Envoy Logs (Beta)
Stream Envoy logs directly to Panther over HTTPS
Envoy log ingestion is in open beta starting with Panther version 1.79, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther supports ingesting Envoy access logs by streaming them to an HTTP Source, after they are forwarded with Fluent Bit.
- 1.In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
- 2.Click Create New.
- 3.Search for "Envoy," then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
- 4.Click Start Setup.
- 5.
- When setting the Stream Type for the source, we recommend choosing Lines, as it corresponds to how Envoy outputs their logs, line by line.
- When setting the Auth method for the source, we recommend using Shared Secret. Save the header name and value in a secure location, as you will need them in Step 3.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.
While it's possible to customize your Envoy logs by adding or removing fields, Panther's Envoy.Access schema is built to support the default log format. To prevent classification failures, use the default format for your log configuration.
- 1.Make the following additions to your
envoy.yml
configuration file:- At the root level, add the following snippet to enable admin access logging:admin:access_log_path: "access.log"
- Within the resources section, add the following snippet to each resource(s) you wish to enable access logging for:access_log:- name: envoy.access_loggers.filetyped_config:"@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLogpath: "access.log"
If you customize the access log file path (access.log
above), make sure to also point to the appropriate location in your Fluent Bit configuration. - 2.Restart your Envoy proxy, ensuring it is pointing to this updated configuration file, by running
envoy -c envoy.yml
.
- 1.
- 2.
[INPUT]
variables:- Name: Set to
tail
. - Path: Set to the path to your log file.
- Parser: Set to
envoy
.
[OUTPUT]
variables:- Host: Enter your Panther URL.
- Example:
logs.instance-name.runpanther.net
- URI: Enter the end of the HTTP Source ingest URL (generated in Step 1 of this process), starting with
/http/
.- Example:
/http/cb015ee4-543c-4489-9f4b-testaa16d7a
- Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
- Format: Set to
json_lines
- Name: Set to
http
. - TLS: Set to
ON
. - Port: Set to
443
.
[SERVICE]Flush 1[INPUT]Name tail# This path depends on your envoy.yml configurationPath /var/log/envoy/access.logParser envoy[OUTPUT]Name httpMatch *Host logs.pre-alpha.runpanther.netPort 443URI /http/6897ec53-9c4c-4fc7-a8c8-faf7b29571de# Ensure the x-sender-header name matches the header name# you provided when creating the HTTP source in PantherHeader x-sender-header {YOUR_SECRET_HERE}Format json_linesTLS OnTLS.Verify On - 3.Start Fluent Bit, passing the path to your new configuration file and the path to the
parsers.conf
file. Theenvoy
parser is available with the default parser configuration that ships with Fluent Bit.- Example:
fluent-bit -c fluent.conf -R /var/etc/fluent-bit/parsers.conf
The following defines the Envoy access log schema:
schema: Envoy.Access
description: Envoy access logs over HTTP using FluentBit
fields:
- name: start_time
description: Start time of the request.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: method
description: HTTP request method, such as GET, POST, etc.
type: string
- name: path
description: The URI path of the request.
type: string
- name: protocol
description: The HTTP protocol version.
type: string
- name: code
description: The HTTP status code of the response.
type: string
- name: response_flags
description: Additional flags related to the response.
type: string
- name: bytes_received
description: Bytes received from the client.
type: string
- name: bytes_sent
description: Bytes sent to the client.
type: string
- name: duration
description: Total duration of the request.
type: string
- name: x_envoy_upstream_service_time
description: Time spent in the upstream service.
type: string
- name: x_forwarded_for
description: X-Forwarded-For header (if present).
type: string
- name: user_agent
description: User-agent string from the request header.
type: string
- name: request_id
description: The request ID header value.
type: string
- name: authority
description: The authority header value.
type: string
- name: upstream_host
description: The upstream host selected for the request.
type: string
Last modified 1d ago