DEV Community: Nitish Malhotra The latest articles on DEV Community by Nitish Malhotra (@nitishm). https://dev.to/nitishm https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F118262%2F6610943a-3799-4990-b612-3083a3023951.jpeg DEV Community: Nitish Malhotra https://dev.to/nitishm en Engarde : Parse Envoy and istio-proxy logs like a champ Nitish Malhotra Mon, 09 Sep 2019 00:27:25 +0000 https://dev.to/nitishm/engarde-parse-envoy-and-istio-proxy-logs-like-a-champ-219m https://dev.to/nitishm/engarde-parse-envoy-and-istio-proxy-logs-like-a-champ-219m <h1> Envoy Proxy </h1> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--GHmMN7-S--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/envoyproxy/artwork/master/PNG/Envoy_Logo_Final_PANTONE.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--GHmMN7-S--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://raw.githubusercontent.com/envoyproxy/artwork/master/PNG/Envoy_Logo_Final_PANTONE.png" alt="Alt Envoy Logo"></a></p> <p><a href="https://www.envoyproxy.io/">Envoy</a> is a modern, high performance, small footprint open source edge and service proxy, designed for cloud-native applications. Originally written and deployed at Lyft, Envoy has become the proxy of choice for a variety of service-meshes including the more popular Istio Service Mesh.</p> <h1> Istio Service Mesh </h1> <p>Developed by a collaboration between Google, IBM, and Lyft, <a href="https://istio.io/">Istio</a> is an open-source service mesh that lets you connect, monitor, and secure microservices deployed on-premise, in the cloud, or with orchestration platforms like Kubernetes.</p> <p>Istio uses Envoy sidecar proxies aka istio-proxy as its data plane. In Kubernetes these proxies as deployed as Sidecars in all participating pods (either manually or automatically using sidecar injection) and are programmed to intercept all inbound and outbound traffic through iptable redirection.</p> <h1> Envoy Access Logs </h1> <p>Envoy Proxy provides a configurable access logging mechanism. These access logs provide an extensive amount of information that can be used to troubleshoot issues.</p> <p>Most envoy proxy deployments use the <em>default</em> log format, as shown below,<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%" "%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n </code></pre></div> <p>which results in log lines as follows,<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>[2016-04-15T20:17:00.310Z] "POST /api/v1/locations HTTP/2" 204 - 154 0 226 100 "10.0.35.28" "nsq2http" "cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2" "locations" "tcp://10.0.2.1:80" </code></pre></div> <p>These logs, even in their default format, <strong>pack a lot of useful information</strong> that can come in handy in debugging issues with the L4-L7 proxy.</p> <p>A recent tweet by <a href="https://twitter.com/askmeegs">Meghan O'Keefe</a> from Google, provides a pretty visual representation of each field in the default envoy log (shown below).</p> <blockquote class="ltag__twitter-tweet"> <div class="ltag__twitter-tweet__media"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--pK6c-nVN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://pbs.twimg.com/media/EA6X3jiX4AYh5X_.jpg" alt="unknown tweet media content"> </div> <div class="ltag__twitter-tweet__main"> <div class="ltag__twitter-tweet__header"> <img class="ltag__twitter-tweet__profile-image" src="https://res.cloudinary.com/practicaldev/image/fetch/s--gIq-Bl-0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://pbs.twimg.com/profile_images/1049698384804638720/Sm6KotBp_normal.jpg" alt="Megan O'Keefe profile image"> <div class="ltag__twitter-tweet__full-name"> Megan O'Keefe </div> <div class="ltag__twitter-tweet__username"> @askmeegs </div> <div class="ltag__twitter-tweet__twitter-logo"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--P4t6ys1m--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://practicaldev-herokuapp-com.freetls.fastly.net/assets/twitter-f95605061196010f91e64806688390eb1a4dbc9e913682e043eb8b1e06ca484f.svg" alt="twitter logo"> </div> </div> <div class="ltag__twitter-tweet__body"> Have you ever looked at Istio's proxy logs and thought: 😱 ? <br><br>These are <a href="https://twitter.com/EnvoyProxy">@EnvoyProxy</a> access logs, and contain lots of helpful info! <a href="https://t.co/SbV75hDrON">envoyproxy.io/docs/envoy/lat…</a> </div> <div class="ltag__twitter-tweet__date"> 20:43 PM - 01 Aug 2019 </div> <div class="ltag__twitter-tweet__actions"> <a href="https://twitter.com/intent/tweet?in_reply_to=1157029140693995521" class="ltag__twitter-tweet__actions__button"> <img src="/assets/twitter-reply-action.svg" alt="Twitter reply action"> </a> <a href="https://twitter.com/intent/retweet?tweet_id=1157029140693995521" class="ltag__twitter-tweet__actions__button"> <img src="/assets/twitter-retweet-action.svg" alt="Twitter retweet action"> </a> 30 <a href="https://twitter.com/intent/like?tweet_id=1157029140693995521" class="ltag__twitter-tweet__actions__button"> <img src="/assets/twitter-like-action.svg" alt="Twitter like action"> </a> 100 </div> </div> </blockquote> <p>In addition to the tweet, this <a href="https://medium.com/understanding-envoy-proxy-and-ambassador-http-access-logs-fee7802a2ec5">medium</a> blog by Richard Li (CEO, Datawire - the guys who brought you Ambassador), titled <strong>"Understanding Envoy Proxy HTTP Access Logs"</strong>, provides more details on each of the fields of the default format log.</p> <p>If you've ever had to deal with these logs like me, you know how difficult it is to grok each of the fields manually as the lines scroll by at the speed of light, especially in a busy network.</p> <p>To address this problem and to make more sense of these cryptic log lines, I have created an open-source tool that I would like to present to the community.