# Envoy Logs

## Overview

Panther supports ingesting [Envoy access](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage) logs by streaming them to an [HTTP Source](/data-onboarding/data-transports/http.md), after they are forwarded with [Fluent Bit.](https://docs.fluentbit.io/manual/)

## How to onboard Envoy logs to Panther

### Step 1: Create a new Envoy log source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for "Envoy," then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.
5. Follow Panther's [instructions for configuring an HTTP Source](/data-onboarding/data-transports/http.md#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * When setting the **Auth method** for the source, we recommend using [**Shared Secret**](/data-onboarding/data-transports/http.md#shared-secret). Save the header name and value in a secure location, as you will need them in Step 3.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](/data-onboarding/data-transports/http.md#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Configure Envoy Logging

{% hint style="info" %}
While it's possible to customize your Envoy logs by adding or removing fields, Panther's [Envoy.Access schema](#envoy.access) is built to support the default log format. To prevent classification failures, use the default format for your log configuration.
{% endhint %}

1. Make the following additions to your `envoy.yml` configuration file:
   * At the root level, add the following snippet to enable admin access logging:

     ```yaml
     admin:
       access_log_path: "access.log"
     ```
   * Within the resources section, add the following snippet to each resource(s) you wish to enable access logging for:

     ```yaml
      access_log:
      - name: envoy.access_loggers.file
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
          path: "access.log"
     ```

{% hint style="info" %}
If you customize the access log file path (`access.log` above), make sure to also point to the appropriate location in your Fluent Bit configuration.
{% endhint %}

2. Restart your Envoy proxy, ensuring it is pointing to this updated configuration file, by running `envoy -c envoy.yml`.

### Step 3: Configure Fluent Bit

1. Follow the [Getting Started with Fluent Bit instructions](https://docs.fluentbit.io/manual/installation/getting-started-with-fluent-bit) to install Fluent Bit as a service.
2. Create a [Fluent Bit configuration file](https://docs.fluentbit.io/manual/administration/configuring-fluent-bit/classic-mode/configuration-file), and set the following fields:

   * `[INPUT]` variables:
     * **Name:** Set to `tail`.
     * **Path**: Set to the path to your log file.
     * **Parser**: Set to `envoy`.
   * `[OUTPUT]` variables:
     * **Host**: Enter your Panther URL.
       * Example: `logs.instance-name.runpanther.net`
     * **URI**: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with `/http/`.
       * Example: `/http/cb015ee4-543c-4489-9f4b-testaa16d7a`
     * **Header**: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
     * **Format**: Set to `json_lines`
     * **Name**: Set to `http`.
     * **TLS**: Set to `ON`.
     * **Port**: Set to `443`.

   ```editorconfig
   [SERVICE]
       Flush      1
   [INPUT]
       Name       tail
       # This path depends on your envoy.yml configuration
       Path       /var/log/envoy/access.log
       Parser     envoy

   [OUTPUT]
       Name       http
       Match      *
       Host       logs.pre-alpha.runpanther.net
       Port       443
       URI        /http/6897ec53-9c4c-4fc7-a8c8-faf7b29571de
       # Ensure the x-sender-header name matches the header name
       # you provided when creating the HTTP source in Panther
       Header     x-sender-header {YOUR_SECRET_HERE}
       Format     json_lines
       TLS        On
       TLS.Verify On
   ```
3. Start Fluent Bit, passing the path to your new configuration file and the path to the `parsers.conf` file. The `envoy` parser is available with the default parser configuration that ships with Fluent Bit.
   * Example: `fluent-bit -c fluent.conf -R /var/etc/fluent-bit/parsers.conf`

## Supported Log Types

### Envoy.Access

The following defines the Envoy access log schema:

```yaml
schema: Envoy.Access
description: Envoy access logs over HTTP using FluentBit
fields:
  - name: start_time
    description: Start time of the request.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: method
    description: HTTP request method, such as GET, POST, etc.
    type: string
  - name: path
    description: The URI path of the request.
    type: string
  - name: protocol
    description: The HTTP protocol version.
    type: string
  - name: code
    description: The HTTP status code of the response.
    type: string
  - name: response_flags
    description: Additional flags related to the response.
    type: string
  - name: bytes_received
    description: Bytes received from the client.
    type: string
  - name: bytes_sent
    description: Bytes sent to the client.
    type: string
  - name: duration
    description: Total duration of the request.
    type: string
  - name: x_envoy_upstream_service_time
    description: Time spent in the upstream service.
    type: string
  - name: x_forwarded_for
    description: X-Forwarded-For header (if present).
    type: string
  - name: user_agent
    description: User-agent string from the request header.
    type: string
  - name: request_id
    description: The request ID header value.
    type: string
  - name: authority
    description: The authority header value.
    type: string
  - name: upstream_host
    description: The upstream host selected for the request.
    type: string
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/data-onboarding/supported-logs/envoy.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.