Links

Envoy Logs (Beta)

Stream Envoy logs directly to Panther over HTTPS

Overview

Envoy log ingestion is in open beta starting with Panther version 1.79, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther supports ingesting Envoy access logs by streaming them to an HTTP Source, after they are forwarded with Fluent Bit.

How to onboard Envoy logs to Panther

Step 1: Create a new Envoy log source in Panther

  1. 1.
    In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
  2. 2.
    Click Create New.
  3. 3.
    Search for "Envoy," then click its tile.
    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
  4. 4.
    Click Start Setup.
  5. 5.
    Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
    • When setting the Stream Type for the source, we recommend choosing Lines, as it corresponds to how Envoy outputs their logs, line by line.
    • When setting the Auth method for the source, we recommend using Shared Secret. Save the header name and value in a secure location, as you will need them in Step 3.
    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.
    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Configure Envoy Logging

While it's possible to customize your Envoy logs by adding or removing fields, Panther's Envoy.Access schema is built to support the default log format. To prevent classification failures, use the default format for your log configuration.
  1. 1.
    Make the following additions to your envoy.yml configuration file:
    • At the root level, add the following snippet to enable admin access logging:
      admin:
      access_log_path: "access.log"
    • Within the resources section, add the following snippet to each resource(s) you wish to enable access logging for:
      access_log:
      - name: envoy.access_loggers.file
      typed_config:
      "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
      path: "access.log"
    If you customize the access log file path (access.log above), make sure to also point to the appropriate location in your Fluent Bit configuration.
  2. 2.
    Restart your Envoy proxy, ensuring it is pointing to this updated configuration file, by running envoy -c envoy.yml.

Step 3: Configure Fluent Bit

  1. 1.
    Follow the Getting Started with Fluent Bit instructions to install Fluent Bit as a service.
  2. 2.
    Create a Fluent Bit configuration file, and set the following fields:
    • [INPUT] variables:
      • Name: Set to tail.
      • Path: Set to the path to your log file.
      • Parser: Set to envoy.
    • [OUTPUT] variables:
      • Host: Enter your Panther URL.
        • Example: logs.instance-name.runpanther.net
      • URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/.
        • Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a
      • Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
      • Format: Set to json_lines
      • Name: Set to http.
      • TLS: Set to ON.
      • Port: Set to 443.
    [SERVICE]
    Flush 1
    [INPUT]
    Name tail
    # This path depends on your envoy.yml configuration
    Path /var/log/envoy/access.log
    Parser envoy
    [OUTPUT]
    Name http
    Match *
    Host logs.pre-alpha.runpanther.net
    Port 443
    URI /http/6897ec53-9c4c-4fc7-a8c8-faf7b29571de
    # Ensure the x-sender-header name matches the header name
    # you provided when creating the HTTP source in Panther
    Header x-sender-header {YOUR_SECRET_HERE}
    Format json_lines
    TLS On
    TLS.Verify On
  3. 3.
    Start Fluent Bit, passing the path to your new configuration file and the path to the parsers.conf file. The envoy parser is available with the default parser configuration that ships with Fluent Bit.
    • Example: fluent-bit -c fluent.conf -R /var/etc/fluent-bit/parsers.conf

Supported Log Types

Envoy.Access

The following defines the Envoy access log schema:
schema: Envoy.Access
description: Envoy access logs over HTTP using FluentBit
fields:
- name: start_time
description: Start time of the request.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: method
description: HTTP request method, such as GET, POST, etc.
type: string
- name: path
description: The URI path of the request.
type: string
- name: protocol
description: The HTTP protocol version.
type: string
- name: code
description: The HTTP status code of the response.
type: string
- name: response_flags
description: Additional flags related to the response.
type: string
- name: bytes_received
description: Bytes received from the client.
type: string
- name: bytes_sent
description: Bytes sent to the client.
type: string
- name: duration
description: Total duration of the request.
type: string
- name: x_envoy_upstream_service_time
description: Time spent in the upstream service.
type: string
- name: x_forwarded_for
description: X-Forwarded-For header (if present).
type: string
- name: user_agent
description: User-agent string from the request header.
type: string
- name: request_id
description: The request ID header value.
type: string
- name: authority
description: The authority header value.
type: string
- name: upstream_host
description: The upstream host selected for the request.
type: string