xbtf"    }  },  "timestamp": "2020-08-13T21:37:42.963881Z",  "severity": "INFO",  "labels": {    "protocol": "http",    "upstream_host": "127.0.0.1:9080",    "source_canonical_service": "istio-ingressgateway",    "source_namespace": "istio-system",    "x-envoy-original-path": "",    "source_canonical_revision": "latest",    "connection_id": "32",    "upstream_cluster": "inbound|9080|http|productpage.istio-bookinfo-1-68819.svc.cluster.local",    "requested_server_name": "outbound_.9080_._.productpage.istio-bookinfo-1-68819.svc.cluster.local",    "destination_version": "v1",    "destination_workload": "productpage-v1",    "source_workload": "istio-ingressgateway",    "destination_canonical_revision": "v1",    "mesh_uid": "cluster.local",    "source_principal": "spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",    "x-envoy-original-dst-host": "",    "service_authentication_policy": "MUTUAL_TLS",    "destination_principal": "spiffe://cluster.local/ns/istio-bookinfo-1-68819/sa/bookinfo-productpage",    "response_flag": "-",    "log_sampled": "false",    "destination_service_host": "productpage.istio-bookinfo-1-68819.svc.cluster.local",    "destination_name": "productpage-v1-64794f5db4-8xbtf",    "destination_canonical_service": "productpage",    "destination_namespace": "istio-bookinfo-1-68819",    "source_name": "istio-ingressgateway-6845f6d664-lnfvp",    "source_app": "istio-ingressgateway",    "destination_app": "productpage",    "request_id": "39013650-4e62-9be2-9d25-78682dd27ea4",    "route_name": "default"  },  "logName": "projects/***/logs/server-accesslog-stackdriver",  "trace": "projects/***t/traces/466d77d15753cb4d7749ba5413b5f70f",  "receiveTimestamp": "2020-08-13T21:37:48.758673203Z",  "spanId": "633831cb1fda4fd5",  "traceSampled": true}

You can use this log in various ways:

• Integrate with Cloud Trace, which is an optional feature inCloud Service Mesh.
• Export traffic logs to BigQuery, where you can run queries likeselecting all requests take more than 5 seconds.
• Create log-based metrics.
• Troubleshoot404 and503 errors

Troubleshoot404 and503 errors

The following example explains how to use this log to troubleshoot when arequest fails with a404 or503 response code.

1. In the client access log, search for an entry like the following:

   httpRequest: {requestMethod: "GET"requestUrl: "://IP_ADDRESS/src/Util/PHP/eval-stdin.php"requestSize: "2088"status: 404responseSize: "75"remoteIp: "10.168.0.26:34165"serverIp: "10.36.3.149:8080"latency: "0.000371440s"protocol: "http"}

2. Navigate to the labels in the access log entry. Findtheresponse_flag field that looks like the following:

   response_flag: "NR"

   TheNR value is an acronym forNoRoute, which means no route was found for thedestination or there was no matching filter chain for a downstreamconnection. Similarly, you can use theresponse_flag label to troubleshoot503 errors also.

3. If you see503 errors in both the client and server access logs, check thatthe port names set for each service match the name of the protocol in usebetween them. For example, if a golang binary client connects to a golang serverusing HTTP, but the port is namedhttp2, the protocol will not auto-negotiatecorrectly.

For more information, seeresponse flags.

Interpret Envoy access logs

The following steps explain how to use the Envoy access logs to show trafficbetween both ends of a connection for troubleshooting purposes.

Envoy access logs are useful for diagnosing issues like:

• Traffic flow and failures
• End-to-end request routing

Envoy access logs are not enabled by default in Cloud Service Mesh and can beenabled for the clusters in a mesh.

You can troubleshoot connection or request failures by generating activity inyour application that triggers an HTTP request, then inspecting the associatedrequest in the source or destination logs.

If you trigger a request appears and it appears in the source proxy logs, itindicates thatiptables traffic redirection is working correctly and the Envoyproxy is handling traffic. If you see errors in the logs, generate an Envoyconfiguration dump and check the Envoy cluster configuration to ensure it iscorrect. If you see the request but the log has no errors, check the destinationproxy logs instead.

If the request appears in the destination proxy logs, it indicates that the meshitself is working correctly. If you see an error instead, run an Envoyconfiguration dump and verify the correct values for the traffic port set inthe listener configuration.

If the problem persists after performing the previous steps, Envoy might beunable to auto-negotiate the protocol between the sidecar and its applicationpod. Ensure that the Kubernetes service port name, for examplehttp-80,matches the protocol that the application uses.

Use Logs Explorer to query logs

You can use theLogs Explorer interfaceto query specific Envoy access logs. For example, to query all requests thathaveMULTUAL_TLS enabled and use protocolgrpc, append following to theserver access logs query:

labels.protocol="grpc" labels.service_authentication_policy="MULTUAL_TLS"

Set an access log policy

View service or workload-specific information

If you have an issue with a specific service or workload rather than a mesh-wideproblem, inspect the individual Envoy proxies and gather relevant informationfrom them. To gather information about a particular workload and its proxies,you can usepilot-agent:

kubectl execPOD_NAME -nNAMESPACE_NAME -c istio-proxy -- pilot-agent request GETSCOPE

For more information, seeAn Introduction to the ss Command.

istio-proxy andistio-init logs

In addition, retrieve theistio-proxy logs and review its contents for anyerrors that might suggest the cause of the problem:

kubectl logsPOD_NAME -nNAMESPACE_NAME -c istio-proxy

You can do the same for theinit container:

kubectl logsPOD_NAME -nNAMESPACE_NAME -c istio-init

What's next

• Integrate with Cloud Trace.Cloud Trace is anoptional featurein Cloud Service Mesh.

• Export traffic logs to BigQuery.

• Create log-based metrics.