Service Mesh Envoy access logs

Applications (Envoy sidecars) that generate audit logs on the service mesh upon receiving requests have the following log format.

JSON representation

{  "bytes_sent": string,  "x_forwarded_for": string,  "severity_text": string,  "observed_time_unix_nano": integer,  "user_agent": string,  "x_request_id": string,  "start_time": string,  "upstream_local_address": string,  "connection_termination_details": string,  "severity_number": integer,  "resource": {  object  },  "x_envoy_upstream_service_time": string,  "response_code_details": string,  "upstream_host": string,  "duration": string,  "upstream_cluster": string,  "upstream_transport_failure_reason": string,  "authority": string,  "username": string,  "protocol": string,  "route_name": string,  "requested_server_name": string,  "method": string,  "time_unix_nano": integer,  "bytes_received": string,  "path": string,  "response_flags": string,  "x_goog_api_client": string,  "body": {  object  },  "downstream_local_address": string,  "downstream_remote_address": string,  "response_code": string }
Fields
bytes_sent

string

The bytes sent in the body. For a websocket connection, it also includes the bytes sent in the response header. For example, "46259"
x_forwarded_for

string

The IP addresses visited by a request from the client to the server. For example, "10.200.0.1"
severity_text

string

Information about the severity level of the log entry. It might be an empty value.
observed_time_unix_nano

integer

The UNIX epoch time in nanoseconds of the log entry collection. For example, 1668556781041333000
user_agent

string

The name of the software that retrieves, renders, and facilitates end-user interaction with the web content. It also refers to the user interface implemented using web technologies. For example, "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
x_request_id

string

The unique ID of a single request. For example, "a4cadca4-662f-4a9c-af63-39a5b3275d8b"
start_time

string

The start time of the request up to milliseconds. For example, "2022-11-15T23:59:41.041Z"
upstream_local_address

string

The local address of the upstream connection. If it is an IP address, it includes the address and the port. For example, "127.0.0.6:42179"
connection_termination_details

string

Additional information about why Envoy terminated the connection. It might be an empty value.
severity_number

integer

The severity level of the log entry. For example, 0
resource

object

The attributes of the Envoy resource that produced the log entry. These attributes are in key-value pairs in the object. For example,

{  "log_name": string,  "cluster_name": string,  "node_name": string,  "zone_name": string }
x_envoy_upstream_service_time

string

The time in milliseconds that the upstream host spent processing the request. For example, "0"
response_code_details

string

Additional information about the response code, such as who set it (the upstream or Envoy) and why. For example, "via_upstream"
upstream_host

string

The URL of the upstream host. For example, "10.253.132.163:80"
duration

string

Total duration in milliseconds of the request from the start time to the last byte out. For example, "4"
upstream_cluster

string

The cluster to which the upstream host belongs. For example, "inbound|80||"
upstream_transport_failure_reason

string

If the upstream connection fails due to a transport socket, it provides the failure reason from the transport socket. The format of this field depends on the configured upstream transport socket. For example, "SSLV3_ALERT_CERTIFICATE_EXPIRED"
authority

string

The host and port information from the target URI. For example, "console.zone1.google.gdch.test"
username

string

The user identity that initiated the request. For example, "fop-cluster-admin@example.com"
protocol

string

The protocol type of the request. For example, "HTTP/1.1"
route_name

string

The name of the route. For example, "default"
requested_server_name

string

The value set on the SSL connection socket for Server Name Indication (SNI). For example, "outbound_.80_._.fleet-admin-platform-admin-ui.gpc-system.svc.cluster.local"
method

string

The name of the method. For example, "GET"
time_unix_nano

integer

The UNIX epoch time in nanoseconds of the log entry collection. For example, 1668556781041333000
bytes_received

string

The bytes received in the body. For example, "0"
path

string

The path of the HTTP request. For example, "/metrics"
response_flags

string

Additional details about the response or connection, if any. For example, "UH (no healthy upstream hosts)"
x_goog_api_client

string

The API client identification. It might be an empty value.
body

object

The request body. It might be an empty value.
downstream_local_address

string

The local address of the downstream connection. If it is an IP address, it includes the address and the port. For example, "10.253.132.163:80"
downstream_remote_address

string

The remote address of the downstream connection. If it is an IP address, it includes the address and the port. For example, "10.200.0.1:0"
response_code

string

The HTTP response code.

Possible values:

  • "200" (Success)
  • "403" (Forbidden request)
  • "500" (Error)