</p> <h1> Introducing <a href="https://github.com/nitishm/engarde">Engarde</a> </h1> <p><em>(Envoy + On Gaurd = Engarde ... Get it 😉 ?? Bah neverming, I tried)</em><br> Engarde is an open-source utility written in Go with (a lot of) help from the open-source <a href="//github.com/vjeantet/grok">grok</a> package, that allows you to parse envoy access logs like a champ. In addition Engarde also supports the default format used by the istio-proxy (shown below).<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \"%DYNAMIC_METADATA(istio.mixer:status)%\" %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\" %UPSTREAM_CLUSTER% %UPSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_LOCAL_ADDRESS% %DOWNSTREAM_REMOTE_ADDRESS% %REQUESTED_SERVER_NAME%\n </code></pre></div> <p>Engarde reads in the envoy logs, line by line, via STDIN, marshaling them into JSON objects, for enhanced readability, and eventually outputting them back to the terminal over STDOUT. </p> <h2> Getting Started with Engarde </h2> <p>To get started with engarde just visit <a href="https://github.com/nitishm/engarde">https://github.com/nitishm/engarde</a> and follow the instructions provided in the <code>README</code>.</p> <h2> Sample </h2> <p><strong>Envoy Default Format</strong><br> </p> <div class="highlight"><pre class="highlight plaintext"><code>echo '[2016-04-15T20:17:00.310Z] "POST /api/v1/locations HTTP/2" 204 - 154 0 226 100 "10.0.35.28" "nsq2http" "cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2" "locations" "tcp://10.0.2.1:80"' | engarde | jq </code></pre></div> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"authority"</span><span class="p">:</span><span class="w"> </span><span class="s2">"locations"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bytes_received"</span><span class="p">:</span><span class="w"> </span><span class="s2">"154"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bytes_sent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"duration"</span><span class="p">:</span><span class="w"> </span><span class="s2">"226"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"POST"</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP/2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_flags"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"204"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2016-04-15T20:17:00.310Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tcp://10.0.2.1:80"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_service_time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"100"</span><span class="p">,</span><span class="w"> </span><span class="nl">"uri_path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/v1/locations"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"nsq2http"</span><span class="p">,</span><span class="w"> </span><span class="nl">"original_message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[2016-04-15T20:17:00.310Z] </span><span class="se">\"</span><span class="s2">POST /api/v1/locations HTTP/2</span><span class="se">\"</span><span class="s2"> 204 - 154 0 226 100 </span><span class="se">\"</span><span class="s2">10.0.35.28</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">nsq2http</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">cc21d9b0-cf5c-432b-8c7e-98aeb7988cd2</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">locations</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">tcp://10.0.2.1:80</span><span class="se">\"</span><span class="s2">"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p><strong>Istio-proxy Default Format</strong><br> </p> <div class="highlight"><pre class="highlight plaintext"><code>kubectl logs -f foo-app-1 -c istio-proxy | engarde --use-istio | jq </code></pre></div> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"authority"</span><span class="p">:</span><span class="w"> </span><span class="s2">"hello-world"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bytes_received"</span><span class="p">:</span><span class="w"> </span><span class="s2">"148"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bytes_sent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"171"</span><span class="p">,</span><span class="w"> </span><span class="nl">"duration"</span><span class="p">:</span><span class="w"> </span><span class="s2">"4"</span><span class="p">,</span><span class="w"> </span><span class="nl">"method"</span><span class="p">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="nl">"protocol"</span><span class="p">:</span><span class="w"> </span><span class="s2">"HTTP/1.1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"c0ce81db-4f5a-9134-8a5c-f8c076c91652"</span><span class="p">,</span><span class="w"> </span><span class="nl">"response_flags"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"200"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2019-09-03T05:37:41.341Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"192.168.89.50:9001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_service_time"</span><span class="p">:</span><span class="w"> </span><span class="s2">"3"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_cluster"</span><span class="p">:</span><span class="w"> </span><span class="s2">"outbound|80||hello-world.default.svc.cluster.local"</span><span class="p">,</span><span class="w"> </span><span class="nl">"upstream_local"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"downstream_local"</span><span class="p">:</span><span class="w"> </span><span class="s2">"10.97.86.53:80"</span><span class="p">,</span><span class="w"> </span><span class="nl">"downstream_remote"</span><span class="p">:</span><span class="w"> </span><span class="s2">"192.168.167.113:39953"</span><span class="p">,</span><span class="w"> </span><span class="nl">"uri_path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/index"</span><span class="p">,</span><span class="w"> </span><span