Overview
In Consul's service mesh, understanding which services are communicating can enhance observability and debugging. Although the Consul documentation does not directly address this requirement, Envoy provides mechanisms to extract and log service identities.
Prerequisites
- Consul Service Mesh: Ensure Consul is configured with Envoy as the service proxy.
- Envoy Proxy Knowledge: Familiarity with Envoy configuration and its observability features.
Key Envoy Fields
Envoy provides the following placeholders to capture service identity information in access logs:
- %DOWNSTREAM_LOCAL_URI_SAN%: Identifies the local service (the one receiving the request).
- %DOWNSTREAM_PEER_URI_SAN%: Identifies the peer service (the one making the request).
These placeholders allow you to log which service is calling and which service is being called, providing detailed insight into service-to-service communication.
Enable Access Logs
Access log configurations for Envoy proxies in Consul are typically set in the proxy-defaults configuration. You can include placeholders like %DOWNSTREAM_LOCAL_URI_SAN% and %DOWNSTREAM_PEER_URI_SAN% in the Envoy access log format.
The following example is a minimal configuration for enabling access logs:
Kind = "proxy-defaults"
Name = "global"
AccessLogs {
  Enabled = true
}
All proxies, including sidecars and gateways, emit access logs when the behavior is enabled. Both inbound and outbound traffic through the proxy are logged, including requests made directly to Envoy's administration interface.
Envoy uses command operators to expose information about application traffic. You can use these fields to customize the access logs that proxies emit. To use a custom access log, in the proxy-defaults configuration entry, set JSONFormat to the string representation of the desired JSON.
Nesting is supported.
Sample Custom Logs:
Kind = "proxy-defaults"
Name = "global"
AccessLogs {
  Enabled = true
  JSONFormat = <<EOF
{
  "myCustomKey" : {
    "callerService" : "%DOWNSTREAM_LOCAL_URI_SAN%",
    "callingService" : "%DOWNSTREAM_PEER_URI_SAN%"
  }
}
EOF
}
Please Note:
- If you enable access logs after the Envoy proxy was started, access logs for the administration interface are not captured until you restart the proxy.
- To make %DOWNSTREAM_LOCAL_URI_SAN% and %DOWNSTREAM_PEER_URI_SAN% effective, mTLS must be enabled because these placeholders rely on the TLS certificates exchanged during the handshake.
connect {
  enabled = true
  ca_provider = "consul"
}
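The following is an added example, not part of the original article or of Consul's own tooling: a Python check that reads access-log lines in the shape of the sample JSONFormat above (`callerService` carries the local URI SAN, `callingService` the peer URI SAN), extracts service names from the SPIFFE URI SANs, and flags caller/callee pairs outside an expected set. The log lines, trust domain, service names and allowlist are constructed for illustration.

```python
import json
from urllib.parse import urlparse

TD = "11111111-2222-3333-4444-555555555555.consul"  # constructed trust domain
ALLOWED = {("web", "api")}  # assumed set of expected (caller, callee) pairs

# Constructed log lines matching the sample JSONFormat on this page.
SAMPLE_LOGS = [
    json.dumps({"myCustomKey": {
        "callerService": f"spiffe://{TD}/ns/default/dc/dc1/svc/api",
        "callingService": f"spiffe://{TD}/ns/default/dc/dc1/svc/web"}}),
    json.dumps({"myCustomKey": {
        "callerService": f"spiffe://{TD}/ns/default/dc/dc1/svc/db",
        "callingService": f"spiffe://{TD}/ns/default/dc/dc1/svc/batch"}}),
    # No certificate identity on the connection: treat null, "" and "-" alike.
    json.dumps({"myCustomKey": {"callerService": None, "callingService": "-"}}),
]

def parse_identity(uri_san):
    """Split a Consul SPIFFE URI SAN into its key/value path segments.

    The path is read as pairs such as /ns/<namespace>/dc/<datacenter>/svc/<service>.
    Returns None when the value is missing or is not a service identity.
    """
    if not uri_san or uri_san == "-":
        return None
    parsed = urlparse(uri_san)
    parts = parsed.path.strip("/").split("/")
    if parsed.scheme != "spiffe" or len(parts) % 2:
        return None
    ident = dict(zip(parts[0::2], parts[1::2]))
    ident["trust_domain"] = parsed.netloc
    return ident if "svc" in ident else None

def review(log_lines, allowed):
    """Label each line 'ok', 'unexpected' or 'no-identity' with (caller, callee)."""
    findings = []
    for line in log_lines:
        fields = json.loads(line).get("myCustomKey") or {}
        callee = parse_identity(fields.get("callerService"))   # local URI SAN
        caller = parse_identity(fields.get("callingService"))  # peer URI SAN
        if caller is None or callee is None:
            findings.append(("no-identity", None, None))
            continue
        pair = (caller["svc"], callee["svc"])
        findings.append(("ok" if pair in allowed else "unexpected", *pair))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS, ALLOWED):
        print(finding)
```

Lines labelled `no-identity` are worth reviewing separately, since they indicate traffic that reached the proxy without the certificate identity these placeholders depend on.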
Conclusion
By leveraging Envoy's %DOWNSTREAM_LOCAL_URI_SAN% and %DOWNSTREAM_PEER_URI_SAN% placeholders, you can log and analyse caller service names effectively in a Consul service mesh environment. This method ensures enhanced observability and better debugging capabilities for your microservices architecture.