Applications (Envoy sidecars) that generate audit logs on the service mesh upon receiving requests have the following log format.
JSON representation
{
"bytes_sent": string,
"x_forwarded_for": string,
"severity_text": string,
"observed_time_unix_nano": integer,
"user_agent": string,
"x_request_id": string,
"start_time": string,
"upstream_local_address": string,
"connection_termination_details": string,
"severity_number": integer,
"resource": {
object
},
"x_envoy_upstream_service_time": string,
"response_code_details": string,
"upstream_host": string,
"duration": string,
"upstream_cluster": string,
"upstream_transport_failure_reason": string,
"authority": string,
"username": string,
"protocol": string,
"route_name": string,
"requested_server_name": string,
"method": string,
"time_unix_nano": integer,
"bytes_received": string,
"path": string,
"response_flags": string,
"x_goog_api_client": string,
"body": {
object
},
"downstream_local_address": string,
"downstream_remote_address": string,
"response_code": string
}
Fields | |
---|---|
bytes_sent |
The bytes sent in the body. For a websocket connection, it also includes the bytes sent in the response header. For example, |
x_forwarded_for |
The IP addresses visited by a request from the client to the server. For example, |
severity_text |
Information about the severity level of the log entry. It might be an empty value. |
observed_time_unix_nano |
The UNIX epoch time in nanoseconds of the log entry collection. For example, |
user_agent |
The name of the software that retrieves, renders, and facilitates end-user interaction with the web content. It also refers to the user interface implemented using web technologies. For example, |
x_request_id |
The unique ID of a single request. For example, |
start_time |
The start time of the request up to milliseconds. For example, |
upstream_local_address |
The local address of the upstream connection. If it is an IP address, it includes the address and the port. For example, |
connection_termination_details |
Additional information about why Envoy terminated the connection. It might be an empty value. |
severity_number |
The severity level of the log entry. For example, |
resource |
The attributes of the Envoy resource that produced the log entry. These attributes are in key-value pairs in the object. For example, { "log_name": string, "cluster_name": string, "node_name": string, "zone_name": string } |
x_envoy_upstream_service_time |
The time in milliseconds that the upstream host spent processing the request. For example, |
response_code_details |
Additional information about the response code, such as who set it (the upstream or Envoy) and why. For example, |
upstream_host |
The URL of the upstream host. For example, |
duration |
Total duration in milliseconds of the request from the start time to the last byte out. For example, |
upstream_cluster |
The cluster to which the upstream host belongs. For example, |
upstream_transport_failure_reason |
If the upstream connection fails due to a transport socket, it provides the failure reason from the transport socket. The format of this field depends on the configured upstream transport socket. For example, |
authority |
The host and port information from the target URI. For example, |
username |
The user identity that initiated the request. For example, |
protocol |
The protocol type of the request. For example, |
route_name |
The name of the route. For example, |
requested_server_name |
The value set on the SSL connection socket for Server Name Indication (SNI). For example, |
method |
The name of the method. For example, |
time_unix_nano |
The UNIX epoch time in nanoseconds of the log entry collection. For example, |
bytes_received |
The bytes received in the body. For example, |
path |
The path of the HTTP request. For example, |
response_flags |
Additional details about the response or connection, if any. For example, |
x_goog_api_client |
The API client identification. It might be an empty value. |
body |
The request body. It might be an empty value. |
downstream_local_address |
The local address of the downstream connection. If it is an IP address, it includes the address and the port. For example, |
downstream_remote_address |
The remote address of the downstream connection. If it is an IP address, it includes the address and the port. For example, |
response_code |
The HTTP response code. Possible values:
|