class="nl">"user_agent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mixer_status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"original_message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[2019-09-03T05:37:41.341Z] </span><span class="se">\"</span><span class="s2">GET /index HTTP/1.1</span><span class="se">\"</span><span class="s2"> 200 - </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> 148 171 4 3 </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">c0ce81db-4f5a-9134-8a5c-f8c076c91652</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">hello-world</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">192.168.89.50:9001</span><span class="se">\"</span><span class="s2"> outbound|80||hello-world.default.svc.cluster.local - 10.97.86.53:80 192.168.167.113:39953 -"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre></div> <p>The real power of engarde can only be harnessed when it is combined with <code>jq</code>. </p> <h1> JQ + Engarde </h1> <p><code>jq</code> is a lightweight and flexible command-line JSON processor. <code>jq</code> is like <code>sed</code> for JSON data - you can use it to slice and filter and map and transform structured data with the same ease that sed, awk, grep and friends let you play with text.</p> <p>As shown in the examples above <code>jq</code>, at its most basic, pretty prints JSON strings into readable objects to your terminal. However, <code>jq</code> is capable of a lot more. </p> <p>Since this blog is about <code>Engarde</code> I will not dive too deep into the capabilities of <code>jq</code> (which easily affords a post of its own). <br> Instead lets look at how we can use <code>jq</code> to filter envoy access logs by <code>status_code</code> and output only a subset of fields to STDOUT,<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>kubectl logs -f foo-app-1 -c istio-proxy | engarde --use-istio | jq -c 'select( .status_code = 200) | {log: .original_message, URI: .uri_path, UpstreamCluster: .upstream_cluster}' | jq </code></pre></div> <div class="highlight"><pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"log"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[2019-09-06T19:11:40.645Z] </span><span class="se">\"</span><span class="s2">GET /v1/health/service/xyz?index=0&amp;wait=10s HTTP/1.1</span><span class="se">\"</span><span class="s2"> 500 - </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> 0 23 0 0 </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">Python-urllib/2.7</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">83484d3a-fedb-96f5-a653-1c38fa1ac2e4</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">10.15.12.33:8500</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">10.15.12.33:8500</span><span class="se">\"</span><span class="s2"> PassthroughCluster - 10.15.12.33:8500 192.168.89.3:34780 -"</span><span class="p">,</span><span class="w"> </span><span class="nl">"URI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/v1/health/foobar"</span><span class="p">,</span><span class="w"> </span><span class="nl">"UpstreamCluster"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PassthroughCluster"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"log"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[2019-09-06T19:11:42.218Z] </span><span class="se">\"</span><span class="s2">GET /metrics HTTP/1.1</span><span class="se">\"</span><span class="s2"> 200 - </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> 0 0 1 0 </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">Prometheus/2.9.1</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">e8810c98-9e10-9b2c-837e-987ec3ed3614</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">192.168.89.3:9001</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">127.0.0.1:9001</span><span class="se">\"</span><span class="s2"> inbound|80|foo-worker|hello-world.foo-namespace.svc.cluster.local - 192.168.89.3:9001 192.168.167.109:53458 -"</span><span class="p">,</span><span class="w"> </span><span class="nl">"URI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/metrics"</span><span class="p">,</span><span class="w"> </span><span class="nl">"UpstreamCluster"</span><span class="p">:</span><span class="w"> </span><span class="s2">"inbound|80|foo-worker|hello-world.foo-namespace.svc.cluster.local"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"log"</span><span class="p">:</span><span class="w"> </span><span class="s2">"[2019-09-06T19:11:47.218Z] </span><span class="se">\"</span><span class="s2">GET /metrics HTTP/1.1</span><span class="se">\"</span><span class="s2"> 200 - </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> 0 0 1 0 </span><span class="se">\"</span><span class="s2">-</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">Prometheus/2.9.1</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">f4cd2b2b-7202-9823-a8cd-7a150c6b5c4a</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">192.168.89.3:9001</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="s2">127.0.0.1:9001</span><span class="se">\"</span><span class="s2"> inbound|80|foo-worker|hello-world.foo-namespace.svc.cluster.local - 192.168.89.3:9001 192.168.167.109:53458 -"</span><span class="p">,</span><span class="w"> </span><span class="nl">"URI"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/metrics"</span><span class="p">,</span><span class="w"> </span><span class="nl">"UpstreamCluster"</span><span class="p">:</span><span class="w"> </span><span class="s2">"inbound|80|foo-worker|hello-world.foo-namespace.svc.cluster.local"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="err">...</span><span class="w"> </span></code></pre></div> <h1> Fin </h1> <p>Feel free to share some feedback either directly or through opening an issue on <a href="https://github.com/nitishm">Github</a>. Would love to hear what you think about it and if you wish to see any enhancements.</p> <p>And don't forget to ⭐ the project on GitHub and follow me at <a href="https://github.com/nitishm">https://github.com/nitishm</a>.</p> envoy istio go showdev