Envoy Logs (Beta)

Stream Envoy logs directly to Panther over HTTPS

Overview

Envoy log ingestion is in open beta starting with Panther version 1.79, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Envoy access logs by streaming them to an HTTP Source, after they are forwarded with Fluent Bit.

How to onboard Envoy logs to Panther

Step 1: Create a new Envoy log source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Envoy," then click its tile.

    • In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.

  4. Click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • When setting the Auth method for the source, we recommend using Shared Secret. Save the header name and value in a secure location, as you will need them in Step 3.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Configure Envoy Logging

While it's possible to customize your Envoy logs by adding or removing fields, Panther's Envoy.Access schema is built to support the default log format. To prevent classification failures, use the default format for your log configuration.

  1. Make the following additions to your envoy.yml configuration file:

    • At the root level, add the following snippet to enable admin access logging:

      admin:
        access_log_path: "access.log"
    • Within the resources section, add the following snippet to each resource(s) you wish to enable access logging for:

       access_log:
       - name: envoy.access_loggers.file
         typed_config:
           "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
           path: "access.log"

    If you customize the access log file path (access.log above), make sure to also point to the appropriate location in your Fluent Bit configuration.

  2. Restart your Envoy proxy, ensuring it is pointing to this updated configuration file, by running envoy -c envoy.yml.

Step 3: Configure Fluent Bit

  1. Follow the Getting Started with Fluent Bit instructions to install Fluent Bit as a service.

  2. Create a Fluent Bit configuration file, and set the following fields:

    • [INPUT] variables:

      • Name: Set to tail.

      • Path: Set to the path to your log file.

      • Parser: Set to envoy.

    • [OUTPUT] variables:

      • Host: Enter your Panther URL.

        • Example: logs.instance-name.runpanther.net

      • URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with /http/.

        • Example: /http/cb015ee4-543c-4489-9f4b-testaa16d7a

      • Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.

      • Format: Set to json_lines

      • Name: Set to http.

      • TLS: Set to ON.

      • Port: Set to 443.

    [SERVICE]
        Flush      1
    [INPUT]
        Name       tail
        # This path depends on your envoy.yml configuration
        Path       /var/log/envoy/access.log
        Parser     envoy
    
    [OUTPUT]
        Name       http
        Match      *
        Host       logs.pre-alpha.runpanther.net
        Port       443
        URI        /http/6897ec53-9c4c-4fc7-a8c8-faf7b29571de
        # Ensure the x-sender-header name matches the header name
        # you provided when creating the HTTP source in Panther
        Header     x-sender-header {YOUR_SECRET_HERE}
        Format     json_lines
        TLS        On
        TLS.Verify On
  3. Start Fluent Bit, passing the path to your new configuration file and the path to the parsers.conf file. The envoy parser is available with the default parser configuration that ships with Fluent Bit.

    • Example: fluent-bit -c fluent.conf -R /var/etc/fluent-bit/parsers.conf

Supported Log Types

Envoy.Access

The following defines the Envoy access log schema:

schema: Envoy.Access
description: Envoy access logs over HTTP using FluentBit
fields:
  - name: start_time
    description: Start time of the request.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: method
    description: HTTP request method, such as GET, POST, etc.
    type: string
  - name: path
    description: The URI path of the request.
    type: string
  - name: protocol
    description: The HTTP protocol version.
    type: string
  - name: code
    description: The HTTP status code of the response.
    type: string
  - name: response_flags
    description: Additional flags related to the response.
    type: string
  - name: bytes_received
    description: Bytes received from the client.
    type: string
  - name: bytes_sent
    description: Bytes sent to the client.
    type: string
  - name: duration
    description: Total duration of the request.
    type: string
  - name: x_envoy_upstream_service_time
    description: Time spent in the upstream service.
    type: string
  - name: x_forwarded_for
    description: X-Forwarded-For header (if present).
    type: string
  - name: user_agent
    description: User-agent string from the request header.
    type: string
  - name: request_id
    description: The request ID header value.
    type: string
  - name: authority
    description: The authority header value.
    type: string
  - name: upstream_host
    description: The upstream host selected for the request.
    type: string

Last updated